add

carlospolop · carlospolop · commit 818915187223 · 2025-03-28T11:45:16.000+01:00
diff --git a/src/images/workspace_oauth.png b/src/images/workspace_oauth.png
diff --git a/src/pentesting-cloud/workspace-security/README.md b/src/pentesting-cloud/workspace-security/README.md
@@ -50,6 +50,18 @@ If you have compromised some credentials or the session of the user check these
 gws-persistence.md
 {{#endref}}
 
+## Context-Aware Access
+
+- **Context-Aware Access**: This is a security feature that allows organizations to enforce access policies based on the context of the user, device, and location. It enables granular control over who can access specific application within Google Workspace, enhancing security by ensuring that only trusted users and devices can access sensitive data.
+
+It requires specific **licenses to be able to use it.**
+
+This service basically allows you to create **Context-Aware access levels** which allow to configure different conditions that must be met. Access-level conditions contain attributes you can select, such as device policy, IP subnet, or another access level.
+
+Then, it's possible to **assign these access levels to apps**. It's possible to assign more than one access level to an app, and the user must meet all the conditions of all the access levels assigned to that app.
+
+
+
 ## Account Compromised Recovery
 
 - Log out of all sessions
diff --git a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
@@ -157,6 +157,14 @@ It's possible to do something using gcloud instead of the web console, check:
 ../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
 {{#endref}}
 
+#### OAuth app protections
+
+By default it's configured that any user inside a Workspace organization **can accecpt any OAuth app with any permissions**, but it's possible to restrict those to only apps that only request basic info needed for Sign in with Google or to not allow any third-party apps.
+
+Moreover, even not alowing to trust external third-party apps it's possible to allow to **trust any internal apps** (apps created inside the organization). This trust is configured by **default**.
+
+<figure><img src="../../../images/workspace_oauth.png" alt=""><figcaption></figcaption></figure>
+
 ## References
 
 - [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
