oauth

OAuth 2.0 authorization framework. Use for authorization.

7 stars

Best use case

oauth is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using oauth should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/oauth/SKILL.md --create-dirs "https://raw.githubusercontent.com/G1Joshi/Agent-Skills/main/skills/security/oauth/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/oauth/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How oauth Compares

| Feature / Agent         | oauth         | Standard Approach |
| :---------------------- | :------------ | :---------------- |
| Platform Support        | Not specified | Limited / Varies  |
| Context Awareness       | High          | Baseline          |
| Installation Complexity | Unknown       | N/A               |

Frequently Asked Questions

What does this skill do?

OAuth 2.0 authorization framework. Use for authorization.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OAuth 2.1

OAuth 2.1 is the consolidation of OAuth 2.0 and its best practices into a single standard. It lets a third-party application obtain limited access to an HTTP service, with the resource owner's approval mediated by an authorization server.

## When to Use

- **Social Login**: "Log in with Google/Facebook".
- **Third-Party Access**: Giving a budgeting app access to your bank APIs.
- **Microservices**: Service A accessing Service B on behalf of a user.

## Quick Start (Authorization Code Flow with PKCE)

```javascript
// Client (Frontend) - redirect to Auth Server.
// CLIENT_ID, REDIRECT_URI, pkceVerifier and pkceChallenge are assumed to exist.
// The verifier must survive the full-page redirect, so keep it in sessionStorage
// (never send it on the /authorize request; only the challenge goes there).
sessionStorage.setItem("pkce_verifier", pkceVerifier);
const authParams = new URLSearchParams({
  response_type: "code",
  client_id: CLIENT_ID,
  redirect_uri: REDIRECT_URI,
  scope: "read:profile",
  code_challenge: pkceChallenge,
  code_challenge_method: "S256",
});
window.location.href = `https://auth.example.com/authorize?${authParams}`;

// Callback (Handling the redirect)
const code = new URLSearchParams(window.location.search).get("code");
// The token endpoint takes application/x-www-form-urlencoded parameters
// (RFC 6749 §4.1.3), not a JSON body.
const tokenResponse = await fetch("https://auth.example.com/token", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    code_verifier: sessionStorage.getItem("pkce_verifier"), // Proof Key
  }),
});
sessionStorage.removeItem("pkce_verifier"); // single use
```

## Core Concepts

### Roles

- **Resource Owner**: The User.
- **Client**: The App (Web, Mobile, Server).
- **Authorization Server**: The Identity Provider (Auth0, Okta, Google).
- **Resource Server**: The API holding the data.

### PKCE (Proof Key for Code Exchange)

Now **Mandatory** in OAuth 2.1 for all clients (public and confidential). It prevents authorization code interception attacks: the client sends a hash (`code_challenge`) of a random secret (`code_verifier`) when requesting the code, and must present the secret itself when redeeming it, so an intercepted code alone cannot be exchanged for tokens.

### Grants (Flows)

- **Authorization Code**: The standard flow (Web/Mobile).
- **Client Credentials**: Machine-to-Machine (No user).
- **Device Code**: TV/Input-constrained devices.
- **Implicit Grant**: **REMOVED** (Insecure). Do not use.
- **Password Grant**: **REMOVED** (Insecure). Do not use.

## Best Practices (2025)

**Do**:

- Use **Authorization Code Flow with PKCE** for everything.
- Validate **Exact Redirect URIs** (No wildcards).
- Use **Sender-Constrained Tokens** (DPoP or mTLS) to prevent token replay/theft.

**Don't**:

- Don't use the Implicit Grant (access token in URL fragment).
- Don't store Access Tokens in `localStorage` (XSS risk). Use HttpOnly cookies or memory.

## Troubleshooting

| Error                   | Cause                        | Solution                          |
| :---------------------- | :--------------------------- | :-------------------------------- |
| `invalid_grant`         | Code expired or reused.      | Get a new authorization code.     |
| `redirect_uri_mismatch` | URI doesn't match allowlist. | Check dashboard settings exactly. |

## References

- [OAuth 2.1 Draft](https://oauth.net/2.1/)
- [OAuth 2.0 Simplified](https://aaronparecki.com/oauth-2-simplified/)