Skill

oauth

Provides OAuth 2.0 and OpenID Connect implementation patterns including authorization code flow, PKCE, token management, security best practices, and checklists for auth with Google, GitHub providers.

Oauth

Python

authentication

security

npx claudepluginhub jpoutrin/product-forge --plugin security-compliance

Tool Access

This skill uses the workspace's default tool permissions.

Preview

This skill provides guidance for OAuth 2.0 and OpenID Connect implementations.

SKILL.md

Similar Skills

oauth-implementation

Implements OAuth 2.0/OpenID Connect flows (Authorization Code + PKCE, Client Credentials, Refresh) for web/SPA/service auth. Express.js examples; Flask/Spring refs.

1 file

oauth-implementation

OAuth2 Flows

Guides OAuth2 flow selection—Authorization Code + PKCE for user apps, Client Credentials for M2M, Device Code for browserless—by client type and environment to prevent credential exposure.

1 file

harness-claude

configuring-oauth2-authorization-flow

5.9k

Configures secure OAuth 2.0 flows including Authorization Code with PKCE, Client Credentials, and Device Grant. Covers PKCE, token lifecycle, scopes, and OAuth 2.1 best practices.

7 files

cybersecurity-skills

Stats

Parent Repo Stars7

Parent Repo Forks0

Last CommitFeb 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

OAuth Skill

This skill provides guidance for OAuth 2.0 and OpenID Connect implementations.

OAuth 2.0 Flows

Authorization Code Flow (Recommended for web apps)

1. User → App: Click "Login with Google" 2. App → Auth Server: Redirect with client_id, redirect_uri, scope 3. User → Auth Server: Authenticate and consent 4. Auth Server → App: Redirect with authorization code 5. App → Auth Server: Exchange code for tokens 6. Auth Server → App: Access token + refresh token

PKCE Extension (Required for SPAs/mobile)

# Generate code verifier and challenge code_verifier = secrets.token_urlsafe(32) code_challenge = base64url(sha256(code_verifier)) # Include in authorization request params = { "code_challenge": code_challenge, "code_challenge_method": "S256", }

Token Management

@dataclass class TokenSet: access_token: str refresh_token: str expires_at: datetime token_type: str = "Bearer" async def refresh_tokens(refresh_token: str) -> TokenSet: # Exchange refresh token for new access token pass

Security Best Practices

Always use HTTPS

Use PKCE for public clients

Validate redirect URIs strictly

Store tokens securely (HttpOnly cookies or secure storage)

Implement token rotation

Set appropriate scopes (principle of least privilege)

OpenID Connect

Extends OAuth 2.0 with identity:

# ID token contains user identity claims claims = { "sub": "user123", # Subject (unique user ID) "email": "user@example.com", "name": "John Doe", "iat": 1234567890, # Issued at "exp": 1234567890, # Expiration }

Implementation Checklist

Use authorization code flow with PKCE

Validate state parameter against CSRF

Verify ID token signature

Check token expiration

Implement secure token storage

Handle token refresh gracefully

OAuth Skill

This skill provides guidance for OAuth 2.0 and OpenID Connect implementations.

OAuth 2.0 Flows

Authorization Code Flow (Recommended for web apps)

1. User → App: Click "Login with Google"
2. App → Auth Server: Redirect with client_id, redirect_uri, scope
3. User → Auth Server: Authenticate and consent
4. Auth Server → App: Redirect with authorization code
5. App → Auth Server: Exchange code for tokens
6. Auth Server → App: Access token + refresh token

PKCE Extension (Required for SPAs/mobile)

# Generate code verifier and challenge
code_verifier = secrets.token_urlsafe(32)
code_challenge = base64url(sha256(code_verifier))

# Include in authorization request
params = {
    "code_challenge": code_challenge,
    "code_challenge_method": "S256",
}

Token Management

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: datetime
    token_type: str = "Bearer"

async def refresh_tokens(refresh_token: str) -> TokenSet:
    # Exchange refresh token for new access token
    pass

Security Best Practices

Always use HTTPS
Use PKCE for public clients
Validate redirect URIs strictly
Store tokens securely (HttpOnly cookies or secure storage)
Implement token rotation
Set appropriate scopes (principle of least privilege)

OpenID Connect

Extends OAuth 2.0 with identity:

# ID token contains user identity claims
claims = {
    "sub": "user123",        # Subject (unique user ID)
    "email": "user@example.com",
    "name": "John Doe",
    "iat": 1234567890,       # Issued at
    "exp": 1234567890,       # Expiration
}

Implementation Checklist

Use authorization code flow with PKCE
Validate state parameter against CSRF
Verify ID token signature
Check token expiration
Implement secure token storage
Handle token refresh gracefully