Delegated Access Without Sharing Passwords
OAuth lets a user grant an application limited access to their account without handing over the password. The key control on how much access is granted is the scope.
What Scopes Do
A scope is a named permission the client requests, such as "read contacts" or "send email". The authorization server shows the user a consent screen listing the requested scopes, and the issued access token carries only the scopes the user approved.
- Request the minimum scopes the feature actually needs.
- The user sees and consents to exactly what is requested.
- Resource servers enforce scopes on each call, rejecting actions outside them.
Defensive Practices
- Avoid broad scopes that read everything when a narrow one would do.
- Treat the consent screen as a security boundary, since users decide here.
- Re-prompt for consent when an app asks for new scopes rather than silently widening access.
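The two lists above describe the resource-server side (enforce scopes on every call, reject anything outside them) and the consent side (re-prompt when a client asks for scopes the user never approved). The following Python is an added example, not code from the page; the endpoint paths, scope names ("contacts.read", "mail.send", "contacts.write") and the token object are constructed stand-ins for the decoded claims of a real access token.

```python
"""Scope enforcement on a resource server plus a consent-delta check.

Added example. Token contents are constructed dicts/objects standing in for
the claims a resource server would obtain by validating a JWT or calling the
authorization server's introspection endpoint.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


class InsufficientScope(Exception):
    """Raised when a token lacks the scope an endpoint requires (maps to HTTP 403)."""


@dataclass(frozen=True)
class AccessToken:
    subject: str            # the user who consented
    client_id: str          # the application the token was issued to
    scopes: frozenset[str]  # exactly what the user approved, nothing more


def parse_scope_claim(scope_claim: str) -> frozenset[str]:
    """Parse the space-delimited 'scope' claim as the authorization server issues it."""
    return frozenset(s for s in scope_claim.split(" ") if s)


# Every endpoint declares the single scope it needs (hypothetical scope names).
# Endpoints absent from this table are denied: the policy is deny-by-default.
ENDPOINT_SCOPES: dict[tuple[str, str], str] = {
    ("GET", "/contacts"): "contacts.read",
    ("DELETE", "/contacts"): "contacts.write",
    ("POST", "/mail/send"): "mail.send",
}


def enforce_scope(token: AccessToken, method: str, path: str) -> str:
    """Check run on every call. Returns the satisfied scope or raises InsufficientScope."""
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        raise InsufficientScope(f"no scope policy registered for {method} {path}")
    if required not in token.scopes:
        raise InsufficientScope(f"{method} {path} requires scope '{required}'")
    return required


def handle_request(token: AccessToken, method: str, path: str) -> tuple[int, str]:
    """Return an HTTP-style (status, body) pair after the scope check."""
    try:
        enforce_scope(token, method, path)
    except InsufficientScope as exc:
        # A real server would also set WWW-Authenticate: Bearer error="insufficient_scope".
        return 403, f"insufficient_scope: {exc}"
    return 200, f"ok: {method} {path} for {token.subject}"


def scopes_needing_consent(granted: Iterable[str], requested: Iterable[str]) -> frozenset[str]:
    """Scopes in a new authorization request that this user has not already approved.

    A non-empty result means the authorization server must show the consent
    screen again instead of silently issuing a token with the wider scope set.
    """
    return frozenset(requested) - frozenset(granted)


if __name__ == "__main__":
    # Constructed token: the user approved reading contacts and sending mail only.
    token = AccessToken("alice", "calendar-app", parse_scope_claim("contacts.read mail.send"))
    for method, path in [("GET", "/contacts"), ("DELETE", "/contacts"), ("GET", "/admin")]:
        print(method, path, "->", handle_request(token, method, path))

    # The same app later asks for contacts.write: only the new scope needs consent.
    previously_granted = token.scopes
    new_request = parse_scope_claim("contacts.read mail.send contacts.write")
    print("re-prompt for:", sorted(scopes_needing_consent(previously_granted, new_request)))
```

Two design choices worth noting: unknown endpoints fail closed rather than being allowed through, and the consent check subtracts sets so that a repeat request for already-approved scopes produces no prompt while any widening does.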
Key idea
Scopes bound what a token can do, and the consent screen lets the user approve exactly that, so request the least scope and always enforce scopes server side.