From ooiyeefei-ccc
Blueprints shared identity with per-app access control across a family of apps. Use for cross-subdomain SSO, central entitlement database, or onboarding new apps into a shared-auth family.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ooiyeefei-ccc:cross-app-shared-authThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
A repeatable blueprint for connecting a family of apps to **one shared identity** plus **one central accounts database**, so:
A repeatable blueprint for connecting a family of apps to one shared identity plus one central accounts database, so:
Use it two ways: to stand up the platform the first time, and to onboard each new app after that. When onboarding, follow the sequence in references/onboarding-checklist.md step by step.
Identity is shared. Entitlement is per app. These are two independent layers, and conflating them is the mistake that causes almost every problem in this space.
So "one login" and "you only get into the apps you have actually turned on" are not in tension. They are the intended combination.
Two slots, chosen independently:
| Slot | Job | Examples |
|---|---|---|
| Identity provider | issue one shared user id, handle sign in / sign up | Clerk, Supabase Auth, Auth0, Firebase Auth |
| Central accounts store | hold per-app access records, keyed on the shared user id | Convex, Postgres, MySQL, any DB |
The database vendor is free per app. The only hard rule: apps that share one identity must share one identity provider instance, so the user id is common and joins everything.
Read references/architecture.md for the full picture with a diagram.
a.example.com and b.example.com share it),references/examples.md: an app_access table (the whitelist), a users table (the identity link), and server-side functions getAccess, activateApp, listMyApps, ensureUser, all keyed on the shared user id and all deny-by-default.If any of these is missing, build it first. Everything else assumes they exist.
This is the heart of the skill. When adding an app to the family, do these in order. The full checklist with commands and gotchas is in references/onboarding-checklist.md.
authorizedParties to its own origin (see the security note below).getToken({ template: "<name>" })), not the bare session token, so the token carries the audience the store checks and the central DB resolves the same user id. Confirm that template, and one for the app's own backend if it differs, exist in the platform's template registry first (guardrail 3); if the app is the first on a new backend, add its template before wiring. Call the central functions by reference, since the app repo does not have the central DB's generated types.ensureUser and activateApp("<this-app-slug>") as independent best-effort calls (one failing must not veto the other, guardrail 8), and make the "first authenticated use" guard durable, not an in-memory flag (guardrail 9). Check getAccess("<this-app-slug>") where you gate. Keep the app's own tier, quota, credits, and billing in the app's own database, never in the central store.references/onboarding-checklist.md).activateApp fires on sign in and writes a record, and that a signed-out user is gated.A user can join the family from either direction, and both must end up recorded in the central accounts DB under the same shared identity. Support both:
Path A, from the central landing page or portal. The user signs up on the hub, then consciously enables apps (an explicit toggle that calls activateApp). This is discovery: the user opts into apps they have not tried yet.
Path B, from inside an app. The user discovers an app directly (for example lands on app.example.com), signs up there, and the app auto-activates on first authenticated use: it calls ensureUser then activateApp("<slug>"). This populates the central DB with this user and this app enabled, without the user visiting the hub first.
Because identity is shared, both paths create or reuse the same account and the same user id. There is no "app account" separate from a "hub account." The central app_access records simply accrue: one row per app the user has joined, from whichever direction.
Read references/entitlement-model.md for how activation, deny-by-default, tiers, and existing-user migration fit together.
These are the failure modes that are easy to miss. Explain them, do not just assert them.
Deny-by-default versus existing users. Be precise about which layer "deny-by-default" governs. Unauthenticated requests are always denied at the backend, no exceptions. Authenticated-but-no-row is a policy choice, not a fixed rule: if an app switches this to hard deny while the central DB is empty, every existing user is locked out, because none of them have a record yet. For a live app, use auto-activate on first authenticated use (grandfather + record). Reserve an explicit "enable this app?" gate for the hub, where users opt into apps they have never used. State the chosen policy in the app's record block so a reviewer is not left guessing which layer applies. See references/entitlement-model.md.
Shared-cookie security (authorizedParties). When apps share a session cookie across subdomains, each app's backend must verify that a token was minted for its own origin. Otherwise a compromised sibling subdomain can replay the shared session against another app's API. Pin the allowed origin per app. This is non-negotiable for a subdomain family.
The token audience, and why the shared session token must stay clean. This is the single most common silent failure, so learn the mechanism rather than memorizing a fix. The central store verifies an incoming token by checking that the token's audience claim (aud) matches the audience the store is configured to accept (in some stores this config field is literally applicationID). The generic session token an identity provider issues has no aud, so it matches no provider and the store rejects it. Typical symptoms: the store returns "no auth provider found matching the given token," calls read as unauthenticated, quota or data is "unavailable," or a portal hangs on "loading" forever.
