OAuth grants: The hanging chads of suspended Google Workspace users

When offboarding users, don't let their their lingering OAuth grants don’t come back to haunt you.

What happens to an OAuth grant when the user who approved it is suspended? I’ve often seen companies use the “suspension” of a Google Workspace user as the end state of their employee offboarding process. This certainly has benefits, as it’s conveniently reversible—admins can still access email, can restore the user to access resources, etc—but it throws the user’s OAuth grants into a strange sort of purgatory. Indeed, when you suspend a user in Google Workspace, their OAuth grants are not actually deleted.  This state has a few interesting implications:

Zombie sessions

Many services use an OAuth grant to establish an initial association with an account, but do not routinely check to see if that grant is still valid. One familiar case is when a user signs into Slack with Google. The initial session is established with an OAuth grant, but then that session can stay alive for weeks or months with continued use. In this case, even when you’ve suspended a user, they would still have access to Slack.  

Flash access

When a user is in a suspended state, they can be reactivated with little effort. This may be required for a normal course of events in your business, such as re-establishing access to the user’s account in a third-party service to migrate data or recover an orphaned resource. But when the user’s account is reactivated, so are all of the OAuth grants. 

For grants used to establish an authenticated session, the risk of reactivating those grants is quite low, and those sessions have almost certainly expired. However, for grants with “offline” access, any previously established grants that provided programmatic access to the user’s data just came back to life. If the user had granted DocSend access to their Google Drive files, for instance, you run the risk of enabling proxied access to that user’s data through the previously established grant.

Because of these tricky edge cases, it’s critical to delete all Google Workspace OAuth grants explicitly when offboarding a user. Unfortunately, this process is quite onerous within the Google Workspace interface—each grant takes multiple clicks to remove, and on average each user has 10 grants. Essentially, it’s easy to miss, and even if you don’t, it’s time-consuming. 

How Nudge Security can help

Using a tool like Nudge Security ensures that employee offboarding is always done efficiently and completely—no hanging chads. Our playbook for employee offboarding can help organizations save up to 90 percent of the time and effort involved in SaaS offboarding by automating time-consuming, easy-to-miss tasks like revoking OAuth grants and resetting passwords for accounts outside of single sign-on (SSO). 

Nudge Security continuously discovers and inventories all the SaaS and cloud applications your employees are using, including shadow IT, giving you a single system of record for departing users’ accounts and OAuth grants that need to be deprovisioned, revoked, or transferred. Our employee offboarding playbook walks you through a comprehensive checklist for IT offboarding in alignment with Google and Microsoft best practices, enabling your team to transition employees securely and completely every time.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors