You have seen the buttons everywhere: "Sign in with Google," "Continue with Facebook," "Log in with GitHub." They are convenient. One click and you are in, no new password to create. But that click is a trust decision with real consequences. You are granting a third-party application access to your account data, and most people never read the permissions they are approving.

How OAuth Actually Works

OAuth 2.0 is a protocol that lets you grant a third-party application limited access to your accounts on another service without sharing your password. When you click "Sign in with Google" on a new app, here is what happens behind the scenes:

  1. The app redirects you to Google's login page (not the app's page).
  2. You authenticate directly with Google using your credentials.
  3. Google shows you a consent screen listing what the app is requesting access to.
  4. If you approve, Google sends the app a temporary access token that grants the specific permissions you authorized.
  5. The app uses this token to access your data through Google's API, without ever seeing your password.

The key security benefit is that the third-party app never receives your Google password. If the app is compromised, attackers get a limited token, not your full credentials. You can also revoke the token without changing your password.
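The five steps above, as an added, self-contained simulation (not Google's code or any real library): a toy identity provider that authenticates the user, records the consent decision, and issues a token carrying only the approved scopes; an API that refuses any request whose token lacks the matching scope; and a revocation path that kills the token without touching the password. It follows the authorization-code variant of the flow, in which step 4 hands the app a one-time code that it exchanges for the token. All names, scope strings, secrets and user data are constructed for the example.

```python
"""Toy OAuth 2.0 authorization-code flow (constructed example, not a real library)."""
import secrets
import time

# Constructed sample data: the identity provider's user store.
USERS = {"alice": {"password": "correct horse battery staple",
                   "profile": {"name": "Alice Example", "email": "alice@example.invalid"},
                   "contacts": ["bob@example.invalid"]}}
# Scope each API resource requires (scope names are illustrative).
RESOURCE_SCOPES = {"profile": "profile", "contacts": "contacts.read"}


class AuthorizationServer:
    """The identity provider: authenticates users, shows consent, issues tokens."""

    def __init__(self, token_ttl=3600):
        self.clients = {}   # client_id -> {"secret", "redirect_uri"}
        self.codes = {}     # one-time authorization codes
        self.tokens = {}    # access_token -> {"user", "scopes", "expires_at"}
        self.token_ttl = token_ttl

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, requested, username, password, consent):
        """Steps 1-3: user logs in at the provider and decides on the consent screen."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        user = USERS.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            raise PermissionError("authentication failed")
        approved = consent(client_id, requested)   # subset of scopes the user allows
        if not approved:
            raise PermissionError("user declined consent")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": username,
                            "scopes": frozenset(approved)}
        return code   # the app receives only this code, never the password

    def exchange_code(self, client_id, client_secret, code):
        """Step 4: the app trades the one-time code for a scoped, expiring token."""
        entry = self.codes.pop(code, None)          # a code can be used once
        client = self.clients.get(client_id)
        if (entry is None or entry["client_id"] != client_id or client is None
                or not secrets.compare_digest(client["secret"], client_secret)):
            raise PermissionError("invalid code or client credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": entry["user"], "scopes": entry["scopes"],
                              "expires_at": time.time() + self.token_ttl}
        return token

    def revoke(self, token):
        """The user withdraws the grant; the password is untouched."""
        self.tokens.pop(token, None)

    def introspect(self, token):
        info = self.tokens.get(token)
        if info is None or info["expires_at"] < time.time():
            return None
        return info


class ResourceServer:
    """The provider's API (step 5): serves data only to a token with the right scope."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def read(self, token, resource):
        info = self.auth.introspect(token)
        if info is None:
            raise PermissionError("token invalid, expired or revoked")
        needed = RESOURCE_SCOPES[resource]
        if needed not in info["scopes"]:
            raise PermissionError(f"token lacks scope {needed!r}")
        return USERS[info["user"]][resource]


def demo(granted_scopes):
    """Runs the whole flow for a constructed app that asks for profile and contacts.

    Returns what the app could read with the token, and what it could read
    after the user revoked it. Each value is the data or a 'denied: ...' string.
    """
    idp = AuthorizationServer()
    api = ResourceServer(idp)
    idp.register_client("notes-app", "app-secret-constructed", "https://notes.example.invalid/cb")

    def consent(client_id, requested):   # the user's choice on the consent screen
        return [s for s in requested if s in granted_scopes]

    code = idp.authorize("notes-app", "https://notes.example.invalid/cb",
                         ["profile", "contacts.read"], "alice",
                         "correct horse battery staple", consent)
    token = idp.exchange_code("notes-app", "app-secret-constructed", code)

    def try_read(resource):
        try:
            return api.read(token, resource)
        except PermissionError as exc:
            return f"denied: {exc}"

    before = {r: try_read(r) for r in RESOURCE_SCOPES}
    idp.revoke(token)
    after = {r: try_read(r) for r in RESOURCE_SCOPES}
    return before, after
```

Calling `demo(["profile"])` models a user who approves only the profile scope: the contacts request is refused even though the app asked for it, and after revocation every request fails while the password stays unchanged. `demo([])` raises because the user declined consent, so no token is ever issued.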

Authentication vs. Authorization

These two concepts are often confused but are fundamentally different. Authentication answers the question "Who are you?" It verifies your identity. Authorization answers "What are you allowed to do?" It determines what resources you can access.

When you use "Sign in with Google," you are using Google for authentication (proving who you are) and simultaneously granting the app authorization (permission to access certain data). OAuth is primarily an authorization framework, though OpenID Connect, which is built on top of OAuth, adds a standardized authentication layer.

Understanding this distinction matters because an app may need only to authenticate you (confirm your identity) yet request authorization to access your contacts, calendar, or email. The authentication is reasonable; the broad authorization may not be.

What Permissions Are You Actually Granting?

OAuth permissions are called scopes, and they vary dramatically between applications. Some common scopes include:

  • Profile information (name, email, profile picture) is the minimum most apps request and is generally reasonable.
  • Email access lets the app read, send, or manage your email. A project management tool has no business reading your email.
  • Contact list access gives the app your entire address book, which is often used for "invite your friends" features but also for data harvesting.
  • Calendar access allows reading or modifying your calendar events, including meeting details, attendees, and locations.
  • Drive or file access lets the app read, create, or modify files in your cloud storage.

The 2018 Cambridge Analytica scandal demonstrated the danger of over-permissioned apps. A quiz app requested access to users' Facebook profiles and their friends' profiles, harvesting data from 87 million people for political targeting.

Reviewing and Revoking Connected Apps

Over time, you likely accumulate dozens of connected apps, many for services you no longer use. Each connected app is an active permission grant and a potential attack vector. Here is how to audit your connected apps on major platforms:

  • Google: Visit myaccount.google.com, navigate to Security, then "Third-party apps with account access." Review each app and remove any you do not recognize or no longer use.
  • Facebook: Go to Settings, then "Apps and Websites." Remove expired and inactive apps, and review the permissions of active ones.
  • GitHub: Visit Settings, then "Applications," then "Authorized OAuth Apps." Developers should be especially careful here, as GitHub tokens can grant access to private code repositories.
  • Microsoft: Go to account.microsoft.com, then "Privacy," then "Apps and services."

Make this review a quarterly habit. Set a calendar reminder. You will almost always find apps you forgot about that still have access to your data.

The Risks of Over-Permissioned Apps

The danger of granting broad permissions extends beyond data harvesting. If a third-party app is breached, the attacker inherits whatever permissions you granted. An app with read access to your Google Drive exposes all your documents. An app with email access could be used to send phishing messages from your account.

To protect yourself when using OAuth-based sign-in:

  1. Read the consent screen carefully before clicking "Allow." If a simple game wants access to your email and contacts, decline.
  2. Choose the minimum permissions when options are presented. Some apps offer "limited" vs. "full" access modes.
  3. Prefer established apps from reputable companies. A no-name app with five users requesting broad Google access is a red flag.
  4. Use a separate account for experimentation. If you want to try a new app but are unsure about its trustworthiness, use a secondary account with no sensitive data.
  5. Revoke access promptly when you stop using a service. Do not leave dormant permissions hanging around.

OAuth is a well-designed protocol that, when used correctly, improves security by eliminating password sharing. But the convenience of one-click sign-in can lead to careless permission grants. Treat every "Sign in with" button as a decision that deserves a moment of consideration.
