I'm creating a service to safeguard personal data that is being sent over email. Because gmail is a common transport, I'd like to allow users to authenticate to my service, which holds their data, using Gmail. But Google holds the username (their gmail address) and also signs the access tokens for my service. Does that mean that an attacker with access to Google authentication data would be able to access my service?
A word to all you practical thinkers out there -- I'm aware that my service has a much higher risk of being compromised than Google's services. I'd appreciate a technical assessment of whether signing in via OAuth from any provider gives the identity provider access to data held on the OAuth-consuming service.
