# OAuth Scopes and Consent Governance

One-sentence definition: Limit delegated access via fine-grained scopes and controlled consent.

## Key Facts

- Design least-privilege scopes; avoid broad “*” or admin-by-default.
- Admin consent workflows; client vetting and allowlists.
- Rotate client secrets; use PKCE for public clients; restrict redirect URIs.
- **Verify:** check the official (ISC)² CBK and current exam outline.

## Exam Relevance

- Recognize over-scoped tokens and risky consent flows.

**Mnemonic:** “**Scope small, consent controlled**.”

## Mini Scenario

Q: Third-party app wants org-wide read—policy?

A: Admin consent with review; grant minimal scopes; monitor usage.

## Revision Checklist

- Two scope rules.
- PKCE purpose.
- Redirect URI control.

## Related

[[API Security Fundamentals (REST GraphQL gRPC)]] · [[JWT Usage and Pitfalls]] · [[Service-to-Service Auth (API Keys OAuth mTLS DPoP)]] · [[Shadow IT Discovery and Control Operations]] · [[Domain 8 - Index]]