Implements OAuth 2.0/OpenID Connect flows (Authorization Code + PKCE, Client Credentials, Refresh) for web/SPA/service auth. Express.js examples; Flask/Spring refs.
npx claudepluginhub secondsky/claude-skills --plugin oauth-implementation
How this skill is triggered — by the user, by Claude, or both
Slash command
/oauth-implementation:oauth-implementation
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Implement OAuth 2.0 and OpenID Connect for secure authentication.
Provides OAuth 2.0 and OpenID Connect implementation patterns, including the authorization code flow, PKCE, token management, security best practices, and checklists for authentication with Google and GitHub providers.
Implements OAuth 2.0 authorization code + PKCE flow with security best practices: exact redirect URI matching, short-lived tokens, state parameter CSRF protection, and deprecation of implicit grant.
Configures OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. Covers flow selection, PKCE implementation, token lifecycle, and OAuth 2.1 security best practices.
Implement OAuth 2.0 and OpenID Connect for secure authentication.
| Flow | Use Case |
|---|---|
| Authorization Code | Web apps (most secure) |
| Authorization Code + PKCE | SPAs, mobile apps |
| Client Credentials | Service-to-service |
| Refresh Token | Session renewal |
const crypto = require('crypto');
const express = require('express');
const jwt = require('jsonwebtoken');
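// Step 1: Redirect to authorization
// Starts the authorization-code flow: stores a one-time `state` (CSRF token)
// and a PKCE verifier in the session, then redirects to the provider with the
// state and the SHA-256 code challenge (RFC 7636, method S256).
// `app` (an Express app with session middleware) and `PROVIDER_URL` are
// assumed to be defined elsewhere in this file — confirm before reuse.
app.get('/auth/login', (req, res) => {
  // Per-login CSRF token; the callback must echo it back unchanged.
  const state = crypto.randomBytes(16).toString('hex');
  // Only the challenge leaves the server; the verifier is kept server-side
  // until the token exchange.
  const { verifier, challenge } = generatePKCE();
  req.session.oauthState = state;
  req.session.pkceVerifier = verifier;
  const params = new URLSearchParams({
    client_id: process.env.CLIENT_ID,
    redirect_uri: process.env.REDIRECT_URI,
    response_type: 'code',
    scope: 'openid profile email',
    state,
    code_challenge: challenge,
    code_challenge_method: 'S256',
  });
  res.redirect(`${PROVIDER_URL}/authorize?${params}`);
});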
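// Step 2: Handle callback
// Validates the echoed `state`, rejects provider-reported errors, exchanges the
// authorization code for tokens (adding the PKCE verifier when the login step
// stored one) and fails closed on transport or HTTP errors from the token
// endpoint. `app` and `PROVIDER_URL` are assumed to be defined elsewhere.
app.get('/auth/callback', async (req, res) => {
  const { state, code, error: providerError } = req.query;
  const expectedState = req.session.oauthState;
  const verifier = req.session.pkceVerifier;
  // Both values are single-use: clear them before validating so a replayed
  // or duplicated callback cannot reuse them.
  delete req.session.oauthState;
  delete req.session.pkceVerifier;
  // Type checks matter: query values may be arrays/objects, and an absent
  // session value must never compare equal to an absent query value.
  if (
    typeof state !== 'string' ||
    typeof expectedState !== 'string' ||
    state !== expectedState
  ) {
    return res.status(400).json({ error: 'Invalid state' });
  }
  // The provider signals denial via ?error=...; never treat that as success.
  if (providerError !== undefined) {
    return res.status(400).json({ error: 'Authorization failed' });
  }
  if (typeof code !== 'string' || code === '') {
    return res.status(400).json({ error: 'Missing authorization code' });
  }
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: process.env.REDIRECT_URI,
    client_id: process.env.CLIENT_ID,
    client_secret: process.env.CLIENT_SECRET,
  });
  // Sent only when the login step used PKCE (keeps this handler usable alone).
  if (typeof verifier === 'string') {
    body.set('code_verifier', verifier);
  }
  let tokens;
  try {
    const tokenResponse = await fetch(`${PROVIDER_URL}/token`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    });
    if (!tokenResponse.ok) {
      // Do not relay the provider's error body to the browser.
      return res.status(502).json({ error: 'Token exchange failed' });
    }
    tokens = await tokenResponse.json();
  } catch (err) {
    // Express (before v5) does not forward async rejections to error
    // middleware, so an unreachable endpoint or malformed JSON must be
    // handled here to avoid a hung request.
    return res.status(502).json({ error: 'Token endpoint unavailable' });
  }
  // Store tokens securely and create session
});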
/**
 * Builds a PKCE pair (RFC 7636): a random 32-byte verifier encoded as
 * base64url and its S256 challenge (base64url of SHA-256 over the verifier).
 *
 * @returns {{ verifier: string, challenge: string }} fresh verifier/challenge pair
 */
function generatePKCE() {
  const verifier = crypto.randomBytes(32).toString('base64url');
  const sha256 = crypto.createHash('sha256');
  sha256.update(verifier);
  const challenge = sha256.digest('base64url');
  return { verifier, challenge };
}
See references/python-java.md for: