What is OAuth?
Simply put, OAuth is a way of granting a 3rd party web application access to your private data in the cloud, without having to tell the 3rd party web application your username/password. For example, if you book a flight online using the airline's website, the website might offer to create a calendar event with all the flight data directly in your Google calendar. One way to do this is to tell the airline your Google username/password so they can “log in to Google as you” and then create the calendar event for you. But giving somebody your password is certainly a bad idea. The better method is using OAuth. This means the flight booking site would ask you to log into Google, and then Google would give the flight booking site a pass code (called an “OAuth access token”). The flight booking app can now use this access token to add the event to your calendar. This access token typically expires after one hour and is only usable for a specific “scope” (e.g. only your Google calendar but not your Google contacts, Gmail, etc.). There is also another variation where you grant a 3rd party app access forever - or at least until you explicitly "revoke" access. This variation is usually referred to as "Offline Use" or "Refresh Token".
Why is a simple calendar utility trying to access my Google Drive and Gmail?
The Myths About OAuth
- Statements like "our app is secure since we are using OAuth" are misleading and false. OAuth itself doesn't make a 3rd party app "secure". OAuth only solves the problem of not having to share your username/password with that 3rd party app. That's all.
- By consenting to use OAuth, you are still giving a 3rd party access to your data, which they "hopefully" only use as promised, but you have no guarantee.
- With the access token (or even worse the refresh token), the 3rd party app has a "golden ticket" to access your data - you never know how securely the developers of the 3rd party app are storing this token. For instance, if the 3rd party app is designed poorly, a vengeful developer at the airline company could steal all tokens in the database and get access to all customer data. To pretend this can’t happen, or hasn't happened, would be misguided.
The bottom line is, consenting to use OAuth is a matter of trust; it is not a guarantee for security. You are trusting the 3rd party application not to abuse the privileges you are giving them and that they have implemented effective security controls.
OAuth in Your (Cloud-)Company?
OAuth can be a challenge for your corporate information security since, let’s be honest, the average user typically consents to everything without thinking too much. And before you know it, your Google Apps and Salesforce users undermined your security policy by giving this handy app called “lovely kittens” access to Google Drive or your financial data in Salesforce.
So should you prohibit OAuth in your company in general? Most likely, you can’t since many system integrations rely on this standard. For instance, without OAuth, you would not be able to access Google Apps from your mobile phone or run Salesforce 1. All you can do is educate and monitor. For instance:
- Create awareness about this issue in your company. Make sure everyone understands what “scope” means and that they should always be suspicious of 3rd party apps. Scopes like “Profile Information” or “Email Address” are harmless, whereas “Gmail” or “Google Drive” are obviously dangerous.
- Every user should check their Google account permissions and the section “OAuth Connected Apps” in their Salesforce user page. Here, they can revoke access to suspicious 3rd party apps.
- If you have to comply with specific information security standards, you probably have to monitor all your business systems rather than rely on your users’ prudence. Google Apps just released new features that help admins monitor what’s going on.
- Take advantage of tools like Cloudlock and Flashpanel. They do a great job monitoring & whitelisting/blacklisting 3rd party apps, thanks to Google’s Directory API.
- Salesforce provides a page in the admin console where you can view and block all “Connected OAuth Apps” (Setup | Manage Apps | Connected Apps OAuth Usage). A SOQL query like SELECT count(id), Application FROM LoginHistory GROUP BY Application delivers similar information and could be used in an automated monitoring solution. I’m not aware of a way to explicitly whitelist/blacklist apps in Salesforce.
- If you are rolling out a service that requires your users to grant access to your corporate apps via OAuth, make sure the provider of the service has more to offer than a generic security statement saying that the app is secure because they are using https and OAuth.
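As an added illustration of the automated monitoring idea above (this is example code, not part of the original post or any Salesforce tooling): the script below takes rows shaped like the results of the SOQL query SELECT count(id), Application FROM LoginHistory GROUP BY Application and reports every application that is not on a reviewed allowlist. The sample rows, the allowlist and the assumption that Salesforce names the unaliased count column expr0 are all constructed for this example.

```python
"""Allowlist review over aggregated Salesforce LoginHistory rows (example)."""
from dataclasses import dataclass

# Assumed allowlist: applications the company has reviewed and approved.
APPROVED_APPS = {"Browser", "Salesforce1 for iOS", "Data Loader Bulk"}

# Constructed sample rows in the shape an aggregate SOQL query returns.
# Assumption: the unaliased count(id) column is exposed as 'expr0'.
SAMPLE_ROWS = [
    {"expr0": 1840, "Application": "Browser"},
    {"expr0": 212, "Application": "Salesforce1 for iOS"},
    {"expr0": 3, "Application": "lovely kittens"},
    {"expr0": 57, "Application": "Data Loader Bulk"},
    {"expr0": 0, "Application": None},
]


@dataclass(frozen=True)
class Finding:
    application: str
    logins: int
    reason: str


def review_oauth_apps(rows, approved=APPROVED_APPS, min_logins=1):
    """Return a Finding for each application that is not on the allowlist.

    Rows without an application name are reported separately instead of
    being dropped silently, so a gap in the data is visible to the reviewer.
    Results are sorted by login count, most active application first.
    """
    findings = []
    for row in rows:
        app = row.get("Application")
        logins = int(row.get("expr0") or 0)
        if not app:
            findings.append(Finding("<unknown>", logins, "no application name recorded"))
            continue
        if app in approved or logins < min_logins:
            continue
        findings.append(Finding(app, logins, "application not on allowlist"))
    return sorted(findings, key=lambda f: f.logins, reverse=True)


def format_report(findings):
    """Render findings as one line per application for a ticket or alert."""
    lines = [f"{f.application!r}: {f.logins} login(s); {f.reason}" for f in findings]
    return "\n".join(lines) if lines else "no unreviewed applications"


if __name__ == "__main__":
    print(format_report(review_oauth_apps(SAMPLE_ROWS)))
```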