The fix is a per-service token template, not a global patch. Define a named token template on the shared provider that stamps the audience the central store expects, and have the app request that template when it talks to the store (for example getToken({ template: "<name>" })) instead of sending the bare session token. Then only tokens bound for the central store carry that audience.
Do not solve this by adding the store's audience to the shared session token. That token is every app's generic identity token, so stamping one service's audience onto it makes every app claim "I am for that service," and any other app whose backend validates a different audience then breaks: a Supabase backend expects aud="authenticated", an API gateway JWT authorizer expects its own configured audience, an identity-aware proxy expects its own. One clean session token with no service audience, plus one template per backend, is what keeps a multi-database portfolio correct. The per-service template table is in references/architecture.md.
Two things still break after the template exists, both from the same cause: template claims are configured per identity-provider instance and do not migrate. A freshly created or production instance can have the template by name yet emit none of its claims, so a token mints fine (HTTP 200) but carries no aud and no profile fields. So (a) verify by decoding a real token on the instance you actually use, not by trusting the dashboard: confirm it carries aud and every claim your central functions read. And (b) do not let a central function hard-require a claim the template might not emit: a function that throws when, say, email is absent will fail on every call even though auth itself is fine. Read profile claims as optional (best-effort), or guarantee the template emits them, or both.
Think of the shared provider as hosting a registry of templates, one per distinct token audience. When a backend checks a fixed audience (a store that always wants aud="<store>"), one template is reused by every project on that backend, so add it once. When the audience is tied to a specific resource (an identity-aware proxy whose audience is that resource's own id), you need one template per resource. When onboarding, check the registry for the app's backend: if a template exists, request it; if not (a new backend, or a new per-resource audience), adding it is a one-time step, do it or prompt for it and record it before wiring the app. An agent that assumes a template already exists will hit the silent rejection above. And note that some backends integrate via a native provider integration rather than a hand-rolled template, and these methods change, so follow the backend's current integration guide, not a remembered recipe. Such an integration sometimes adds a claim to the session token itself (for example a role), a deliberate exception to the keep-it-clean rule that is safe only for a non-audience claim other backends ignore. Never let it place an aud on the session token: a role is inert to a backend that keys on aud, an audience is not. When auditing an app that uses a native integration, confirm which claim it adds and that it is not an audience.
Production keys are domain-locked. Many providers lock production keys to the production domain and its subdomains, so they do not work on localhost. Use the shared provider's development keys for local work, and production keys only on the real domain. Plan verification accordingly (a full click-through may need the deployed domain).
Env var name collisions. Each app has its own database plus the shared accounts database. If both use the same variable name for their URL, one clobbers the other. Give the shared accounts URL a distinct name (for example <PLATFORM>_ACCOUNTS_DB_URL) that never overlaps the app's own.
Subdomain versus separate domain. Silent SSO via a shared cookie only spans subdomains of one parent domain. An app on a different root domain cannot share the cookie or the user id automatically. Either give it its own identity instance (an independent island, no shared account) or bridge it deliberately (many providers charge for cross-domain SSO). Make this a conscious choice, and name the tradeoff.
Entitlement truth stays local. The central store holds the thin "which apps" index and access status. Real tier, quota, credits, and billing live in each app's own database (the system of record). Duplicating a balance centrally creates a second source of truth that drifts. Push only a usage summary up, if you need a cross-app dashboard.
Best-effort central calls: isolate them, and probe after deploy. Wrap each central call on its own so one broken function never vetoes the others (a failing ensureUser must not swallow activateApp). Failing open on a central error is reasonable for a live app, so a central outage does not lock everyone out. But fail-open has a trap: it makes a broken central function look identical to success, so a regression can persist silently with zero rows written and zero user-visible symptoms. If you fail open, you must pair it with a post-deploy probe that reads back a row you just wrote. Step 7's row check is not optional for this reason. Isolation means each call in its own catch: two sequential awaits under a single try/catch is not isolation, because the first throw skips the second. When auditing, a shared try/catch around both calls is a FAIL, not a pass for "has error handling."
