The On-Behalf-Of (OBO) flow is an OAuth pattern that lets one application call another service using a signed-in user’s delegated permissions. Instead of asking the user to sign in again, a middle-tier app exchanges the user’s token for a new token scoped to the downstream resource. The result is a chained trust model: the app acts, but only within the user’s consent and the granted scopes.
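The exchange described above, as an added example that is not part of the original page: a self-contained Python simulation in which one HS256 "authorization server" issues the user's front-door token to a middle-tier API, the middle tier trades it for a downstream token, and the downstream API accepts only tokens minted for its own audience. The signing key, client identifiers, consent table and the `act` claim are constructed for illustration; the request parameters (`grant_type`, `assertion`, `requested_token_use=on_behalf_of`, `scope`) mirror the Microsoft identity platform's OBO request shape but nothing here talks to a real endpoint.

```python
"""Simulation of the OAuth On-Behalf-Of (OBO) token exchange (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: shared AS key

# Constructed consent record: delegated permissions per user and resource.
CONSENT = {
    "user-42": {
        "api://middle-tier": {"Tasks.ReadWrite"},
        "api://downstream": {"Files.Read"},
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """Sign a JWT (HS256) as the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str) -> dict:
    """Check signature, expiry and audience; return the claims or raise."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if claims["aud"] != expected_aud:
        raise PermissionError(f"audience mismatch: {claims['aud']} != {expected_aud}")
    return claims


def user_token_for(user: str, client_aud: str) -> str:
    """Front-door token the client app holds after the user signs in."""
    return issue_token({"sub": user, "aud": client_aud, "azp": "client-app",
                        "scp": sorted(CONSENT[user][client_aud]),
                        "exp": int(time.time()) + 300})


def obo_exchange(form: dict) -> str:
    """Authorization-server side of the OBO grant (request shape is an assumption)."""
    if form.get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer":
        raise ValueError("unsupported grant_type")
    if form.get("requested_token_use") != "on_behalf_of":
        raise ValueError("requested_token_use must be on_behalf_of")
    # The assertion must be a valid token issued *to* the requesting middle tier.
    incoming = verify_token(form["assertion"], expected_aud=form["client_id"])
    requested = form["scope"].split()
    resources = {s.rsplit("/", 1)[0] for s in requested}
    if len(resources) != 1:
        raise ValueError("an OBO request targets exactly one downstream resource")
    resource = resources.pop()
    wanted = {s.rsplit("/", 1)[1] for s in requested}
    consented = CONSENT.get(incoming["sub"], {}).get(resource, set())
    missing = wanted - consented
    if missing:  # the chain never widens beyond what the user consented to
        raise PermissionError(f"no consent for {sorted(missing)} on {resource}")
    # Chained trust: same subject, new audience, middle tier recorded as the actor
    # (the `act` claim here is modelled on RFC 8693 and is an assumption).
    return issue_token({"sub": incoming["sub"], "aud": resource, "azp": form["client_id"],
                        "scp": sorted(wanted), "act": {"sub": form["client_id"]},
                        "exp": min(incoming["exp"], int(time.time()) + 300)})


def downstream_api(token: str) -> dict:
    """Downstream resource: accepts only tokens minted for its own audience."""
    claims = verify_token(token, expected_aud="api://downstream")
    return {"user": claims["sub"], "via": claims["azp"], "scopes": claims["scp"]}


def middle_tier_handle_request(user_token: str) -> dict:
    """Middle-tier API: validate the caller's token, then call downstream via OBO."""
    verify_token(user_token, expected_aud="api://middle-tier")
    downstream_token = obo_exchange({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": "api://middle-tier",
        "assertion": user_token,
        "scope": "api://downstream/Files.Read",
    })
    return downstream_api(downstream_token)


if __name__ == "__main__":
    print(middle_tier_handle_request(user_token_for("user-42", "api://middle-tier")))
```

Two properties of the chain are worth noticing: the downstream token still names the user as `sub`, so the downstream API authorizes against the user's permissions rather than the middle tier's, and a token issued for one audience is rejected by every other party, so a downstream token cannot be replayed at the middle tier.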
OBO matters in cyber security because it is common in enterprise apps, APIs, and AI assistants that perform work for users. Defenders use it to support least-privilege access and clean audit trails, but attackers may abuse overbroad scopes, stolen tokens, or misconfigured consent to make malicious activity look legitimate. Security teams watch sign-in logs, consent events, resource targets, and abnormal scope use to spot when delegated access is being stretched beyond its intended boundaries.
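The monitoring the paragraph above describes, as an added example rather than anything from the original page: a small Python detector run over constructed OBO exchange records. It compares each exchange against a baseline of which downstream resources and scopes a middle-tier app is expected to request on users' behalf, and flags three things: a resource the app has never been expected to call, a scope beyond the baseline for that resource, and a burst of exchanges for one user in a short window. The record fields, baseline, thresholds and every log line are assumptions made for the example and do not follow any real sign-in log schema.

```python
"""Detection over constructed OBO exchange records (not a real log schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: expected downstream resources and scopes per middle-tier app.
BASELINE = {
    "api://middle-tier": {"api://downstream": {"Files.Read"}},
}

# Constructed records: user, requesting app, downstream resource, scopes granted.
RECORDS = [
    {"ts": "2024-05-01T10:00:00", "user": "user-42", "client": "api://middle-tier",
     "resource": "api://downstream", "scopes": ["Files.Read"]},
    {"ts": "2024-05-01T10:00:05", "user": "user-42", "client": "api://middle-tier",
     "resource": "api://downstream", "scopes": ["Files.Read", "Files.ReadWrite.All"]},
    {"ts": "2024-05-01T10:00:07", "user": "user-42", "client": "api://middle-tier",
     "resource": "api://mail", "scopes": ["Mail.Read"]},
] + [  # six exchanges for one user within 30 seconds
    {"ts": f"2024-05-01T11:00:{5 * i:02d}", "user": "user-7", "client": "api://middle-tier",
     "resource": "api://downstream", "scopes": ["Files.Read"]}
    for i in range(6)
]


def analyze(records, baseline=BASELINE, burst_n=5, window=timedelta(seconds=60)):
    """Return a list of alert tuples; the first element names the alert kind."""
    alerts = []
    recent = defaultdict(list)  # user -> exchange timestamps inside the window
    burst_fired = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        expected = baseline.get(r["client"], {})
        if r["resource"] not in expected:
            # The app is reaching a downstream resource it has no business calling.
            alerts.append(("unexpected_resource", r["user"], r["client"], r["resource"]))
        else:
            extra = sorted(set(r["scopes"]) - expected[r["resource"]])
            if extra:
                # Delegated access widened beyond the scopes the app normally needs.
                alerts.append(("unexpected_scope", r["user"], r["resource"], tuple(extra)))
        ts = datetime.fromisoformat(r["ts"])
        recent[r["user"]] = [t for t in recent[r["user"]] if ts - t <= window] + [ts]
        if len(recent[r["user"]]) >= burst_n and r["user"] not in burst_fired:
            # Fire once per user when exchanges cluster more tightly than expected.
            burst_fired.add(r["user"])
            alerts.append(("exchange_burst", r["user"], len(recent[r["user"]])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(RECORDS):
        print(alert)
```

The baseline is the important part: an exchange is only "abnormal" relative to what a given app is expected to do, so the same `Files.ReadWrite.All` scope that is routine for a backup service is an alert when a task-tracking API suddenly asks for it.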