OAuth Scope Analyzer
Analyze OAuth 2.0 scopes for over-permission patterns, scope creep, and least-privilege violations across GitHub, Google, Azure AD, and Okta
Enter your OAuth 2.0 scopes to analyze for over-permission patterns and least-privilege violations
What is the OAuth Scope Analyzer?
The OAuth Scope Analyzer is a client-side tool that examines your OAuth 2.0 scope requests for over-permission patterns, dangerous combinations, and least-privilege violations. It supports scopes from GitHub, Google, Azure AD, and Okta, calculates a security score, and provides actionable recommendations to reduce your application's permission footprint.
How to Use
- Paste your OAuth scopes into the input area (space, newline, or comma separated)
- Click "Analyze Scopes" or wait for automatic processing
- Review findings with severity ratings (Critical, High, Medium, Low)
- Check least-privilege alternatives for over-permissive scopes
- Export a full report in JSON or Markdown format
Example: Over-Permissive GitHub Scopes
This scope set demonstrates common over-permission patterns:
repo
admin:org
delete_repo
user
write:packages
admin:repo_hook
What Issues Are Detected?
- Admin scopes — Full control when read-only access would suffice (e.g., admin:org vs read:org)
- Scope creep — Excessive number of scopes indicating accumulated permissions
- Dangerous combinations — Write + delete access creating data destruction risk
- Provider-specific risks — Known risky scopes for GitHub, Google, Azure AD, and Okta
- Write over read — Write-level scopes where read-only alternatives exist
- Unrestricted platform scopes — Cloud-wide access (e.g., Google cloud-platform)
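The checks listed above, as an added example that is not the page's tool: a small JavaScript analyzer that parses the three input formats the page accepts, classifies scopes from a hand-picked catalogue of real GitHub, Google, Azure AD, Okta and OIDC scopes (an illustrative subset, not the tool's full database), falls back to name heuristics for unknown scopes, flags admin, delete, write-over-read and write-plus-delete patterns, applies the page's scope-creep thresholds (more than 5 warns, more than 10 is high), and computes a weighted score whose weights are an assumption rather than the tool's. It runs on the GitHub example set above.

```javascript
// Added example (not the page's tool): a minimal OAuth scope analyzer.
// CATALOG is an illustrative subset of real provider scopes; "narrower" lists
// less-privileged alternatives for the same resource.
const CATALOG = {
  "repo":            { provider: "github", level: "write", narrower: ["public_repo", "repo:status"] },
  "public_repo":     { provider: "github", level: "write" },
  "repo:status":     { provider: "github", level: "write" },
  "admin:org":       { provider: "github", level: "admin", narrower: ["read:org", "write:org"] },
  "read:org":        { provider: "github", level: "read" },
  "write:org":       { provider: "github", level: "write" },
  "delete_repo":     { provider: "github", level: "delete" },
  "user":            { provider: "github", level: "write", narrower: ["read:user", "user:email"] },
  "read:user":       { provider: "github", level: "read" },
  "user:email":      { provider: "github", level: "read" },
  "write:packages":  { provider: "github", level: "write", narrower: ["read:packages"] },
  "read:packages":   { provider: "github", level: "read" },
  "admin:repo_hook": { provider: "github", level: "admin", narrower: ["read:repo_hook", "write:repo_hook"] },
  "read:repo_hook":  { provider: "github", level: "read" },
  "write:repo_hook": { provider: "github", level: "write" },
  "https://www.googleapis.com/auth/cloud-platform": { provider: "google", level: "admin", unrestricted: true,
    narrower: ["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/compute.readonly"] },
  "https://www.googleapis.com/auth/devstorage.read_only": { provider: "google", level: "read" },
  "https://www.googleapis.com/auth/compute.readonly":     { provider: "google", level: "read" },
  "Directory.ReadWrite.All": { provider: "azure", level: "write", narrower: ["Directory.Read.All"] },
  "Directory.Read.All":      { provider: "azure", level: "read" },
  "okta.users.manage":       { provider: "okta",  level: "admin", narrower: ["okta.users.read"] },
  "okta.users.read":         { provider: "okta",  level: "read" },
  "openid":  { provider: "oidc", level: "read" },
  "profile": { provider: "oidc", level: "read" },
  "email":   { provider: "oidc", level: "read" },
};

// Score penalties per finding severity (assumed values, not the tool's).
const WEIGHT = { critical: 30, high: 15, medium: 8, low: 3 };

// Accepts space-, newline- or comma-separated scopes and drops duplicates.
function parseScopes(text) {
  return [...new Set(text.split(/[\s,]+/).map(s => s.trim()).filter(Boolean))];
}

// Catalogue lookup, with a name heuristic for unknown scopes. Order matters:
// delete before admin before write before read, so "Mail.ReadWrite" lands on write.
function classify(scope) {
  if (CATALOG[scope]) return { ...CATALOG[scope], known: true };
  const level = /delete|remove|destroy/i.test(scope)     ? "delete"
              : /admin|manage|full/i.test(scope)         ? "admin"
              : /write|modify|edit|create/i.test(scope)  ? "write"
              : /read|readonly|view|list/i.test(scope)   ? "read" : "unknown";
  return { provider: "unknown", level, known: false };
}

function analyze(text) {
  const scopes = parseScopes(text);
  const findings = [];
  const add = (severity, type, scope, message, alternatives = []) =>
    findings.push({ severity, type, scope, message, alternatives });

  for (const scope of scopes) {
    const info = classify(scope);
    const readAlts = (info.narrower || []).filter(n => classify(n).level === "read");
    if (info.unrestricted) {
      add("critical", "unrestricted-platform", scope, "reaches every API in the project; use service-specific scopes", info.narrower);
    } else if (info.level === "admin") {
      add("high", "admin-scope", scope, "admin-level scope; prefer a read or write-only variant", info.narrower || []);
    } else if (info.level === "delete") {
      add("high", "delete-scope", scope, "destructive scope; request only if deletion is a core feature");
    } else if (info.level === "write" && readAlts.length) {
      add("medium", "write-over-read", scope, "write scope where a read-only alternative exists", readAlts);
    } else if (info.level === "write" && info.narrower) {
      add("low", "broad-scope", scope, "narrower scopes exist for this resource", info.narrower);
    }
  }

  // Dangerous combination: anything that can modify plus anything that can destroy.
  const levels = scopes.map(s => classify(s).level);
  if (levels.some(l => l === "write" || l === "admin") && levels.includes("delete")) {
    add("high", "write-plus-delete", "*", "one token can both modify and destroy data; split credentials or require step-up auth");
  }
  // Scope creep thresholds from the page: >5 warning, >10 high.
  if (scopes.length > 10)     add("high",   "scope-creep", "*", `${scopes.length} scopes requested`);
  else if (scopes.length > 5) add("medium", "scope-creep", "*", `${scopes.length} scopes requested`);

  const penalty = findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0);
  return { scopes, findings, score: Math.max(0, 100 - penalty) };
}

// Constructed input: the page's own over-permissive GitHub example.
const EXAMPLE = "repo\nadmin:org\ndelete_repo\nuser\nwrite:packages\nadmin:repo_hook";
const report = analyze(EXAMPLE);
console.log(`score ${report.score}`);
for (const f of report.findings) console.log(`[${f.severity}] ${f.type} ${f.scope}: ${f.message}`);
```

On the example set this yields eight findings (three admin or delete scopes, the write-plus-delete combination, two write-over-read scopes, the broad repo scope and a scope-creep warning) and a score of 13. The heuristic branch is deliberately conservative: an unknown scope that matches none of the patterns is reported as "unknown" rather than guessed safe.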
Supported Providers
- GitHub — repo, admin:org, user, delete_repo, workflow, and 20+ others
- Google — Drive, Gmail, Calendar, Cloud Platform, Admin Directory scopes
- Azure AD — Directory, User, Mail, Files, Group, Application permissions
- Okta — Users, Groups, Apps, Authorization Servers, Policies management
- OIDC — Standard OpenID Connect scopes (openid, profile, email)
OAuth Scope Best Practices
- Request only the minimum scopes needed for each feature
- Use incremental authorization — request scopes as features are accessed
- Prefer read-only scopes unless write access is explicitly required
- Avoid admin/manage scopes unless the app genuinely manages those resources
- Never request delete scopes unless programmatic deletion is a core feature
- Review scopes periodically and remove unused permissions
- Use separate OAuth clients for different trust levels
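Incremental authorization and the granted-scope check from the list above, as an added example that is not the page's code. The feature-to-scope map, client ID and redirect URI are hypothetical; the authorization endpoint and the include_granted_scopes parameter are Google's; the post-exchange check follows RFC 6749 section 3.3, which allows the server to issue fewer scopes than requested and requires it to report the actual scope when it does.

```javascript
// Added example (not the page's code): request scopes per feature, and verify
// what the server actually granted. FEATURE_SCOPES is a hypothetical app's map;
// the Drive scopes in it are real Google scopes.
const FEATURE_SCOPES = {
  "sign-in":      ["openid", "email"],
  "list-files":   ["https://www.googleapis.com/auth/drive.readonly"],
  "upload-files": ["https://www.googleapis.com/auth/drive.file"],
};

// Scopes a feature still needs beyond what the user has already granted.
function missingScopes(feature, granted) {
  const have = new Set(granted);
  return (FEATURE_SCOPES[feature] || []).filter(s => !have.has(s));
}

// Authorization URL that asks only for the missing scopes. Returns null when nothing
// new is needed, so the app reuses its existing token instead of re-prompting.
// include_granted_scopes=true is Google's parameter for merging the new grant with
// earlier ones; other providers handle re-authorization differently, so check their docs.
// `state` must be an unpredictable value bound to the user's session (CSRF protection).
function authorizationUrl({ authEndpoint, clientId, redirectUri, state, feature, granted }) {
  const scopes = missingScopes(feature, granted);
  if (scopes.length === 0) return null;
  const url = new URL(authEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  url.searchParams.set("include_granted_scopes", "true");
  return url.toString();
}

// RFC 6749 section 3.3: the server may narrow the grant and then reports the real
// scope in the token response. Compare against what was requested plus what was
// already held; "missing" means a feature will fail, "unexpected" means investigate.
function checkGrantedScopes(requested, previouslyGranted, tokenResponse) {
  const granted = (tokenResponse.scope || "").split(" ").filter(Boolean);
  const expected = new Set([...requested, ...previouslyGranted]);
  return {
    granted,
    missing: requested.filter(s => !granted.includes(s)),
    unexpected: granted.filter(s => !expected.has(s)),
  };
}

// Walk-through with constructed values: the user signed in earlier and now opens
// the file list, so only the Drive read-only scope is requested.
const alreadyGranted = ["openid", "email"];
const authUrl = authorizationUrl({
  authEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",  // Google's endpoint
  clientId: "example-client-id",                // hypothetical
  redirectUri: "https://app.example/callback",  // hypothetical
  state: "replace-with-random-session-bound-value",
  feature: "list-files",
  granted: alreadyGranted,
});
console.log(authUrl);

// Constructed token response: the server merged the old and new grants.
const tokenResponse = {
  access_token: "constructed-token", token_type: "Bearer",
  scope: "openid email https://www.googleapis.com/auth/drive.readonly",
};
console.log(checkGrantedScopes(missingScopes("list-files", alreadyGranted), alreadyGranted, tokenResponse));
```

The point of checkGrantedScopes is that the scope string in the token response, not the one in the authorization request, is what the token can do: a user may decline individual scopes on the consent screen, and an app that assumes it got everything it asked for fails later with a 403 far from the cause.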
Privacy and Security
All analysis happens entirely in your browser using JavaScript. Your OAuth scopes — which may appear alongside access tokens or in sensitive configuration — are never transmitted to any server. No data is stored, logged, or shared.
Frequently Asked Questions
What does the OAuth Scope Analyzer check?
The OAuth Scope Analyzer examines your OAuth 2.0 scopes for over-permission patterns including admin scopes where read-only access would suffice, excessive number of scopes (scope creep), dangerous combinations like write + delete access, and provider-specific risky scopes for GitHub, Google, Azure AD, and Okta. It calculates a security score and provides least-privilege alternatives.
What providers does the OAuth Scope Analyzer support?
The analyzer recognizes scopes from GitHub (e.g., repo, admin:org, delete_repo), Google APIs (e.g., drive, gmail.modify, cloud-platform), Azure AD (e.g., Directory.ReadWrite.All, Mail.ReadWrite), and Okta (e.g., okta.users.manage, okta.groups.manage). Standard OpenID Connect scopes (openid, profile, email) are also recognized. Unknown scopes are classified using heuristic pattern matching.
What is the principle of least privilege for OAuth scopes?
The principle of least privilege means requesting only the minimum scopes required for your application to function. For example, GitHub's full 'repo' scope grants read and write access to code, commit statuses, collaborators and webhooks on every public and private repository the user can reach. If your app only needs to report commit statuses, 'repo:status' is enough; if it only works with public repositories, 'public_repo' keeps it out of private ones. Note that neither of those is read-only: GitHub OAuth app scopes have no read-only repository scope, so a genuinely read-only integration is better built as a GitHub App with the Contents: read permission. Narrowing scopes this way reduces the blast radius if your access token is compromised and builds user trust by requesting minimal permissions.
What is OAuth scope creep?
Scope creep occurs when an application accumulates more OAuth permissions than it actually needs. This typically happens when developers request broad scopes 'just in case' or when features are removed but their scopes are not. The analyzer flags applications requesting more than 5 scopes as a warning and more than 10 as a high-severity issue.
Why are write + delete scope combinations flagged?
Combining write and delete scopes in the same token creates a significant security risk. If the token is leaked, an attacker can both modify and permanently destroy data. Best practice is to separate these capabilities into different credentials or require step-up authentication for destructive operations.
How should I format my OAuth scopes for analysis?
You can enter scopes separated by spaces (the standard OAuth format), newlines (one scope per line), or commas. The analyzer handles all three formats. For example: 'repo read:user user:email' or paste each scope on its own line.
Why is the Google cloud-platform scope flagged as critical?
The 'https://www.googleapis.com/auth/cloud-platform' scope is the catch-all for every Google Cloud API: a token carrying it can reach Compute Engine, Cloud Storage, databases, IAM, Cloud Billing and every other service the authenticated principal's IAM roles allow. Scopes only narrow what a token may do and do not grant IAM permissions, but combined with an owner- or editor-level principal a leaked token is a full-project compromise. This is almost never appropriate for a single application. Use narrow, service-specific scopes such as 'https://www.googleapis.com/auth/devstorage.read_only' or 'https://www.googleapis.com/auth/compute.readonly' instead.
Is my OAuth scope data sent to a server?
No. All analysis happens entirely in your browser using JavaScript. Your OAuth scopes and tokens are never transmitted to any server. No data is stored, logged, or shared. This is critical because OAuth scopes often appear alongside access tokens that could be exploited if leaked.