"Fire once per session" must be durable, not in-memory. On serverless or multi-instance hosts, a module-level or in-memory flag is per-instance: a different instance answers the next request and the guard silently does not hold, so users get bounced or activation is skipped depending on which instance replies. Use a durable marker (a cookie, a claim in the token, or a short-TTL shared cache), and keep the central activate call idempotent so a missed guard is harmless anyway. A subtler version of the same bug: a dev stub or fallback (an in-memory whitelist used when the central store is unconfigured), gated on an env var, will silently run in production if that var is unset, reintroducing per-instance state and recording nothing centrally, while fail-open (guardrail 8) hides it. A non-durable fallback must hard-refuse under production (throw at init or return an error), never degrade quietly. Two refinements for auditing this: the real test is not "is the guard durable" but "is a missed guard harmless" — a client-side or in-memory guard is fine when the central call is an idempotent upsert (a reload just re-upserts), so do not fail a client-side guard that idempotency already makes safe. And an app that builds no fallback at all (it throws when the store URL is unset) fails closed, which is safe: score that N-A or PASS, not FAIL.
Separate backends: never trust client-supplied identity headers. If an app forwards identity to its own backend service (a header like X-User-Id), the edge that verifies the token must set that header from the verified token and strip any copy the client sent. Otherwise a caller spoofs identity by sending the header themselves. authorizedParties does not cover this, because it checks the token's origin, not headers riding alongside it.
A token forwarded through the app's own backend must be the template token. A common shape the direct-client model misses: the client sends one token to the app's own API, which verifies it and then forwards that same token onward to the central store (and often to the app's own backend store too). One token must satisfy every hop, and the hops check different things: the app's own boundary may verify the origin (azp), while the store verifies the audience (aud). The bare session token carries azp but no aud, so it clears the boundary and is then silently rejected by the store, which reads like the boundary is fine and the store is broken. Forward the template token (getToken({ template: "<store>" })): it carries the store's aud and the same azp, so it satisfies both hops at once. When you audit this topology, decode the token as it arrives at the store (after the hop), not as the client mints it, and confirm the forwarding backend does not swap in or downgrade it.
The same model runs in reverse to audit an app that is already wired, not just to build one. Audit against the current guardrail set and the canonical record block, not whatever local copy the app happens to hold: a stale local record block or a lagging contract-version pointer is itself finding number one, because an auditor who trusts it silently skips every newer check. Score each line PASS / FAIL / N-A with file:line evidence.
Grade the evidence; do not treat every check as binary. Many checks depend on runtime state (a live token, a real request) that a repo or CI audit cannot produce, so name the grade you reached:
Checks:
authorizedParties, env names, local-truth: grep for the values and cite where they resolve. Confirm each required env var is set in the deploy environment, not only in .env.example or a local file: a value that lives only in the example file no-ops or throws once deployed.aud equals the store's configured audience, and it carries every claim the central functions read). If you cannot mint one offline, drop to PASS-observed (a written row proves the audience matched) or NEEDS-RUNTIME (code requests the right template). Never infer a PASS from config alone. If the app forwards the token through its own backend, decode it as it arrives at the store (after the hop) and confirm the backend forwards the template token, not the bare session token (guardrail 11).aud is the resource id), confirm the template exists in the registry, and confirm the app requests it. A new backend with no template, or a per-resource backend missing a resource's template, is a finding.getAccess) for a known user. (2) does the app ship a standing post-deploy probe that re-checks automatically? A one-time manual read passes (1) but not (2), and a fail-open integration (guardrail 8) needs (2).Tag every finding with three fields so it triages correctly: owner (app or platform), severity, and blocks-ship? A platform-owned, already-mitigated issue is not an app blocker, and without the tag it reads like one. Report each with its minimal fix. This mode is also how you re-verify the whole family after any platform-contract change.
references/architecture.md: the full architecture with a diagram, the identity-versus-entitlement split, and where each piece of data lives.references/onboarding-checklist.md: the copy-paste per-app checklist (prerequisites, wiring, env vars, deploy, verify), including a short block each app repo can keep as its own record.references/entitlement-model.md: activation flow, deny-by-default, the two sign-up paths, existing-user migration, and tiers.references/examples.md: sanitized, framework-neutral code snippets (accounts schema, the accounts API, the gate and auto-activate, the per-app env checklist).Adapt every example to the identity provider and databases actually in use. The pattern is the point, not any single vendor.
npx claudepluginhub ooiyeefei/cccProvides expert patterns for Clerk auth implementation including middleware, organizations, webhooks, and user sync. Activates when authentication, sign in/up, user management, multi-tenancy, SSO, or OAuth are mentioned.
Covers authentication and authorization patterns: JWT, OAuth2, sessions, RBAC, ABAC, passkeys, MFA. Use for implementing login flows, token management, and access control.
Analyzes authentication and authorization patterns (OAuth2, JWT, RBAC/ABAC, MFA), audits security posture against OWASP, and recommends improvements for token lifecycle, permission models, and multi-factor authentication.