nerdexam
(ISC)2

CISSP · Question #136

Which of the following problems is not addressed by using OAuth (Open Standard to Authorization) 2.0 to integrate a third-party identity provider for a service?

The correct answer is A. Resource Servers are required to use passwords to authenticate end users.. OAuth 2.0 addresses many federation and delegation problems, but it does not eliminate the need for Resource Servers to authenticate end users - it delegates authorization, not authentication. Understanding what OAuth 2.0 solves versus what it does not is key here.

Submitted by fernanda_arg· Mar 5, 2026Identity and Access Management

Question

Which of the following problems is not addressed by using OAuth (Open Standard to Authorization) 2.0 to integrate a third-party identity provider for a service?

Options

  • AResource Servers are required to use passwords to authenticate end users.
  • BRevocation of access of some users of the third party instead of all the users from the third party.
  • CCompromise of the third party means compromise of all the users in the service.
  • DGuest users need to authenticate with the third party identity provider.

How the community answered

(38 responses)
  • A
    50% (19)
  • B
    29% (11)
  • C
    8% (3)
  • D
    13% (5)

Why each option

OAuth 2.0 addresses many federation and delegation problems, but it does not eliminate the need for Resource Servers to authenticate end users - it delegates authorization, not authentication. Understanding what OAuth 2.0 solves versus what it does not is key here.

AResource Servers are required to use passwords to authenticate end users.Correct

OAuth 2.0 is an authorization framework, not an authentication protocol; it does not address how Resource Servers authenticate end users directly. Authentication is handled by protocols like OpenID Connect (OIDC) built on top of OAuth 2.0, meaning OAuth alone does not solve the problem of Resource Servers needing passwords or credentials to authenticate end users - that problem remains unless a separate identity layer is added.

BRevocation of access of some users of the third party instead of all the users from the third party.

OAuth 2.0 does address granular access revocation by allowing individual access tokens or refresh tokens to be revoked per user or per scope, rather than revoking all users from a third party at once.

CCompromise of the third party means compromise of all the users in the service.

OAuth 2.0 mitigates the blast radius of a third-party compromise because tokens are scoped and time-limited, reducing but not necessarily eliminating the risk that a third-party breach compromises all service users.

DGuest users need to authenticate with the third party identity provider.

OAuth 2.0 enables guest users to authenticate via a third-party identity provider through its authorization flows (e.g., authorization code flow), allowing federated access without requiring accounts native to the resource server.

Concept tested: OAuth 2.0 limitations versus authorization delegation capabilities

Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Topics

#OAuth 2.0#authorization#third-party identity#API security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice