oauth2-authentication_skill

This skill helps you securely implement OAuth2 and OpenID Connect across web, mobile, and API applications with best practices.
  • Shell

40

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill manutej/luxor-claude-marketplace --skill oauth2-authentication

  • README.md22.9 KB
  • SKILL.md67.9 KB

Overview

This skill provides a comprehensive guide and implementation patterns for OAuth2 and OpenID Connect authentication across web, mobile, and API environments. It focuses on secure authorization flows, token lifecycle management, PKCE, scope design, and practical security controls. The content is actionable and aimed at developers building modern authentication systems.

How this skill works

The skill explains each OAuth2 grant type (Authorization Code, Authorization Code with PKCE, Client Credentials, Device Flow, etc.), token formats (access, refresh, ID tokens), and validation steps for JWTs. It covers secure storage and rotation of tokens, redirect URI validation, state parameter usage for CSRF protection, and OpenID Connect identity token handling. Implementation recommendations include storage patterns for web, SPA, and mobile, plus server-side token validation and revocation strategies.

When to use it

  • Implementing user authentication in web apps, SPAs, or native mobile applications
  • Building API authorization and securing microservices with access/refresh tokens
  • Enabling machine-to-machine (M2M) authentication or CI/CD service access
  • Supporting input-constrained devices or CLI tools via the Device Authorization Flow
  • Adding social login, SSO, or an authorization server/identity provider
  • Migrating from session-based to token-based authentication or adding fine-grained scopes

Best practices

  • Prefer Authorization Code Flow with PKCE for public clients and Authorization Code Flow for confidential clients
  • Keep access tokens short-lived and use refresh token rotation and revocation for long-lived access
  • Store refresh tokens in secure storage (HttpOnly cookies on web, Keychain/Keystore on mobile); keep access tokens in memory when possible
  • Validate JWT signature, issuer, audience, and expiration on every request and never expose tokens in URLs or logs
  • Register exact redirect URIs, require HTTPS in production, and enforce strict state parameter validation to prevent CSRF
  • Request minimum scopes (least privilege) and document scope semantics for APIs

Example use cases

  • Server-side web app using Authorization Code Flow with server-held client secret and refresh tokens
  • Single Page Application using Authorization Code Flow with PKCE and a Backend-for-Frontend (BFF) to handle refreshes
  • Microservice-to-microservice calls using Client Credentials Flow with scoped machine tokens
  • Smart TV or CLI using Device Authorization Flow to obtain user consent on a separate device
  • Mobile app storing tokens in platform secure storage and using PKCE to protect the authorization code exchange

FAQ

Use PKCE for any public client that cannot securely store a client secret—SPAs, mobile and desktop apps—to prevent code interception attacks.

How should I store refresh tokens in an SPA?

Avoid storing refresh tokens in localStorage; use HttpOnly, Secure, SameSite cookies or move refresh logic to a backend (BFF) to minimize XSS exposure.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
oauth2-authentication skill by manutej/luxor-claude-marketplace | VeilStrat