Skip to content

OAuth Access Token

Service Name: OAuth 2.0 Authorization Framework

Service Description: OAuth 2.0 is an industry-standard protocol for authorization that enables third-party applications to obtain limited access to a user's account on an HTTP service. OAuth tokens are used across many services including Google, Microsoft, Facebook, Twitter, and others.

Service Address: https://oauth.net/2/

Validation Type: API Auth

IP Allow list: Does not exist at the token level, but may be implemented at the service provider level depending on the specific OAuth implementation.

Secret Access Scope: Grants access to specific resources or actions on behalf of a user, as defined by the scopes requested during authorization. The exact permissions depend on the service provider and the scopes granted.

Secret Revokement URL: Varies by provider. Most OAuth providers offer token revocation endpoints (e.g., Google: https://accounts.google.com/o/oauth2/revoke, Microsoft: https://login.microsoftonline.com/common/oauth2/v2.0/logout)

Secret Example: ya29.a0AfB_byDMkuXH7DZrxAQS3MXr9VqCnOgLMYSBjCpN2YzZQbQT8MEzD5KExampleToken

Suspicious Activity Investigation Instructions:

  • Review access logs from the OAuth provider for unusual login patterns or locations.
  • Check for unexpected application authorizations in the user's account settings.
  • Monitor for unusual API calls or data access patterns using the token.
  • Verify if the token has been used from unexpected IP addresses or devices.
  • Check for any changes in permissions or scope expansions.

Mitigation Instructions:

  • Immediately revoke the compromised OAuth token through the service provider's developer console or user settings.
  • Review and revoke any suspicious application authorizations in the user's account.
  • Reset the user's password as a precaution, as token theft might indicate broader account compromise.
  • Generate a new OAuth token with appropriate scopes if the application still needs access.
  • Implement token rotation and shorter expiration times for future tokens.
  • Consider implementing additional security measures like IP restrictions at the application level if supported.
  • Review application code to ensure tokens are being stored securely and not exposed in client-side code or logs.