Analisador de Scopes OAuth
Analise scopes OAuth 2.0 para sobre-permissão e violações de mínimo privilégio
Analyzing OAuth 2.0 Scopes for Least-Privilege Violations
OAuth 2.0 scopes control what permissions an application requests from a user or service. Over-scoped tokens — requesting admin access when read-only suffices, or requesting write+delete when only write is needed — violate the principle of least privilege and increase the blast radius of token compromise. The OAuth Scope Analyzer examines your scope lists against provider-specific knowledge bases to detect over-permission patterns, dangerous scope combinations, and scope creep that accumulates as applications evolve.
Paste your OAuth scopes (space or comma separated) and select the provider (GitHub, Google, Azure AD, or Okta) to receive a detailed analysis of permission levels, dangerous combinations, and least-privilege alternatives for each overly broad scope. All processing happens entirely in your browser — your scope configurations never leave your device.
Over-Permission Detection
The analyzer identifies scopes that grant more access than typically needed:
- Admin when read suffices:
repo(full access) whenrepo:statusorpublic_repowould work - Write when read suffices:
user:emailgrants read, butusergrants read+write to profile - Broad access to specific need:
https://www.googleapis.com/auth/drive(full Drive) whendrive.file(only app-created files) suffices - Wildcard scopes: Scopes like
*orallthat grant unrestricted access
For each over-permission, the analyzer suggests the narrowest scope that still enables the intended functionality.
Dangerous Scope Combinations
Some scope combinations create compound risks greater than individual scopes suggest:
- Read + Delete: A compromised token with both read and delete access enables data exfiltration followed by evidence destruction
- User impersonation + API access: Combined scopes that allow acting as any user while accessing sensitive APIs
- Admin + No MFA requirement: Administrative scopes without additional authentication factors create single-point-of-failure risks
- Cross-service escalation: Scopes spanning multiple services that together enable lateral movement
Provider-Specific Analysis
Each OAuth provider has unique scope semantics and hierarchies:
- GitHub:
repoincludes all sub-scopes (status, deployment, public_repo),admin:orggrants organization management - Google: URL-based scopes with varying granularity (drive vs drive.file, gmail.readonly vs gmail.compose)
- Azure AD: Application vs delegated permissions with different consent requirements and admin consent flows
- Okta: Custom scopes with claim-based access tokens and authorization server policies
The analyzer understands provider-specific scope hierarchies to detect implicit permissions granted by broad scopes that include narrower ones. For GitHub, requesting repo implicitly includes repo:status, repo_deployment, and public_repo — the analyzer detects when these implicit grants exceed the application's actual needs. For Google APIs, the analyzer maps URL-format scopes to their human-readable equivalents and identifies when restricted scopes (requiring app verification) are used unnecessarily.
Token Lifecycle and Scope Reduction
The analyzer also evaluates scope configurations against token lifecycle best practices:
- Refresh token scope inheritance: Refresh tokens inheriting overly broad scopes persist elevated access beyond the original session
- Incremental authorization: Requesting all scopes upfront rather than incrementally as features are used increases risk exposure from day one
- Scope reduction on renewal: Token refresh operations that could request narrower scopes but default to the original broad set
- Short-lived vs long-lived tokens: Broad scopes on tokens with extended expiration create persistent attack surfaces
Best practice is to request the minimum scopes required for the current user action and expand incrementally when additional permissions are needed. The analyzer provides a suggested timeline of which scopes to request at each stage of user interaction.
Code Examples
GitHub OAuth Scope Analysis
# Input scopes:
repo admin:org user delete_repo workflow
# Analysis:
# - CRITICAL: "delete_repo" — allows permanent repository deletion
# - HIGH: "admin:org" — full organization management (members, teams, settings)
# - WARN: "repo" — grants write to all repositories; consider "public_repo" or "repo:status"
# - WARN: "workflow" — allows modifying GitHub Actions (supply chain risk)
# - INFO: "user" — includes user:email implicitly
# Recommendations:
# If app only reads CI status: Replace "repo" with "repo:status"
# If app only needs org membership: Replace "admin:org" with "read:org"
# If app never deletes repos: Remove "delete_repo"
# Security score: 3/10 (over-permissioned)