# 8 OAuth app access control / allowlisting

> v0.0.3 · role: Prevent · [policy: #19 · #37](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

By default any user can grant a third-party app OAuth scopes over their Workspace data, and the grant survives password resets. This control inverts the default: unconfigured apps are blocked, and every app holding a Workspace scope is explicitly Trusted, Limited, Specific Google data, or Blocked, with access requests worked from the shared 'Apps pending review' queue. It also covers the domain-wide delegation table, where a client ID impersonates users with no user consent at all — the highest-value list in the tenant.

## Caveats

- Setting the default to Restricted revokes tokens for apps you haven't trusted; blocking an individual app is not documented to revoke tokens it already holds — pair with the continuous OAuth sweeps (№37) to kill live grants.
- Domain-wide delegation bypasses app access control entirely — a delegated client ID is not subject to the Trusted/Blocked verdict, so audit it separately, every time.
- 'Trusted' means all scopes, present and future — an app you trust today can request Drive-wide scopes tomorrow without re-consent.
- Most Google-owned apps are Trusted by default — test with a real third-party app before declaring the tenant closed.

## Setup steps

1. Open API controls > Settings and set the default for apps you have not explicitly reviewed. This is the switch that turns OAuth from allow-by-default into allow-by-exception. — `Security › Access and data control › API controls`

   - **Unconfigured third-party apps** = Don't allow users to access any third-party apps

   docs: [Control which apps access Google Workspace data](https://knowledge.workspace.google.com/admin/apps/control-which-apps-access-google-workspace-data)

2. Open 'Manage third-party app access' and work the Accessed apps / Apps pending review lists: every app currently holding a Workspace scope must be explicitly Trusted, Limited, Specific Google data, or Blocked. — `Security › Access and data control › API controls › App access control`

   Per app: Trusted (all scopes) only for apps with an owner and a business case; everything else = Blocked

   docs: [Control which apps access Google Workspace data](https://knowledge.workspace.google.com/admin/apps/control-which-apps-access-google-workspace-data)

3. Decide whether users may request access to blocked apps. Requests land in the shared 'Apps pending review' list, visible to any admin with the Service Settings privilege — assign an owner to work that queue. Not available for Google Workspace for Education editions. — `Security › Access and data control › API controls › App access control`

   Allow users to request access to unconfigured third-party apps = On (with the 'Apps pending review' queue actively monitored) or Off

   docs: [Review & manage third-party app access requests](https://knowledge.workspace.google.com/admin/apps/review-and-manage-third-party-app-access-requests)

4. Audit the domain-wide delegation table. Each client ID here impersonates users without any user consent — this is the highest-value list in the tenant. — `Security › Access and data control › API controls › Manage Domain Wide Delegation`

   Remove every client ID you cannot attribute to a current, owned integration; narrow remaining scopes to the minimum

   docs: [Control API access with domain-wide delegation](https://knowledge.workspace.google.com/admin/apps/control-api-access-with-domain-wide-delegation)

## Ongoing maintenance

- **[requires a human]** Weekly: review newly requested/configured apps and their scopes before approving.
- **[automatable: AI agent]** Weekly: scan the configured-apps list for scope creep on already-approved clients.

## How to verify

1. From a test account, authorise a random unconfigured third-party app against Drive scopes — the consent should be refused with the admin-configured message.

2. Confirm no wide-open default remains: API controls should show unconfigured third-party apps = blocked (or restricted).

## Settings screens

- Security > Access and data control > API controls
  - console: https://admin.google.com/ac/owl
  - screenshot: ../screenshots/admin.google.com/ac/owl.png
- Security > Access and data control > API controls > App access control > Manage third-party app access (Configured apps)
  - console: https://admin.google.com/ac/owl/list?tab=configuredApps
  - screenshot: ../screenshots/admin.google.com/ac/owl/list__tab-configuredApps.png
- Security > Access and data control > API controls > App access control > Settings (unconfigured third-party apps)
  - console: https://admin.google.com/ac/owl/settings
  - screenshot: ../screenshots/admin.google.com/ac/owl/settings.png
- Security > Access and data control > API controls > Manage Domain Wide Delegation
  - console: https://admin.google.com/ac/owl/domainwidedelegation
  - screenshot: ../screenshots/admin.google.com/ac/owl/domainwidedelegation.png
