Agent OAuth App Registrations and Consent

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

OAuth app registration and consent records tell agents why an integration can authenticate but still lack permission to act.

## Core Explanation

Agents troubleshooting OAuth failures need more than a token error string. They should inspect the app registration, redirect URI, requested scopes, consent screen, tenant consent policy, and whether consent was granted by a user or administrator.

This evidence prevents unsafe fixes such as broadening scopes without approval. A least-privilege recommendation should name the app, provider, scope set, consent state, and user or tenant boundary.
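The check described above, as an added example that is not taken from any of the providers' documentation: it compares a consent record against the scopes an action needs and returns a finding naming the app, provider, scope set, consent state, and boundary. The `ConsentRecord` fields, the action labels, and the sample app, scope, and tenant names are hypothetical and not any provider's API schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConsentRecord:
    # Hypothetical provider-neutral fields, not any provider's API schema.
    app: str
    provider: str
    redirect_uris: frozenset     # URIs on the app registration
    requested_scopes: frozenset  # scopes the app asks for at authorization
    granted_scopes: frozenset    # scopes consent actually covers
    consent_by: str              # "user", "admin" or "none"
    boundary: str                # user or tenant the consent applies to
    user_consent_allowed: bool   # tenant consent policy

def diagnose(rec, redirect_uri, needed_scopes):
    """Explain why an integration that authenticates still cannot act."""
    needed = frozenset(needed_scopes)
    missing = needed - rec.granted_scopes
    finding = {
        "app": rec.app, "provider": rec.provider, "boundary": rec.boundary,
        "consent_state": rec.consent_by,
        "missing_scopes": sorted(missing),
        # Granted but not needed for this action: listed for review.
        "unused_grants": sorted(rec.granted_scopes - needed),
    }
    if redirect_uri not in rec.redirect_uris:      # exact string match only
        finding["action"] = "fix_redirect_uri"
    elif not missing:
        finding["action"] = "none_scopes_sufficient"
    elif not missing <= rec.requested_scopes:
        # The registration never asks for these; adding them needs approval.
        finding["action"] = "request_approval_to_add_scopes"
    elif rec.user_consent_allowed:
        finding["action"] = "request_user_consent"
    else:
        finding["action"] = "request_admin_consent"
    return finding

# Constructed sample record; app, scope and tenant names are made up.
SAMPLE = ConsentRecord(
    app="report-sync", provider="example-idp",
    redirect_uris=frozenset({"https://app.example.test/callback"}),
    requested_scopes=frozenset({"profile.read", "files.read"}),
    granted_scopes=frozenset({"profile.read"}),
    consent_by="user", boundary="tenant:example-tenant",
    user_consent_allowed=False,
)

if __name__ == "__main__":
    print(diagnose(SAMPLE, "https://app.example.test/callback", {"files.read"}))
```

Every branch ends in a request or a registration fix; none of them widens the scope set on its own.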

## Source-Mapped Facts

- GitHub OAuth app documentation describes redirecting users to GitHub to request their GitHub identity. ([source](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps))
- Google Workspace documentation describes configuring an OAuth consent screen for Google Workspace apps. ([source](https://developers.google.com/workspace/guides/configure-oauth-consent))
- Microsoft Entra documentation describes user and admin consent as part of application access to protected resources. ([source](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview))

## Further Reading

- [GitHub Authorizing OAuth Apps](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps)
- [Google Configure OAuth Consent](https://developers.google.com/workspace/guides/configure-oauth-consent)
- [Microsoft Entra User and Admin Consent](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview)