OAuth Security Risks: A Guide to App Permissions

How OAuth Works — and Why It's a Security Problem

OAuth (Open Authorization) is the protocol that powers "Sign in with Google" and "Connect to Microsoft 365" buttons across the SaaS ecosystem. It's designed to let users grant third-party applications access to their data without sharing their password.

Here's the simplified flow:

An employee clicks "Sign in with Google" on a third-party SaaS application
Google shows a consent screen listing the permissions the app requests
The employee clicks "Allow"
The application receives an OAuth token granting the requested permissions
The application can now access the employee's data within the granted scope — often indefinitely

OAuth solved a real problem: it eliminated the need for users to share passwords with third-party apps. But it created a new one. Every OAuth grant is a persistent, often over-permissioned backdoor into your corporate data.

The consent screen — the user's one chance to evaluate what they're authorizing — is typically clicked through in seconds. Most employees don't read it. Even those who do often lack the technical context to evaluate whether "Read, compose, send, and permanently delete all your email" is a reasonable permission for a meeting scheduling app.

The Scale of the OAuth Problem

The numbers paint a concerning picture:

The average mid-market company has 150-300 OAuth-connected applications
56% of these applications have overly permissive access — they request more permissions than they need
35% of OAuth grants are for applications IT has never evaluated for security
20% of OAuth tokens remain active for applications that are no longer in use
The average employee has granted OAuth access to 8-12 third-party applications

Each of these OAuth grants represents a connection between your corporate data and a third-party application. And unlike traditional access controls, OAuth grants are:

Created by individual employees without IT oversight
Persistent — they don't expire unless explicitly revoked
Broadly scoped — a single grant can provide access to all email, all files, or all contacts
Invisible — most organizations have no monitoring or alerting for new OAuth grants

The Top 5 OAuth Security Risks

1. Overly Permissive Access Scopes

OAuth permissions are defined in "scopes" — categories of access that range from narrow (read-only access to profile information) to extremely broad (full read/write access to all data).

Many applications request far more access than they need. A project management tool might request:

gmail.readonly — Read all email
drive — Full access to Google Drive files
calendar — Read and write calendar events
contacts.readonly — Read all contacts

Does a project management tool need to read all your email? Almost certainly not. But developers request broad scopes because it's easier than implementing fine-grained access, and users rarely push back.

The risk: An application with overly broad permissions can access far more data than its functionality requires. If that application is compromised, the attacker inherits all of those permissions.

2. Dormant OAuth Tokens

OAuth tokens persist until they are explicitly revoked. When an employee stops using a SaaS application, the OAuth connection often remains active indefinitely.

These dormant tokens are particularly dangerous because:

The application may stop receiving security updates or maintenance
The vendor may be acquired by a less trustworthy entity
The vendor may suffer a data breach, exposing tokens that grant access to your data
Nobody is monitoring whether the application is still behaving as expected

The risk: Dormant OAuth connections are forgotten backdoors. An application an employee used once, two years ago, may still have full access to their email and files.

3. Consent Phishing Attacks

Consent phishing (also called OAuth phishing or illicit consent grant attacks) is a growing attack vector where attackers create malicious applications designed to trick users into granting OAuth access.

The attack flow:

Attacker creates a legitimate-looking application (e.g., "IT Security Scanner" or "DocuSign Update")
Attacker sends a targeted email with a link to the OAuth consent screen
Employee clicks "Allow," thinking it's a legitimate request
Attacker now has persistent OAuth access to the employee's data — no password stolen, no malware installed, no traditional indicators of compromise

Why this is hard to detect: Unlike traditional phishing that steals credentials, consent phishing doesn't trigger password alerts, MFA challenges, or login anomaly detection. The employee authenticated legitimately. The access grant looks like any other OAuth connection.

The risk: A single successful consent phishing attack can give an attacker persistent read/write access to email, files, and calendar data. Because it uses legitimate OAuth, it bypasses most security controls.

