How to Audit and Revoke Risky OAuth App Permissions

··11 min read
How to Audit and Revoke Risky OAuth App Permissions

Every time you click "Sign in with Google" or authorize a new app to read your calendar, you hand over a key to part of your digital life. Most people do this dozens of times a year and never look back. The problem is that those keys don't expire on their own. That project management tool you tried for a week in 2021 may still have standing permission to read every email in your inbox.

Here's a stat that should make you pause: security researchers have repeatedly found that the average professional has authorized between 40 and 90 third-party apps against their primary Google or Microsoft account, and studies of enterprise environments show that more than half of those grants are for apps that haven't been used in over six months. Each dormant grant is a live attack surface. When a vendor gets breached, attackers don't need your password. They already have a token that speaks OAuth on your behalf.

This guide walks you through how to audit your connected apps, spot the risky ones using a repeatable scoring method, and revoke OAuth app permissions safely across Google, Microsoft, GitHub, Slack, and Apple. You'll get a worked example with real numbers, a comparison of the major provider dashboards, and a maintenance routine so you never drift back into permission sprawl.

Key Takeaways
  • OAuth tokens don't expire when you stop using an app. They persist until you or the provider revokes them.
  • Scope is the real risk, not the number of apps. One app with "read and send email" is worse than ten apps that only see your name.
  • Revoking a token is instant and reversible — you can always re-authorize an app you still trust.
  • Audit quarterly, not once. A 20-minute review every 90 days beats a panicked cleanup after a breach.
  • Delegate offboarding matters. Contractors and ex-employees often leave live grants behind on shared accounts.
  • Pair OAuth hygiene with password and backup hygiene for defense in depth.

What OAuth Permissions Actually Are (And Why They're Risky)

OAuth is the protocol that lets you grant an app limited access to your account without giving it your password. When you authorize an app, the provider issues it an access token and usually a refresh token. The refresh token is the sticky part — it lets the app keep minting new access tokens indefinitely, without ever asking you again.

The permissions the app requested are called scopes. A scope like openid email profile is harmless. A scope like https://mail.google.com/ grants full read, send, and delete access to your Gmail. Most people click "Allow" on the consent screen without reading which scopes they just approved.

The three ways a stale grant hurts you

  • Vendor breach. If the app's servers are compromised, attackers inherit your token and its scopes. This is exactly how several high-profile data exfiltration incidents unfolded.
  • Malicious updates. A benign browser extension or app can be sold and turned hostile. We covered a related pattern in how to detect and remove a malicious browser extension.
  • Forgotten delegation. Apps you connected on a work account stay live after you leave the company, unless someone revokes them.

The good news: revocation is one of the few security actions that is both instant and free. The moment you click "Remove access," the token dies and the app can no longer touch your data.

How to Do a Full OAuth Permission Audit in 20 Minutes

You don't need special software to run a first pass. You need a browser, 20 focused minutes, and a simple scoring rule. Here's the exact process I run every quarter.

  1. Open every provider dashboard in a separate tab. The main ones are Google, Microsoft, Apple, GitHub, Slack, and any password manager or SSO provider you use.
  2. Export or screenshot the current list. This gives you a before/after record so you can confirm what you removed.
  3. For each app, note three things: the app name, the scopes it holds, and the last-used date if the provider shows one.
  4. Score each grant 0 to 3 for risk (I'll define the scoring below).
  5. Revoke everything scoring 4 or higher on the combined scale.
  6. Re-authorize only what you actively use, and note the date you did the cleanup.

A simple risk-scoring rule

Combine two numbers. First, rate the sensitivity of the scopes:

  • 0 — identity only (name, email, profile picture)
  • 1 — read-only access to non-sensitive data (calendar events, public repos)
  • 2 — read access to sensitive data (full inbox, private repos, files)
  • 3 — write, send, or delete access to sensitive data

Then rate staleness: 0 if used in the last 30 days, 1 for 1–6 months, 2 for over 6 months, 3 if you don't even recognize the app. Add the two numbers. Anything scoring 4 or above gets revoked. It's blunt, but blunt is what gets the job done in 20 minutes.

A Worked Example: Cleaning Up 63 Connected Apps

Let me make this concrete with a real audit I ran on a colleague's Google Workspace account. The dashboard listed 63 connected apps. That number felt high until we scored them.

Here's the breakdown after applying the rule:

  • 28 apps held identity-only scopes and were used recently — score 0 to 1. Kept.
  • 19 apps had read-only calendar or file access, mostly unused for 4+ months — scores of 3 to 4. Of these, 11 scored 4 and were revoked.
  • 16 apps held full Gmail or Drive read/write scopes. Nine of them hadn't been touched in over six months (score 5). One was a note-taking tool neither of us recognized (score 6). All 16 revoked or downgraded.

The result: 27 grants revoked in about 18 minutes, cutting the account's exposure roughly in half. The single scariest find was that unrecognized note-taking app with full send-mail permission. Had it been compromised, an attacker could have sent phishing emails from her address to her entire contact list. That one revocation alone justified the whole exercise.

She re-authorized exactly two of the revoked apps the following week when she actually needed them. Nothing broke. That's the point worth internalizing: revocation is not a one-way door.

Where to Revoke OAuth App Permissions on Each Platform

Every provider hides this page in a slightly different place. Here are the direct paths as of this writing.

Google

  1. Go to myaccount.google.com and open Security.
  2. Scroll to Your connections to third-party apps & services and click See all connections.
  3. Click any app, review the listed scopes, then choose Delete all connections.

Microsoft / Office 365

  1. Visit account.microsoft.com, open Privacy, then Apps and services that can access your data.
  2. For work accounts, admins use the Entra ID (Azure AD) Enterprise Applications blade to revoke org-wide.
  3. Click Edit next to an app and select Remove these permissions.

GitHub

  1. Go to Settings → Applications.
  2. Review both the Authorized OAuth Apps and Authorized GitHub Apps tabs — they're separate.
  3. Click Revoke next to anything you don't recognize. Pay special attention to apps with repo or admin:org scopes.

Slack, Apple, and others

  1. Slack: Workspace admins go to your-workspace.slack.com/apps/manage to review installed apps and their bot scopes.
  2. Apple: Under Sign in with Apple at appleid.apple.com, review apps using your Apple ID and select Stop using Apple ID.

If you build or ship software yourself, the same discipline applies to the SDKs and tooling you integrate. Vetting what you connect upstream matters just as much — see our guide on how to vet open-source software before adding it to your stack.

Provider Dashboards Compared: Which Makes Auditing Easiest?

Not all revocation dashboards are created equal. Some show you last-used dates and granular scopes; others just show a name and a "remove" button. Here's how the major ones stack up on the things that matter during an audit.

Provider Shows scopes Last-used date Bulk revoke Admin controls Audit ease
Google Yes, detailed Partial Per-app only Workspace admin console High
Microsoft 365 Yes No (consumer) No Strong (Entra ID) Medium
GitHub Yes, per-scope Yes No Org owner controls High
Slack Yes, bot vs user Limited Admin only Strong Medium
Apple Minimal No No None Low

The takeaway: GitHub and Google give you the most to work with. Apple's dashboard is the most opaque, so for Apple sign-ins, lean harder on the "do I recognize this?" heuristic since you won't get scope detail to guide you.

Cover image: Software value feedback loop by jakuza, licensed under BY-SA 2.0 via Openverse.

Recent Posts

View all →

Most Popular Software

View all →

Browse by Platform

View all →