
OAuth governance and consent phishing: What engineers need to know

Blog post from WorkOS

Post Details
Company: WorkOS
Author: Maria Paktiti
Word Count: 2,113
Language: English
Summary

Modern identity systems, which commonly build on OAuth 2.0 and OpenID Connect, are exposed to consent phishing attacks that exploit users' trust in familiar authorization prompts. In a consent phishing attack, the attacker registers a legitimate-looking application with an identity provider such as Microsoft Entra ID or Google Workspace, then tricks users into granting that application access to sensitive data by imitating a routine authorization request. Unlike traditional phishing, the attack evades the usual defenses because the consent flow runs on the identity provider's own legitimate domain and no password is ever stolen. Once consent is granted, the attacker holds access tokens that remain valid even after a password change, so the impact persists and depends on the scope of the permissions the user approved. Defending against this requires robust OAuth governance: restricting which users may consent to applications, putting a review process in front of app approvals, auditing existing grants, monitoring for suspicious consent events, enforcing publisher verification, and managing token lifetimes. Security teams should treat OAuth integrations with the same scrutiny as any other access control decision; closing this gap takes both awareness of the technique and the operational measures above.