4. Shadow OAuth Grants

When employees use their corporate Google or Microsoft account to sign into third-party applications, they create OAuth connections that are invisible to most security tools. This is a subset of the broader shadow IT problem. These shadow OAuth grants:

Are not tracked in any IT inventory
Are not subject to security review
May grant access to sensitive corporate data
Persist indefinitely unless discovered and revoked

The risk: Shadow OAuth grants are the intersection of shadow IT and OAuth security. They combine the visibility challenge of shadow IT with the persistent access risk of OAuth, creating blind spots that are difficult to detect and remediate.

5. Token Theft and Replay

OAuth tokens can be stolen through several vectors:

Compromised third-party application: If a SaaS vendor's infrastructure is breached, attackers can steal stored OAuth tokens
Insecure token storage: Some applications store OAuth tokens in plaintext or weakly encrypted formats
Man-in-the-middle attacks: On improperly configured networks, tokens can be intercepted during transmission
Malicious browser extensions: Browser extensions can intercept OAuth flows and steal tokens

The risk: A stolen OAuth token provides direct access to the user's data without requiring their credentials or triggering MFA. Token-based access is often indistinguishable from legitimate application activity in log files.

Real-World OAuth Attack Scenarios

Scenario 1: The Compromised Productivity Tool

A mid-market company uses a popular task management application. 80 employees have granted it OAuth access to Google Workspace with "read and send email" and "manage Drive files" permissions.

The task management vendor suffers a data breach. Attackers extract OAuth tokens from the vendor's database. Within hours, they:

Download sensitive documents from 80 employees' Google Drive accounts
Set up email forwarding rules to exfiltrate ongoing communications
Use the "send email" permission to send phishing emails from legitimate corporate addresses

Impact: Massive data exfiltration, compromised email, and the ability to impersonate employees — all from a single vendor breach.

Scenario 2: The Consent Phishing Campaign

An attacker creates an application called "Microsoft Security Alert" that requests OAuth access to Microsoft 365. They send targeted emails to employees at a financial services company.

12 employees click "Allow." The attacker now has access to their email and OneDrive files. They:

Read emails containing client financial data
Download confidential merger documents from OneDrive
Monitor email for sensitive information over the next three months

Impact: The attack is discovered only when a client reports suspicious activity. By then, months of confidential data have been exfiltrated. No malware was installed, no credentials were stolen, no traditional alert was triggered.

Scenario 3: The Departed Employee's OAuth Legacy

A senior product manager leaves the company. IT disables their Google Workspace account. But over two years of employment, they granted OAuth access to 15 third-party applications.

Several of these OAuth tokens remain valid even after the IdP account is disabled (depending on the vendor's implementation). Data that was synced to third-party applications remains accessible. One of the applications — a note-taking tool — contains detailed product roadmaps and competitive analysis.

Impact: Sensitive strategic data remains in uncontrolled third-party applications long after the employee leaves. A comprehensive SaaS offboarding process is essential to prevent this.

How to Audit Your OAuth Environment

A systematic OAuth audit should be performed quarterly at minimum. Here's how:

Step 1: Inventory All OAuth Grants

Pull a complete list of OAuth grants from your identity provider:

Google Workspace: Admin Console → Security → API Controls → Third-party app access
Microsoft 365: Azure AD → Enterprise Applications → User consent grants
Okta: Admin → Applications → View OAuth grants

Document each grant with: application name, user, permissions scope, date granted, last used.

Step 2: Classify by Risk

Evaluate each OAuth-connected application against these criteria:

Risk Factor	Low Risk	Medium Risk	High Risk
Permissions	Read-only, limited scope	Read-write, moderate scope	Full access to email/files/admin
Vendor security	SOC 2 certified, established vendor	Known vendor, no certification	Unknown vendor, no security info
User count	1-2 users	3-10 users	10+ users
Data sensitivity	No sensitive data access	Accesses some sensitive data	Accesses PII, financial, or IP
Activity status	Active, regular use	Intermittent use	Dormant (no use in 90+ days)

Step 3: Remediate

Based on your risk classification:

High risk + dormant: Revoke immediately. No business justification for maintaining access.
High risk + active: Review with the application owner. Reduce scope if possible. If the vendor doesn't support reduced scopes, evaluate alternatives.
Medium risk + dormant: Revoke. Notify the user in case they want to re-authorize.
Medium risk + active: Monitor. Include in regular review cycle.
Low risk: Document and monitor.

