What is an OAuth Token?
OAuth tokens — access, refresh, and ID tokens — are the credentials of modern delegated authorization. Learn what each does and how to secure them.
What is an OAuth Token?
Definition
An OAuth token is a credential issued by an authorization server that allows a client (application) to access protected resources on behalf of a user or as itself.
OAuth 2.0 defines several token types:
- Access token — short-lived; used to call APIs.
- Refresh token — longer-lived; used to obtain new access tokens.
- ID token (OpenID Connect) — describes the authenticated user; used for sign-in.
OAuth tokens are the foundation of modern delegated authorization across SaaS, cloud, mobile, and enterprise applications.
In simple terms:
An OAuth token is a time-bound permission slip an app uses to call APIs on someone's behalf.
Why It Matters
- OAuth is the dominant authentication / authorization standard for APIs.
- Tokens are everywhere — every signed-in app, integration, agent has them.
- Compromised tokens enable account takeover, data theft, lateral movement.
- Recent breaches (Storm-0558, Okta 2023, Microsoft) exploited OAuth tokens / signing keys.
- Token hygiene (storage, rotation, scope) is core identity security work.
OAuth Token Types
1. Access Token
- Short-lived (typically 5 min – 1 hour).
- Sent with API calls (
Authorization: Bearer <token>). - Includes scopes (claims) defining what's allowed.
- Often a JWT (verifiable offline) or opaque (verified by introspection).
2. Refresh Token
- Longer-lived (days, months, sometimes indefinite).
- Used to obtain new access tokens without re-authentication.
- Stored carefully (it's the long-lived credential).
- Can be rotated on each use.
3. ID Token (OpenID Connect)
- JWT describing the authenticated user.
- Used for sign-in (not for API calls).
- Audience-bound to the client.
4. Token in OBO (On-Behalf-Of)
- Service exchanges incoming user token for one to call downstream API as the user.
5. Service-to-Service Tokens
- Client credentials flow — no user; client_id + client_secret → access token.
OAuth Flows (Where Tokens Come From)
Authorization Code (with PKCE)
Most secure, most common for users. App redirects user to IdP; user consents; IdP returns code; app exchanges for tokens.
Client Credentials
Service-to-service. Client presents client_id + client_secret → access token. No user involved.
Device Code
For input-constrained devices (TVs, CLIs).
Implicit (Deprecated)
Returned tokens directly in URL — phased out for security.
Resource Owner Password Credentials (Deprecated)
User gives password to client — anti-pattern.
Common Risks
1. Token Theft
- Stolen via XSS, MITM, malware, phishing, browser extension, vendor breach.
2. Refresh Token Compromise
- Long-lived → adversary maintains persistent access.
3. Over-Permissioned Scopes
- Apps granted broader scopes than needed.
4. Consent Phishing
- Adversary tricks user into granting OAuth consent to malicious app.
5. Token Replay
- Captured token reused; weak audience binding.
6. Token Logged
- Tokens in logs / errors / URLs.
7. Storage Vulnerabilities
- Tokens in localStorage / cookies vulnerable to XSS.
8. Token Signing Key Compromise
- Microsoft Storm-0558: signing key stole → forged tokens.
9. Stale OAuth Grants
- Apps granted years ago, no longer used, still active.
10. Cross-Tenant Token Misuse
- Multi-tenant apps mishandling tokens across tenants.
Real-World Examples
1. Storm-0558
Adversary obtained Microsoft signing key; forged ID/access tokens; accessed government Exchange Online mailboxes. Mitigation: signing key rotation; key access controls; audit hardening.
2. Okta 2023
OAuth tokens / session cookies stolen from support portal → cross-tenant impact. Mitigation: defense-in-depth; better support tooling.
3. Consent Phishing
User received "Microsoft Login" prompt; granted broad scopes to malicious app; adversary read mail. Mitigation: app consent governance; admin consent for risky scopes; user education.
4. Refresh Token Theft
Mobile app stored refresh token in plaintext; rooted device leaked. Mitigation: refresh token rotation; secure enclave storage.
5. Stale OAuth Grant Abuse
Vendor app granted in 2019; vendor compromised in 2024; old grant abused. Mitigation: quarterly OAuth grant review; revoke unused.
Best Practices
Token Lifecycle
- Short-lived access tokens (≤ 1 hour).
- Refresh token rotation on each use.
- Refresh token expiry (sliding or absolute).
- Audience binding (
audclaim). - Nonce / sub-binding to client.
Storage
- Backend — secret manager.
- Web frontend — httpOnly secure cookies; not localStorage.
- Mobile — secure enclave / keychain.
- CLI — OS credential vault.
Scope Management
- Least privilege scopes.
- Per-tenant or per-resource when possible.
- Admin consent for risky scopes.
- Quarterly review of granted scopes.
Consent Governance
- App publisher verification.
- Block unverified publishers for sensitive scopes.
- User education on consent prompts.
- Quarantine newly granted apps for review.
Monitoring
- Anomaly detection on token use (geo, time, volume).
- Sign-in risk policies (Conditional Access).
- OAuth grant audit (Microsoft Defender for Cloud Apps, Forestall).
Revocation
- Quick revocation capability.
- Practiced incident response for compromised tokens.
Signing Keys
- HSM-backed signing keys.
- Rotation cadence.
- Strict access controls + audit.
Checklist
- Short-lived access tokens?
- Refresh token rotation?
- Refresh token expiry?
- Audience binding?
- Tokens stored securely (no localStorage / no plaintext)?
- Least-privilege scopes?
- Admin consent for risky scopes?
- App publisher verification?
- Quarterly OAuth grant review?
- Anomaly detection on token use?
- Conditional Access / sign-in risk policies?
- Quick revocation playbook?
- HSM-backed signing keys + rotation?
How Forestall Helps
Forestall:
- Inventories OAuth grants across SaaS / cloud.
- Identifies over-permissioned grants.
- Surfaces stale / unused grants.
- Detects suspicious token usage patterns.
- Tracks remediation.
Frequently Asked Questions
Is OAuth more secure than API keys?
Yes — short-lived, scoped, revocable, auditable. But misuse / misconfig / phishing remain risks.
What's the difference between an access token and refresh token?
Access = short-lived API credential. Refresh = longer-lived; used to get new access tokens.
Should I store refresh tokens at all?
If your app needs ongoing access without re-prompting, yes — but store securely (secret manager, secure enclave, encrypted at rest).
Can I trust JWT tokens offline?
Yes if signature verified against trusted issuer key, claims validated (iss, aud, exp, nbf), and key rotation handled.
What about token binding?
Emerging standards (DPoP, MTLS-bound tokens) bind tokens to client to prevent replay. Adopt where supported.
Conclusion
OAuth tokens are the credentials of modern delegated authorization — short-lived access tokens, longer-lived refresh tokens, and ID tokens for sign-in. Manage them carefully: short lifetimes, secure storage, scoped consent, anomaly detection, quarterly review, and signing key hygiene. Done right, OAuth gives you secure, fine-grained, revocable access control across humans, workloads, and AI agents.
Govern OAuth tokens across your workforce and workloads.
Forestall surfaces over-permissioned OAuth grants and stale refresh tokens.