I might be wrong on this, but I wanted to check anyway. Let's say we run some HTML code in an iframe to allow a user to authenticate with Google.
1. The user clicks OK to allow access to their details.
2. Google sends us an ID token containing the user details.
3. We check the token to make sure it has been signed by Google.
4. We check that the token has been issued for our website domain.
5. We grant access to our website if steps 3 & 4 are met.
I could be wrong, but I believe there is a potential security flaw in WIX with regards to step 4.
This means that in order to allow successful google authentication in this scenario all WIX websites would have to authorize the domain filesusr.com.
So if we consider the security check in step 4, a malicious user could easily bypass the security checks. All they would have to do is create a WIX website with iframe authentication, get a user to click on the authentication link, then forward the resulting token to any other WIX website.
An official WIX website would check that the token had been signed by Google and that it was for the domain filesusr.com. Both checks would pass even though the token was not for their website. A malicious user could then potentially get access to user info on another person's WIX website.
I must be missing something here. Is there something preventing this from happening?