← All controls

37 Continuous OAuth re-authorization sweeps

A scheduled sweep that snapshots every live OAuth grant in the tenant, diffs it against the approved-app register, sets the access decision in the console for anything unapproved so the grant cannot simply be re-issued, and then revokes it per user. It catches the app a user consented to last week and the malicious client an attacker authorised after a phish — neither of which shows up in any settings screen. The diff is routed to the security mailbox, so the sweep is continuous rather than a one-off.

Caveats

Setup steps

  1. gam all users print tokens > tokens-$(date +%F).csv

    Method: tokens.list ↗

  2. open ↗
    Admin console screen — Security > Access and data control > API controls (overview)

    https://admin.google.com/ac/owl · captured 2026-07-15

    comm -13 <(sort apps-register.csv) <(cut -d, -f<clientid-column> tokens-$(date +%F).csv | sort -u)

  3. open ↗ Security › Access and data control › API controls › Manage Third-Party App Access
    App access
    Blocked (or Limited to unrestricted Google services)

    Control which apps access Google Workspace data ↗

  4. open ↗
    gam user <user> delete token clientid <clientid>

    Method: tokens.delete ↗ Manage a user's security settings ↗

  5. cron: daily or weekly; output diffed against apps-register.csv (optionally: git commit + scheduled Claude review of the diff)

Ongoing maintenance

How to verify

  1. Check the newest sweep artifact is within the cadence and the diff was reviewed — then re-run the snapshot and confirm it matches.

    gam all users print tokens > tokens-verify.csv && diff <(sort tokens-verify.csv) <(sort tokens-<last-date>.csv)

Further screens

Screen 1 of 1: Directory > Users > [user] > Security > Connected applications (per-user token review)

open ↗
Admin console screen — Directory > Users > [user] > Security > Connected applications (per-user token review)
https://admin.google.com/ac/users captured 2026-07-15

v0.1.2Detect policy #29 · #19, #33 ↗