oauth

jpoutrin/oauth

Security

About

SKILL.md

OAuth Skill

This skill provides guidance for OAuth 2.0 and OpenID Connect implementations.

OAuth 2.0 Flows

Authorization Code Flow (Recommended for web apps)

1. User → App: Click "Login with Google"
2. App → Auth Server: Redirect with client_id, redirect_uri, scope
3. User → Auth Server: Authenticate and consent
4. Auth Server → App: Redirect with authorization code
5. App → Auth Server: Exchange code for tokens
6. Auth Server → App: Access token + refresh token

PKCE Extension (Required for SPAs/mobile)

# Generate code verifier and challenge
code_verifier = secrets.token_urlsafe(32)
code_challenge = base64url(sha256(code_verifier))

# Include in authorization request
params = {
    "code_challenge": code_challenge,
    "code_challenge_method": "S256",
}

Token Management

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: datetime
    token_type: str = "Bearer"

async def refresh_tokens(refresh_token: str) -> TokenSet:
    # Exchange refresh token for new access token
    pass

Security Best Practices

Always use HTTPS
Use PKCE for public clients
Validate redirect URIs strictly
Store tokens securely (HttpOnly cookies or secure storage)
Implement token rotation
Set appropriate scopes (principle of least privilege)

OpenID Connect

Extends OAuth 2.0 with identity:

# ID token contains user identity claims
claims = {
    "sub": "user123",        # Subject (unique user ID)
    "email": "user@example.com",
    "name": "John Doe",
    "iat": 1234567890,       # Issued at
    "exp": 1234567890,       # Expiration
}

Implementation Checklist

Use authorization code flow with PKCE
Validate state parameter against CSRF
Verify ID token signature
Check token expiration
Implement secure token storage
Handle token refresh gracefully

SKILL.md

OAuth Skill

This skill provides guidance for OAuth 2.0 and OpenID Connect implementations.

OAuth 2.0 Flows

Authorization Code Flow (Recommended for web apps)

1. User → App: Click "Login with Google"
2. App → Auth Server: Redirect with client_id, redirect_uri, scope
3. User → Auth Server: Authenticate and consent
4. Auth Server → App: Redirect with authorization code
5. App → Auth Server: Exchange code for tokens
6. Auth Server → App: Access token + refresh token

PKCE Extension (Required for SPAs/mobile)

# Generate code verifier and challenge
code_verifier = secrets.token_urlsafe(32)
code_challenge = base64url(sha256(code_verifier))

# Include in authorization request
params = {
    "code_challenge": code_challenge,
    "code_challenge_method": "S256",
}

Token Management

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: datetime
    token_type: str = "Bearer"

async def refresh_tokens(refresh_token: str) -> TokenSet:
    # Exchange refresh token for new access token
    pass

Security Best Practices

Always use HTTPS
Use PKCE for public clients
Validate redirect URIs strictly
Store tokens securely (HttpOnly cookies or secure storage)
Implement token rotation
Set appropriate scopes (principle of least privilege)

OpenID Connect

Extends OAuth 2.0 with identity:

# ID token contains user identity claims
claims = {
    "sub": "user123",        # Subject (unique user ID)
    "email": "user@example.com",
    "name": "John Doe",
    "iat": 1234567890,       # Issued at
    "exp": 1234567890,       # Expiration
}

Implementation Checklist

Use authorization code flow with PKCE
Validate state parameter against CSRF
Verify ID token signature
Check token expiration
Implement secure token storage
Handle token refresh gracefully