How do I handle OAuth policy drift across Google, Microsoft, and GitHub?
Choose an OAuth integration strategy that survives provider-specific policy changes, app review requirements, redirect URI restrictions, refresh token quirks, and branding/compliance updates.
Blockers
- Lock-in via capability/exact-authorized-redirects
- Lock-in via capability/owned-domains
- Lock-in via capability/production-branding-and-scope-verification
- Lock-in via capability/registered-redirect-uris
- Lock-in via capability/publisher-verification
- Lock-in via capability/single-callback-url
- Lock-in via capability/redirect-uri-host-port-path-matching
- Lock-in via capability/ten-callback-urls
- Lock-in via capability/expiring-user-tokens-with-refresh-tokens
- requires_version: framework/github-oauth-app → protocol/oauth
- requires_version: framework/github-app → protocol/oauth
- requires_version: vendor/google → protocol/oidc
- requires_version: vendor/microsoft → protocol/oidc
Who this is for
- enterprise
- compliance
- microservices
- small-team
- low-ops
Candidates
Central OAuth Broker With Provider-Specific Connectors
As of 2026-03-14, this pattern centralizes redirect handling, token storage, branding assets, and provider change management behind one internal auth service while still keeping separate app registrations per provider. It is designed to isolate policy surfaces that current official docs keep provider-specific, including Google consent-screen verification, Microsoft multitenant publisher setup, and GitHub OAuth App versus GitHub App callback behavior.
When to choose
Best for enterprise + compliance + microservices + high-scale environments where multiple products need Google, Microsoft, and GitHub sign-in but one platform team can own provider operations. It also fits low-ops downstream teams because provider drift is handled once in the broker instead of separately in every app.
Tradeoffs
This gives the cleanest operational boundary for shared logging, token hygiene, redirect URI policy, and incident response. The cost is more platform engineering up front, another critical dependency in the login path, and an ongoing need to maintain provider-specific registrations and review workflows anyway.
Cautions
As of 2026-03-14, a broker does not remove provider review or compliance work. Google still requires production branding and scope verification when applicable, Microsoft multitenant apps still run into publisher verification and redirect URI rules, and GitHub still differentiates OAuth Apps from GitHub Apps. Treat the broker as an isolation layer, not a policy bypass.
Sources
- developers.google.com/identity/protocols/oauth2/policies
- developers.google.com/identity/protocols/oauth2/production-readiness/brand-verification
- learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview
- learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
- docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app
- docs.github.com/en/apps/creating-github-apps/registering-a-github-app/about-the-user-authorization-callback-url
Direct Provider-Native Integrations
As of 2026-03-14, this path keeps separate Google, Microsoft, and GitHub registrations and code paths so each provider can use its native model without an extra abstraction layer. It aligns closely with current docs because Google requires exact authorized redirects and owned domains, Microsoft only redirects to registered URIs and imposes multitenant publisher-domain behavior, and GitHub distinguishes sharply between OAuth Apps and GitHub Apps.
When to choose
Best for small-team + serverless + low-ops products that only need one or two providers, want minimal infrastructure, and can tolerate separate release and compliance checklists per provider. It is also the better fit when provider UX or scope requirements differ enough that a shared broker would leak abstractions.
Tradeoffs
This is the lowest-indirection option and usually the easiest to debug because each flow maps directly to provider docs and SDKs. The downside is duplicated token-handling logic, more app-registration sprawl, and more places where branding, consent, callback, or token-lifecycle changes can break sign-in.
Cautions
As of 2026-03-14, direct integrations need explicit runbooks per provider. Google can require consent-screen resubmission when branding fields change and can invalidate refresh tokens at any time; Microsoft will not redirect to unregistered URIs and can show unverified warnings for qualifying multitenant apps; GitHub OAuth Apps allow only one callback URL and apply redirect_uri host, port, and path matching rules.
Sources
- developers.google.com/identity/protocols/oauth2/web-server
- developers.google.com/identity/protocols/oauth2/policies
- learn.microsoft.com/en-us/entra/identity-platform/reply-url
- learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
- docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app
- docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
Hybrid: GitHub App For GitHub, OAuth Or OIDC Clients For Google And Microsoft
As of 2026-03-14, this hybrid accepts that GitHub's current guidance and capability set differ from generic OAuth App behavior. GitHub Apps support up to 10 callback URLs and expiring user tokens with refresh tokens, while Google and Microsoft continue to use their own OAuth or OIDC app registration, consent, and verification flows.
When to choose
Best for enterprise + small-team combinations where GitHub is operationally important, you need more than one callback environment for GitHub, or you want GitHub's finer-grained app model without forcing the same abstraction onto Google and Microsoft. It is especially strong for monorepo or developer-tooling products that integrate deeply with GitHub but only need standard sign-in from Google and Microsoft.
Tradeoffs
This matches GitHub's native app model better than forcing GitHub OAuth Apps to look like other providers, and it reduces GitHub-specific callback pain. The tradeoff is a split architecture: one provider uses an installation-centric app model and optional webhook surface, while the others remain classic OAuth or OIDC client integrations.
Cautions
As of 2026-03-14, this approach increases product-surface diversity. GitHub App user tokens expire by default unless you opt out, Google still expects owned domains, HTTPS redirects, and verification for applicable production apps, and Microsoft still requires registered redirect URIs and can require publisher work for multitenant trust signals. Budget for separate provisioning, support, and compliance documentation per provider.
Sources
- docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app
- docs.github.com/en/apps/creating-github-apps/registering-a-github-app/about-the-user-authorization-callback-url
- docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens
- developers.google.com/identity/protocols/oauth2/web-server
- learn.microsoft.com/en-us/entra/identity-platform/reply-url
- learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview
Try with your AI agent
$ npm install -g pocketlantern $ pocketlantern init # Restart Claude Code, Cursor, or your MCP client, then ask: # "How do I handle OAuth policy drift across Google, Microsoft, and GitHub?"