Many websites have added convenience to account sign-in with the simplified “Log in with Google” button. While this provides people with easy access to online resources, it also poses a safety and security risk for users in a Google Workspace for Education domain. Teachers and students can log in to other websites, even non-approved ones, using their school Google account information, and a common question from Collaborative members is “can we stop this?” The good news is — now Google admins can!
Access restriction
Previously, the only way to reduce this risk was to restrict individual OAuth scopes, but Google admins could not “block all.” Wherever users could bypass those restrictions and log in to a website with its OAuth sign-in option, that site could request authorization to their accounts. This means any random site could have a connection to your institution’s user data.
With a recent Google Workspace update, ALL third-party API access to Google Workspace and user data can be blocked. When enabled, the Block all third-party API access setting blocks all OAuth scopes, including sign-in scopes, so users will no longer be able to log in to third-party apps and websites with their school Google account.
Security solution
A few key points to keep in mind:
- This is a domain-wide setting that cannot be customized per user
- Existing application tokens are not revoked by this setting
- Warning: If you enable this setting, there will be a major disruption if a proper trusted list and approval process are not implemented
While this is a valuable feature, blocking third-party access isn’t a hard and fast rule in the realm of EDU best practices. It depends strictly on your institution’s policy and security practices, and it is recommended that there is consistency in how other apps and extensions are configured.
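Because the setting does not revoke tokens that users already granted, an admin still has to find those grants and decide which apps belong on the trusted list. The script below is an added example, not code from the original post or from Google; it classifies token records against a trusted-app list and produces a revocation plan. The token records are constructed sample data shaped like the Admin SDK Directory API Token resource (clientId, displayText, scopes, userKey); in practice they would come from `tokens().list(userKey=...)` for each user in the domain, which this offline example assumes rather than calls.

```python
"""Audit existing OAuth tokens against a trusted-app list.

Added example, not part of the original post or of Google's own tooling.
The "Block all third-party API access" setting stops new grants but does not
revoke tokens users already issued, so those still need review. The token
records below are constructed sample data shaped like the Admin SDK Directory
API Token resource; a real run would fetch them with
service.tokens().list(userKey=...) for every user (assumed, not called here).
"""

# Scopes that only identify the user ("Log in with Google") rather than
# grant access to Workspace data such as Drive or Classroom.
SIGN_IN_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample of what tokens.list might return for two users.
SAMPLE_TOKENS = [
    {"clientId": "111-approved.apps.googleusercontent.com",
     "displayText": "Approved LMS", "userKey": "teacher@example.edu",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/classroom.courses.readonly"]},
    {"clientId": "222-quizsite.apps.googleusercontent.com",
     "displayText": "Random Quiz Site", "userKey": "student@example.edu",
     "scopes": ["openid", "email", "profile"]},
    {"clientId": "333-drivetool.apps.googleusercontent.com",
     "displayText": "Drive Cleaner", "userKey": "student@example.edu",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

# Hypothetical trusted list: client IDs the institution has approved.
TRUSTED_CLIENT_IDS = {"111-approved.apps.googleusercontent.com"}


def classify_token(token, trusted_client_ids):
    """Return a short verdict for one token record."""
    scopes = set(token.get("scopes", []))
    if token["clientId"] in trusted_client_ids:
        return "trusted"
    # Sign-in-only grants expose identity; anything else exposes data.
    if scopes and scopes <= SIGN_IN_SCOPES:
        return "untrusted-sign-in-only"
    return "untrusted-data-access"


def audit_tokens(tokens, trusted_client_ids):
    """Group tokens that need review by user, skipping trusted apps.

    Returns {userKey: [(clientId, verdict, sorted scopes), ...]} for every
    token whose app is not on the trusted list.
    """
    findings = {}
    for token in tokens:
        verdict = classify_token(token, trusted_client_ids)
        if verdict == "trusted":
            continue
        findings.setdefault(token["userKey"], []).append(
            (token["clientId"], verdict, sorted(token.get("scopes", []))))
    return findings


def revoke_plan(findings):
    """Return sorted (userKey, clientId) pairs to feed to tokens().delete().

    This is only a plan; actual revocation needs an authorized Admin SDK
    client and should follow the institution's approval process.
    """
    return sorted((user, client_id)
                  for user, items in findings.items()
                  for client_id, _verdict, _scopes in items)


if __name__ == "__main__":
    result = audit_tokens(SAMPLE_TOKENS, TRUSTED_CLIENT_IDS)
    for user, items in result.items():
        for client_id, verdict, scopes in items:
            print(f"{user}: {client_id} [{verdict}] scopes={scopes}")
    print("revoke plan:", revoke_plan(result))
```

Run against real tokens.list output, the "untrusted-data-access" verdicts are the ones to review first, since those apps hold more than a login; the "untrusted-sign-in-only" grants are exactly the “Log in with Google” sessions the new setting prevents going forward.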
To enable the setting, navigate to the Admin console:
Admin console > Security > API controls > Block all third-party API access
Check out this video to get a tour of where this setting is configured, the impact enabling the setting will have, and a review of the API access section:
This new block all third-party API access setting is an expansion of what we could already do with OAuth settings. I would say, it’s the last “big hurdle” in this area. With so many additions to settings and reports and a changing Google Workspace environment, it is important to ensure your current app management and approval process still meets the needs of your institution. Does it still make sense, or would an in-depth assessment and review of your domain be a good summer project?
To keep up with the latest in Google for Education updates, and expert-facilitated discussions on what they mean and their impact on administrators, teachers, and students, join the Collaborative. Be a part of a community of like-minded EdTech and IT professionals at other schools, and get discounts on CDW Amplified for Education products and services.