Enhancing Security for Third-Party Application Access and OAuth in Google Workspace

This guide provides Google Workspace administrators with a comprehensive overview of managing and securing third-party application access using OAuth, along with insights into monitoring related activities within the Google Admin console's Security Center. Understanding these mechanisms is crucial for maintaining a robust security posture within your organization's Google Workspace environment.

Understanding OAuth and Its Importance in Google Workspace Security

Open Authorization (OAuth) is an open standard that enables third-party services to access a user's account information without requiring the user's password. This method significantly enhances security by allowing applications to obtain a digital key for access, rather than direct password credentials.

OAuth scopes provide granular control, allowing applications to request specific, limited access to user data. Users must explicitly permit this access, ensuring that applications only have the necessary permissions.

Transitioning from Less Secure Apps to OAuth

To bolster account security, Google is transitioning away from less secure apps (LSAs) that use basic authentication (username and password) for accessing Google Accounts. Starting March 14, 2025, access to LSAs will be turned off for all Google Accounts for services like Gmail, Google Calendar, and Google Contacts. This includes protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP that rely on legacy passwords.

Organizations and users must switch to OAuth-supported access methods. This involves updating existing applications or migrating to new ones that support OAuth 2.0. Users who do not transition will encounter authentication errors once LSA access is discontinued.

Key actions for administrators and users:

• For Users:
  • Microsoft Outlook 2016 or earlier: Move to Microsoft Office 365 (web-based) or Outlook for Windows/Mac that support OAuth. Alternatively, consider Google Workspace Sync for Microsoft Outlook (GWSMO).
  • Mozilla Thunderbird or other email clients: Remove and re-add your Google Account, configuring it to use IMAP with OAuth.
  • iOS/macOS Mail, Calendar, Contacts apps: If signing in with only a password, remove and re-add your Google Account and select "Sign in with Google" to automatically use OAuth.
• For Scanners & Devices:
  • Configure devices to use OAuth.
  • Utilize alternative scanning/email sending methods.
  • Set up an App Password for the device if it doesn't support OAuth.
• For App Developers:
  • Update applications to use OAuth 2.0 for connecting to Google Accounts. Resources include "Using OAuth 2.0 to Access Google APIs" and "OAuth 2.0 for Mobile & Desktop Apps".

Google Sync, which does not support OAuth, is also being deprecated. New users will be unable to connect via Google Sync starting Summer 2024, and existing users will lose access by March 14, 2025.

Automatic OAuth 2.0 Token Revocation

For enhanced account security, OAuth 2.0 tokens issued for access to certain Google products are automatically revoked when a user's password is changed. This means that third-party mail applications (e.g., Apple Mail, Mozilla Thunderbird) and other applications using mail scopes will stop syncing data after a password reset until a new OAuth 2.0 token is granted. A new token is issued when the user re-authenticates with their Google account credentials.

This policy applies to third-party mail applications on mobile devices, aligning their behavior with native Gmail apps on iOS and Android which also require re-authentication post-password reset.

Important notes regarding token revocation:

• Applications built on Apps Script are not included in this token revocation process, even if they access mail.
• If a password change is initiated from an Android device, the OAuth token for that device's account sync is not revoked.
• Gmail IMAP sessions authenticated using OAuth are unaffected by a password change but are limited by the access token's validity period (typically 1 hour).
• This policy impacts access tokens and refresh tokens.
• Changing a password multiple times via the Directory API with the same hashed password (and salt, if applicable) will not trigger token revocation as it's not treated as a password change.
• The "Less secure apps" setting has no impact on tokens being revoked upon password change.

Monitoring OAuth Activity in the Security Dashboard

Google Workspace administrators can monitor OAuth grant activity and related security events through the Security Center's Dashboard in the Google Admin console. This capability requires the "Security center administrator" privilege.

To access these reports:

• Sign in to the Google Admin console with an administrator account.
• Navigate to Menu > Security > Security center > Dashboard.

The Security dashboard offers various reports for monitoring OAuth activities:

OAuth Log Events

Administrators can search and take action on OAuth log events to review which users are utilizing third-party mobile or web applications within the domain. This includes records of users opening Google Workspace Marketplace apps and third-party applications being authorized to access Google Account data (e.g., Google Contacts, Calendar, Drive files).

Search attributes for OAuth log events include:

• Actor group name
• Actor organizational unit
• API method
• API name
• Application ID
• Application name
• Client type
• Date
• Event (e.g., API call, Grant)
• IP address
• Number of response bytes
• Product
• Scope
• User

Data can be forwarded to Google Cloud Logging for more advanced querying and storage control.

OAuth Grant Activity Report

This report helps monitor the overall OAuth grant activity within your organization. It ranks activity by the growth in grants to applications over a selected time period compared to a previous period. You can view this activity broken down by application, by scope, or by user.

• To view this report, navigate to Security > Security center > Dashboard and click "View report" from the "OAuth grant activity" panel.
• The report can be customized by domain and date range.
• Data can be exported to a spreadsheet.

OAuth Grants to New Apps Report

This report specifically highlights new applications that have been granted OAuth access within a given time period. This is crucial for identifying new apps integrating with your Google Workspace environment.

• Access this report from the "OAuth grants to new apps" panel on the Security dashboard by clicking "VIEW REPORT".
• Similar to other reports, it can be filtered by domain.

OAuth Scope Grants by Product Report

This report provides insights into the number of OAuth scope grants over time, categorized by Google Workspace product. This allows administrators to understand which products are frequently granting specific OAuth scopes to applications.

• To view this report, go to the "OAuth scope grants by product" panel on the Security dashboard and click "View Report".
• Reports can be customized by domain and date range.
• Data can be exported to a spreadsheet.

These reports enable administrators to effectively track application access, identify potential security risks, and ensure compliance with organizational security policies regarding third-party integrations.

References

• OAuth log events - Google Workspace Admin Help
• Transition from less secure apps to OAuth - Google Workspace Admin Help
• Automatic OAuth 2.0 token revocation upon password change - Google Workspace Admin Help
• OAuth grant activity report - Google Workspace Admin Help
• OAuth grants to new apps report - Google Workspace Admin Help
• OAuth scope grants by product - Google Workspace Admin Help

Note: One of the provided URLs, https://support.google.com/a/answer/11609141, could not be accessed during the content generation process. All information in this guide is derived from the successfully browsed and accessible URLs.