Google updates OAuth incremental authorization

Google makes it simpler for users to grant a third-party app access to Google Account data.


Google has simplified the OAuth authorization process for users who give a third-party app access to Google apps such as Docs and Drive. 

The update, though minor, makes approving access to data in a Google Account a single-tap process that's friendlier for smartphones. 

OAuth is a widely supported standard for giving apps access to account information. It has been abused by attackers in the past, which forced Google to introduce stricter rules for developers who use it to connect to Google apps. Today, Google requires that all third-party apps use OAuth to request access to Google Account data.


The current change is aimed at developers of web apps that use incremental authorization – a feature available from Google's authorization server that lets developers request access to a certain "scope" of resources. 

Google recommends that permission requests are made at the time access is required rather than upfront, such as when an app saves an event to Google Calendar. The request should only be made after the user presses the 'Add to Calendar' button. 

Now, instead of checking a box and clicking 'continue' when granting access, users can just press continue for that single scope. 
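The following is an added example, not code from Google's blog post: it assumes a hypothetical web app that adds events to Google Calendar and shows the least-privilege pattern described above, requesting only the Calendar events scope at the moment the user clicks 'Add to Calendar', skipping the prompt entirely if that scope was already granted, and binding the request to the session with a `state` value and a PKCE challenge (the client ID, redirect URI and granted-scope list are assumed inputs).

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Google scope for creating and editing Calendar events.
CALENDAR_EVENTS_SCOPE = "https://www.googleapis.com/auth/calendar.events"


def missing_scopes(granted, required):
    """Return the required scopes the user has not granted yet, in order."""
    already = set(granted)
    return [s for s in required if s not in already]


def pkce_challenge(verifier):
    """Derive the S256 PKCE code_challenge for a code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Generate a fresh code_verifier and its code_challenge; store the
    verifier server-side in the user's session until the code exchange."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    return verifier, pkce_challenge(verifier)


def build_incremental_auth_url(client_id, redirect_uri, granted, required,
                               state, code_challenge):
    """Build the authorization URL for an incremental request, or return None
    when every required scope is already granted (no consent prompt needed)."""
    extra = missing_scopes(granted, required)
    if not extra:
        return None
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(extra),          # only the newly needed scope(s)
        "include_granted_scopes": "true",  # keep earlier grants on the new token
        "state": state,                    # CSRF binding to the user's session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"
```

The app should only call `build_incremental_auth_url` in the handler for the 'Add to Calendar' action, and should verify that the `state` returned on the redirect matches the stored session value before exchanging the code.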

It's a continuation of work Google has done for how users can give consent to third-party apps to access Google Account data. In 2019, it introduced fine-grained controls with one screen for each scope requested. This July, it consolidated multiple permission requests into a single screen. 

Google explains that developers don't need to update their apps to support the simpler approval process, but it does recommend they implement incremental authorization. 


"There is no change you need to make to your app. However, we recommend using incremental authorization and requesting only one resource at the time your app needs it," notes Google in a blog post.

"We believe that doing this will make your account data request more relevant to the user and therefore improve the consent conversion."