Step 4: Implement Ongoing Controls

After the initial audit, implement controls to prevent the same problems from recurring:

Configure OAuth consent policies in your IdP to require admin approval for high-risk scopes
Enable alerts for new OAuth grants, especially those requesting broad permissions
Block OAuth grants from unverified or unknown applications (Google Workspace supports this)
Review new OAuth grants weekly as part of security operations

Building an OAuth Governance Policy

A practical OAuth governance policy should cover:

Scope Definitions

Define acceptable and unacceptable OAuth scopes:

Always blocked (require security review and exception approval):

Full email access (read, write, send, delete)
Admin-level permissions
Full drive/file access
Ability to modify security settings

Allowed with approval:

Read-only email access
Calendar read/write
Limited drive access (specific folders)
Profile and contact information

Auto-approved:

Basic profile information (name, email)
Single sign-on (authentication only, no data access)

Application Vetting

Before approving an OAuth-connected application:

Verify the vendor's identity and reputation
Review the application's privacy policy and terms of service
Confirm the application has appropriate security certifications (SOC 2, ISO 27001)
Verify the application requests only necessary permissions
Check for a Data Processing Agreement if the app processes personal data (GDPR requirement)
Assess the vendor's breach notification commitments

User Education

Most OAuth security incidents start with users who don't understand what they're authorizing. Include in your security awareness training:

How to read an OAuth consent screen
Red flags to watch for (overly broad permissions, unfamiliar applications, urgent/threatening language)
The process for requesting approval for new applications
Examples of consent phishing attacks and how to recognize them

Incident Response

Add OAuth-specific scenarios to your incident response playbook:

Suspected consent phishing: How to identify affected users, revoke malicious grants, and assess data exposure
Vendor breach with OAuth exposure: How to identify affected tokens, revoke them, and assess what data was accessible
Unauthorized OAuth grant discovered: How to investigate, contain, and remediate

Automated OAuth Monitoring

Manual OAuth audits are necessary but not sufficient. The OAuth landscape changes daily as employees grant new permissions. Automated monitoring fills the gap:

What to Monitor

New OAuth grants: Alert when any employee authorizes a new third-party application
High-risk scope requests: Immediately flag applications requesting email, admin, or full-drive access
Unrecognized applications: Alert on OAuth grants to applications not in your approved vendor list
Dormant token activation: Flag when a previously inactive OAuth connection starts accessing data
Scope changes: Alert when an application requests additional permissions beyond its original grant

How SaaS Management Platforms Help

SaaS management platforms that integrate with Google Workspace and Microsoft 365 can provide:

Continuous visibility into all OAuth-connected applications
Automatic risk scoring based on permission scope, vendor reputation, and usage patterns
Alerts for new and changed OAuth grants
Historical analysis of OAuth grant trends
Integration with your incident response workflow

This visibility is the foundation of OAuth governance. Without it, you're relying on manual audits that are outdated before they're finished.

The Bottom Line

OAuth is a convenience that has become a systemic security risk. Every "Sign in with Google" click creates a persistent connection between your corporate data and a third-party application that may or may not deserve that access.

The solution is not to block OAuth entirely — that would break modern SaaS workflows. The solution is visibility, governance, and continuous monitoring:

Visibility: Know every OAuth connection in your environment
Governance: Control which applications can request access and what scopes are permitted
Monitoring: Detect new grants, dormant tokens, and suspicious activity in real time

Most organizations start with an audit that reveals far more OAuth connections than anyone expected. That moment of discovery is the beginning of real OAuth security. European companies should also consider how OAuth governance fits into NIS2 compliance and broader SaaS security strategy.

Want to see every OAuth connection in your environment? Book a demo and get a complete OAuth risk assessment in 15 minutes.