TL;DR: OAuth 2.0 replaces password sharing with scoped, time-limited tokens for delegated access across user apps, mobile clients, CLI tools, and service-to-service integrations, according to WorkOS. The security issue is not the protocol itself but the operational mistakes that let token scope, storage, and revocation become identity risk.
NHIMG editorial — based on content published by WorkOS: What is OAuth 2.0? How modern apps get access to your data without your password
Questions worth separating out
Q: How should security teams implement OAuth 2.0 safely in production apps?
A: Start with Authorization Code plus PKCE for public clients, exact redirect URI matching, and full token validation.
Q: Why do OAuth integrations become NHI governance problems?
A: Because every token-bearing integration behaves like a non-human identity with its own ownership, permissions, and lifecycle.
Q: What do security teams get wrong about OAuth scopes?
A: They often treat consent as a one-time checkbox instead of a durable entitlement decision.
Practitioner guidance
- Standardise on Authorization Code plus PKCE: Use Authorization Code plus PKCE for browser, mobile, and desktop clients, and reject new deployments that depend on implicit or password-based flows.
- Classify OAuth integrations as governable identities: Build an inventory of every app, CLI, service account, and partner integration that can mint or refresh tokens.
- Tighten scope design and consent review: Review consent prompts for least privilege and remove broad or bundled permissions that are not essential to the task.
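The three controls named above (PKCE on the Authorization Code flow, exact redirect URI matching, and token claim validation) as an added Python example; this is not WorkOS's code, and the issuer, audience and callback values are placeholders.

```python
# Added example, not from the WorkOS article: the client and authorization-server
# halves of PKCE, an exact-match redirect URI check, and minimal JWT claim checks.
import base64
import hashlib
import hmac
import secrets
import time


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for the S256 challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization server side, at the token endpoint: reject the 'plain'
    method, enforce the RFC 7636 verifier length, compare in constant time."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def redirect_uri_allowed(registered: set, requested: str) -> bool:
    """Exact string match only: no prefix, wildcard, or path normalisation."""
    return requested in registered


def validate_claims(claims: dict, issuer: str, audience: str, now=None) -> bool:
    """Claim checks on an already signature-verified JWT payload: issuer,
    audience (string or list), and expiry with no leeway. Signature
    verification itself belongs to a vetted JWT library and is not shown."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return False
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and now < exp
```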
What's in the full article
WorkOS's full article covers the implementation detail this post intentionally leaves for the source:
- Step-by-step walkthrough of the main OAuth grant types and where each one fits in real applications.
- Practical guidance on PKCE, refresh tokens, redirect URIs, and JWT validation for production deployments.
- Detailed comparison of legacy and modern OAuth flows, including where teams should avoid implicit and password-based approaches.
- Implementation notes for WorkOS AuthKit, CLI Auth, and managed OAuth/OIDC setup.
Read WorkOS's guide to OAuth 2.0 delegation, tokens, and safe implementation.