The Everything Feed - All Packet Pushers Pods

PP094: Understanding OAuth and Reducing Authorization Risks

Jan 27, 2026
Aaron Turner, identity practitioner and IANS faculty member, and Rich Mogull, Cloud Security Alliance analyst and CloudSLAW creator, unpack OAuth fundamentals and risks. They cover token scopes and lifetimes. They discuss consent phishing, token replay, non-human identities and agent permissions. They explain secure token storage, tradeoffs in usability, and practical starting points for auditing IdPs and major SaaS.
ADVICE

Treat OAuth As Authorization

  • Remember OAuth is authorization: it grants scoped access via tokens, not primary authentication.
  • Protect access and refresh tokens and limit scopes to reduce risk.
ADVICE

Lock Down OAuth Scopes

  • Whitelist and explicitly allow only approved OAuth scopes in your IdP.
  • Prevent users from granting broad scopes that enable mass abuse.
INSIGHT

Tokens Live On Endpoints

  • OAuth tokens are often retrievable in cleartext on endpoints and can be scraped by info stealers.
  • Mobile OS vulnerabilities can expose many stored tokens at once.
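The scope allowlisting the "Lock Down OAuth Scopes" snip recommends, written out as an added example (not code from the episode or its guests): a consent request is checked against a tenant allowlist, broad scopes and `offline_access` (which yields a long-lived refresh token) are reserved for admin consent, and any denied scope fails the whole grant closed. The scope names, app ids and policy tables are constructed for illustration.

```python
from dataclasses import dataclass, field

# Scopes a tenant admin has approved for ordinary user consent (constructed sample).
USER_CONSENTABLE = {"openid", "profile", "email", "calendar.read"}
# Broad or long-lived scopes that must never be user-granted; admin review only.
# offline_access is here because it issues a refresh token, extending token lifetime.
ADMIN_ONLY_SCOPES = {"offline_access", "mail.readwrite", "files.readwrite.all",
                     "directory.readwrite.all"}
# Extra scopes admins have approved for specific applications (constructed sample).
APP_APPROVALS = {"app-expense-tool": {"files.read"}}


@dataclass
class Decision:
    allowed: bool = True
    granted: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def evaluate_consent(app_id: str, requested: set, user_is_admin: bool = False) -> Decision:
    """Return the consent decision for app_id requesting the given scopes."""
    d = Decision()
    approved = USER_CONSENTABLE | APP_APPROVALS.get(app_id, set())
    for scope in sorted(s.lower() for s in requested):
        if scope in ADMIN_ONLY_SCOPES:
            if user_is_admin:
                d.granted.add(scope)          # admin consent path
            else:
                d.denied.add(scope)
                d.reasons.append(f"{scope}: admin consent required")
        elif scope not in approved:
            d.denied.add(scope)
            d.reasons.append(f"{scope}: not on allowlist for {app_id}")
        else:
            d.granted.add(scope)
    # Fail closed: one denied scope blocks the grant rather than silently narrowing it,
    # so users cannot be phished into handing an app a broad subset.
    d.allowed = not d.denied
    return d
```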