<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=OAuth_Tokens_Are_Not_Passwords</id>
	<title>OAuth Tokens Are Not Passwords - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=OAuth_Tokens_Are_Not_Passwords"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=OAuth_Tokens_Are_Not_Passwords&amp;action=history"/>
	<updated>2026-07-11T15:39:50Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=OAuth_Tokens_Are_Not_Passwords&amp;diff=396&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;= OAuth Tokens Are Not Passwords = == Channels, Capabilities, and Risk in OAuth 2.0 Systems ==  &#039;&#039;&#039;Summary:&#039;&#039;&#039;   OAuth 2.0 access tokens are frequently treated as drop-in replacements for Basic Authentication credentials. While this can appear convenient, it collapses important architectural boundaries and recreates many of the very risks OAuth was designed to avoid. This article explains why OAuth access tokens should be treated as channel-bound capability documents, an...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=OAuth_Tokens_Are_Not_Passwords&amp;diff=396&amp;oldid=prev"/>
		<updated>2026-04-20T05:35:22Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;= OAuth Tokens Are Not Passwords = == Channels, Capabilities, and Risk in OAuth 2.0 Systems ==  &amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;   OAuth 2.0 access tokens are frequently treated as drop-in replacements for Basic Authentication credentials. While this can appear convenient, it collapses important architectural boundaries and recreates many of the very risks OAuth was designed to avoid. This article explains why OAuth access tokens should be treated as channel-bound capability documents, an...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= OAuth Tokens Are Not Passwords =&lt;br /&gt;
== Channels, Capabilities, and Risk in OAuth 2.0 Systems ==&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;  &lt;br /&gt;
OAuth 2.0 access tokens are frequently treated as drop-in replacements for Basic Authentication credentials. While this can appear convenient, it collapses important architectural boundaries and recreates many of the very risks OAuth was designed to avoid. This article explains why OAuth access tokens should be treated as channel-bound capability documents, and how to design systems that enforce those boundaries cleanly and safely.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
OAuth 2.0 is deliberately flexible. It defines how tokens are issued and validated, but places few constraints on how those tokens are accepted by downstream systems.&lt;br /&gt;
&lt;br /&gt;
In real deployments, this flexibility often leads to a familiar pattern:&lt;br /&gt;
&lt;br /&gt;
* An API previously accepted Basic Authentication&lt;br /&gt;
* OAuth 2.0 is introduced&lt;br /&gt;
* Access tokens are accepted wherever Basic Auth used to work&lt;br /&gt;
&lt;br /&gt;
At first glance, this looks like progress. In practice, it often replaces one shared secret with another, while silently discarding critical information about who is calling, how, and from where.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Access Tokens as Capability Documents ==&lt;br /&gt;
&lt;br /&gt;
OAuth 2.0 access tokens should be understood as:&lt;br /&gt;
&lt;br /&gt;
:&amp;#039;&amp;#039;Cryptographic capability documents&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
A well-issued access token answers several questions:&lt;br /&gt;
&lt;br /&gt;
* Who issued this token?&lt;br /&gt;
* For which client?&lt;br /&gt;
* For which audience?&lt;br /&gt;
* With which scopes?&lt;br /&gt;
* For how long?&lt;br /&gt;
&lt;br /&gt;
It does not answer whether the token represents a human or a machine, or whether it should authenticate user interfaces.&lt;br /&gt;
&lt;br /&gt;
If a stolen access token can do everything a password could do, then the system has recreated password authentication with additional moving parts.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Why “Access Token == Basic Auth” Is a Warning Sign ==&lt;br /&gt;
&lt;br /&gt;
When access tokens are treated as equivalent to passwords:&lt;br /&gt;
&lt;br /&gt;
* Tokens become long-lived&lt;br /&gt;
* Tokens are reused across unrelated services&lt;br /&gt;
* Audience checks are relaxed or ignored&lt;br /&gt;
* Channel semantics are lost&lt;br /&gt;
* Replay risk increases dramatically&lt;br /&gt;
&lt;br /&gt;
This recreates ambient authority — exactly what OAuth was designed to reduce.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Authentication Channels: The Missing Mental Model ==&lt;br /&gt;
&lt;br /&gt;
OAuth flows encode assumptions about who is authenticating and how. Those assumptions disappear when all tokens are treated alike.&lt;br /&gt;
&lt;br /&gt;
A more robust approach is to define authentication channels explicitly.&lt;br /&gt;
&lt;br /&gt;
=== Example Authentication Channels ===&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Interactive User&amp;#039;&amp;#039;&amp;#039; – Browsers, dashboards, admin UIs&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;First-Party API Client&amp;#039;&amp;#039;&amp;#039; – Trusted internal services&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Third-Party API Client&amp;#039;&amp;#039;&amp;#039; – Partner integrations&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Machine / Background Service&amp;#039;&amp;#039;&amp;#039; – Automation, schedulers&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Legacy / Transitional&amp;#039;&amp;#039;&amp;#039; – Compatibility surfaces only&lt;br /&gt;
&lt;br /&gt;
Each channel defines allowed flows, token types, scope ceilings, and lifetime expectations.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Channel-Aware Token Acceptance ==&lt;br /&gt;
&lt;br /&gt;
APIs should not merely validate tokens; they should understand where those tokens are meant to be valid.&lt;br /&gt;
&lt;br /&gt;
Examples:&lt;br /&gt;
&lt;br /&gt;
* Machine-only endpoints should reject user tokens&lt;br /&gt;
* UI-backed APIs should reject client-credentials tokens&lt;br /&gt;
* Admin endpoints should require stronger authentication context&lt;br /&gt;
&lt;br /&gt;
This logic belongs in middleware and policy, not scattered application code.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Safeguards That Pay Off Early ==&lt;br /&gt;
&lt;br /&gt;
Even simple guardrails dramatically improve safety.&lt;br /&gt;
&lt;br /&gt;
=== Audience Enforcement ===&lt;br /&gt;
&lt;br /&gt;
Tokens must only authenticate against their intended audience. Mismatches should be fatal.&lt;br /&gt;
&lt;br /&gt;
=== Scope-to-Route Binding ===&lt;br /&gt;
&lt;br /&gt;
Scopes should map to concrete actions and routes, not vague roles.&lt;br /&gt;
&lt;br /&gt;
=== Channel-Aware Middleware ===&lt;br /&gt;
&lt;br /&gt;
Authentication middleware should know which channel an endpoint belongs to and which tokens are acceptable.&lt;br /&gt;
&lt;br /&gt;
=== Containing Legacy Compatibility ===&lt;br /&gt;
&lt;br /&gt;
If tokens must authenticate legacy surfaces:&lt;br /&gt;
&lt;br /&gt;
* Require explicit enablement&lt;br /&gt;
* Reduce scope ceilings&lt;br /&gt;
* Shorten token lifetimes&lt;br /&gt;
* Disable refresh tokens&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Enabling Stronger Authentication ==&lt;br /&gt;
&lt;br /&gt;
Once channels are explicit, stronger authentication becomes easier.&lt;br /&gt;
&lt;br /&gt;
Mechanisms such as WebAuthn can be required for high-assurance channels and enforced via OIDC claims without changing applications.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
OAuth 2.0 does not fail because it is weak. It fails when its flexibility is mistaken for permission to ignore semantics.&lt;br /&gt;
&lt;br /&gt;
Treat access tokens as scoped, audience-bound capabilities. Define authentication channels explicitly. Enforce where tokens are allowed to function — not just whether they are valid.&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>