anavem.
Back to Glossary
O

OAuth (Open Authorization)

OAuth is an open authorization framework that allows applications to access user data or services on another platform without exposing the user’s password.

What is OAuth?

OAuth (Open Authorization) is a widely used authorization protocol that enables a third-party application to obtain limited, delegated access to a user's resources hosted by another service.

Instead of sharing credentials, OAuth uses access tokens issued by an authorization server. These tokens define what an app can access and for how long.

OAuth is foundational to modern cloud platforms, APIs, and SaaS ecosystems.

Why OAuth matters

OAuth is critical because it:

  • Eliminates password sharing between services
  • Enables granular, scoped access (least privilege)
  • Supports modern authentication flows for web, mobile, and API apps
  • Scales securely across cloud and enterprise environments

However, misconfigured or abused OAuth implementations can become high-impact attack vectors.

OAuth vs authentication

OAuth is often confused with authentication, but they are not the same:

  • OAuth: authorization (what an app is allowed to do)
  • Authentication: identity verification (who the user is)

OAuth is frequently combined with OpenID Connect (OIDC), which adds authentication on top of OAuth.

Core OAuth roles

An OAuth flow involves several components:

  • Resource Owner -- the user who owns the data
  • Client -- the application requesting access
  • Authorization Server -- issues access tokens
  • Resource Server -- hosts the protected APIs/data

Common OAuth flows (grant types)

Typical OAuth flows include:

1) Authorization Code (with PKCE)

  • Most secure and recommended for modern apps
  • Used by web and mobile applications

2) Client Credentials

  • Machine-to-machine access (no user involved)

3) Device Code Flow

  • Used by devices without browsers (TVs, CLI tools)

4) Implicit Flow (legacy / discouraged)

  • Historically used for SPAs, now largely deprecated

OAuth tokens explained

OAuth relies on different token types:

  • Access Token -- short-lived token used to call APIs
  • Refresh Token -- long-lived token used to obtain new access tokens
  • ID Token (OIDC) -- contains user identity claims

Poor token handling is a common cause of OAuth-related breaches.

OAuth in cloud and enterprise environments

OAuth is heavily used in:

  • Microsoft 365 and Entra ID
  • Google Workspace
  • GitHub, GitLab, Slack, Salesforce
  • API gateways and microservices
  • CI/CD pipelines and automation tools

In these environments, OAuth often controls API access, SaaS integrations, and automation identities.

OAuth as an attack vector

Attackers increasingly abuse OAuth to gain stealthy access:

  • Malicious OAuth apps requesting excessive permissions
  • Phishing users into granting OAuth consent
  • Long-lived refresh tokens used as persistence
  • Compromised service principals or app registrations
  • Token theft from endpoints or CI pipelines

OAuth-based attacks can bypass MFA and password resets if not properly monitored.

How to secure OAuth

Best practices include:

  • Enforcing least-privilege scopes
  • Restricting third-party app consent
  • Monitoring OAuth app registrations and token usage
  • Limiting refresh token lifetimes
  • Auditing API permissions regularly
  • Using Conditional Access and risk-based policies

OAuth security is as much an identity governance problem as a technical one.

Common misconceptions

  • "OAuth means the app is trusted"
  • "Revoking a user password revokes OAuth access"
  • "OAuth is only for developers"
  • "Cloud MFA automatically protects OAuth tokens"