OAuth Access Token
Service Name: OAuth 2.0 Authorization Framework
Service Description: OAuth 2.0 is an industry-standard protocol for authorization that enables third-party applications to obtain limited access to a user's account on an HTTP service. OAuth tokens are used across many services including Google, Microsoft, Facebook, Twitter, and others.
Service Address: https://oauth.net/2/
Validation Type: API Auth
IP Allow list: Does not exist at the token level, but may be implemented at the service provider level depending on the specific OAuth implementation.
Secret Access Scope: Grants access to specific resources or actions on behalf of a user, as defined by the scopes requested during authorization. The exact permissions depend on the service provider and the scopes granted.
Secret Revokement URL: Varies by provider. Most OAuth providers offer token revocation endpoints (e.g., Google: https://accounts.google.com/o/oauth2/revoke, Microsoft: https://login.microsoftonline.com/common/oauth2/v2.0/logout)
Secret Example: ya29.a0AfB_byDMkuXH7DZrxAQS3MXr9VqCnOgLMYSBjCpN2YzZQbQT8MEzD5KExampleToken
Suspicious Activity Investigation Instructions:
- Review access logs from the OAuth provider for unusual login patterns or locations.
- Check for unexpected application authorizations in the user's account settings.
- Monitor for unusual API calls or data access patterns using the token.
- Verify if the token has been used from unexpected IP addresses or devices.
- Check for any changes in permissions or scope expansions.
Mitigation Instructions:
- Immediately revoke the compromised OAuth token through the service provider's developer console or user settings.
- Review and revoke any suspicious application authorizations in the user's account.
- Reset the user's password as a precaution, as token theft might indicate broader account compromise.
- Generate a new OAuth token with appropriate scopes if the application still needs access.
- Implement token rotation and shorter expiration times for future tokens.
- Consider implementing additional security measures like IP restrictions at the application level if supported.
- Review application code to ensure tokens are being stored securely and not exposed in client-side code or logs.