oauth
OAuth Skill
This skill provides guidance for OAuth 2.0 and OpenID Connect implementations.
OAuth 2.0 Flows
Authorization Code Flow (Recommended for web apps)
1. User → App: Click "Login with Google"
2. App → Auth Server: Redirect with client_id, redirect_uri, scope
3. User → Auth Server: Authenticate and consent
4. Auth Server → App: Redirect with authorization code
5. App → Auth Server: Exchange code for tokens
6. Auth Server → App: Access token + refresh token
PKCE Extension (Required for SPAs/mobile)
# Generate code verifier and challenge
code_verifier = secrets.token_urlsafe(32)
code_challenge = base64url(sha256(code_verifier))
# Include in authorization request
params = {
"code_challenge": code_challenge,
"code_challenge_method": "S256",
}
Token Management
@dataclass
class TokenSet:
access_token: str
refresh_token: str
expires_at: datetime
token_type: str = "Bearer"
async def refresh_tokens(refresh_token: str) -> TokenSet:
# Exchange refresh token for new access token
pass
Security Best Practices
- Always use HTTPS
- Use PKCE for public clients
- Validate redirect URIs strictly
- Store tokens securely (HttpOnly cookies or secure storage)
- Implement token rotation
- Set appropriate scopes (principle of least privilege)
OpenID Connect
Extends OAuth 2.0 with identity:
# ID token contains user identity claims
claims = {
"sub": "user123", # Subject (unique user ID)
"email": "user@example.com",
"name": "John Doe",
"iat": 1234567890, # Issued at
"exp": 1234567890, # Expiration
}
Implementation Checklist
- Use authorization code flow with PKCE
- Validate state parameter against CSRF
- Verify ID token signature
- Check token expiration
- Implement secure token storage
- Handle token refresh gracefully
More from jpoutrin/product-forge
rfc-specification
RFC (Request for Comments) specification writing with objective technical analysis. Use when creating technical specifications, design documents, or architecture proposals that require structured evaluation of options and trade-offs.
10generate-tasks
Convert PRD to structured task list with automatic linking
6brainstorm-solution
Structured brainstorming for technical solutions
5typescript-import-style
Merge-friendly import formatting (one-per-line, alphabetical). Auto-loads when writing TypeScript/JavaScript imports to minimize merge conflicts in parallel development. Enforces consistent grouping and sorting.
5typescript-code-review
TypeScript and React code review guidelines (type safety, React patterns, performance). Auto-loads when reviewing TypeScript/React code.
5zod
Zod schema validation patterns and type inference. Auto-loads when validating schemas, parsing data, validating forms, checking types at runtime, or using z.object/z.string/z.infer in TypeScript.
5