ClawHub Skills Lib

OAuth — AI Agent Skill | Install, Stats & Docs | ClawHub Skills Lib

🔧 security-identity

OAuthv1.0.0

oauth

ivangdavila

Implement OAuth 2.0 and OpenID Connect flows securely.

latest

Download Package View on ClawHub

Installs (all time)

2

Installs (current)

2

Downloads

270

Stars

1

CreatedFeb 10, 2026

UpdatedFeb 25, 2026

Install & Quick Start

Install via ClawdBot CLI:

clawdbot install ivangdavila/oauth

Skill Package1 files

📋SKILL.mdmarkdown

Flow Selection

Authorization Code + PKCE: use for all clients—web apps, mobile, SPAs
Client Credentials: service-to-service only—no user context
Implicit flow: deprecated—don't use; was for SPAs before PKCE existed
Device Code: for devices without browsers (TVs, CLIs)—user authorizes on separate device

PKCE (Proof Key for Code Exchange)

Required for public clients (SPAs, mobile), recommended for all
Generate code_verifier: 43-128 char random string, stored client-side
Send code_challenge: SHA256 hash of verifier, sent with auth request
Token exchange includes code_verifier—server verifies against stored challenge
Prevents authorization code interception—attacker can't use stolen code without verifier

State Parameter

Always include state in authorization request—prevents CSRF attacks
Generate random, unguessable value; store in session before redirect
Verify returned state matches stored value before processing callback
Can also encode return URL or other context (encrypted or signed)

Redirect URI Security

Register exact redirect URIs—no wildcards, no open redirects
Validate redirect_uri on both authorize and token endpoints
Use HTTPS always—except localhost for development
Path matching is exact—/callback ≠ /callback/

Tokens

Access token: short-lived (minutes to hour), used for API access
Refresh token: longer-lived, used only at token endpoint for new access tokens
ID token (OIDC): JWT with user identity claims—don't use for API authorization
Don't send refresh tokens to resource servers—only to authorization server

Scopes

Request minimum scopes needed—users trust granular requests more
Scope format varies: openid profile email (OIDC), repo:read (GitHub-style)
Server may grant fewer scopes than requested—check token response
openid scope required for OIDC—triggers ID token issuance

OpenID Connect

OIDC = OAuth 2.0 + identity layer—adds ID token and UserInfo endpoint
ID token is JWT with sub, iss, aud, exp + profile claims
Verify ID token signature before trusting claims
nonce parameter prevents replay attacks—include in auth request, verify in ID token

Security Checklist

HTTPS everywhere—tokens in URLs must be protected in transit
Validate iss and aud in tokens—prevents token confusion across services
Bind authorization code to client—code usable only by requesting client
Short authorization code lifetime (10 min max)—single use
Implement token revocation for logout/security events

Common Mistakes

Using access token as identity proof—use ID token for authentication
Storing tokens in localStorage—vulnerable to XSS; prefer httpOnly cookies or memory
Not validating redirect_uri—allows open redirect attacks
Accepting tokens from URL fragment in backend—fragment never reaches server
Long-lived access tokens—use short access + refresh pattern

Token Endpoints

/authorize: user-facing, returns code via redirect
/token: backend-to-backend, exchanges code for tokens; requires client auth for confidential clients
/userinfo (OIDC): returns user profile claims; requires access token
/revoke: invalidates tokens; accepts access or refresh token

Client Types

Confidential: can store secrets (backend apps)—uses client_secret
Public: cannot store secrets (SPAs, mobile)—uses PKCE only
Never embed client_secret in mobile apps or SPAs—it will be extracted

🤖

AI Usage Analysis

Generated Mar 1, 2026

DevelopersSecurity Engineersintermediate

💡 Application Scenarios

Single-Page Application (SPA) User LoginTechnology/SaaS

A modern web application built with React or Angular needs secure user authentication. Use the Authorization Code flow with PKCE, as the SPA is a public client that cannot store secrets. Implement state parameters to prevent CSRF and store tokens in memory rather than localStorage to avoid XSS risks.

Mobile App Social Media IntegrationSocial Media/Entertainment

A mobile app requires users to log in via social platforms like Google or Facebook. Employ Authorization Code flow with PKCE for secure token exchange, as mobile apps are public clients. Ensure redirect URIs are registered exactly and use HTTPS in production to protect tokens during transit.

Service-to-Service API CommunicationFinance/E-commerce

A backend microservice needs to access another service's API without user interaction. Use the Client Credentials flow, as it is designed for machine-to-machine authentication. Securely store client secrets on the server and validate token audiences to prevent confusion across services.

Smart TV or IoT Device AuthorizationConsumer Electronics/IoT

A smart TV app requires user login but lacks a browser for input. Implement the Device Code flow, where the user authorizes on a separate device like a phone. Generate short-lived authorization codes and ensure secure token storage on the device to maintain security in limited environments.

Enterprise Identity Management with OIDCEnterprise/Healthcare

A large organization needs centralized authentication for multiple internal applications. Use OpenID Connect on top of OAuth 2.0 to issue ID tokens for user identity. Verify ID token signatures and include nonce parameters to prevent replay attacks, ensuring secure single sign-on across systems.

💼 Business Models

Subscription-Based SaaSRecurring subscription fees

Offer OAuth integration as a service for businesses needing secure authentication. Charge monthly or annual fees based on user volume or features like multi-factor authentication. This model provides recurring revenue and scales with client growth in sectors like e-commerce or fintech.

Consulting and Implementation ServicesProject-based or hourly fees

Provide expert consulting to help companies implement OAuth flows correctly, focusing on security best practices. Revenue comes from project-based fees or hourly rates, targeting industries with strict compliance needs such as finance or healthcare where secure authentication is critical.

Developer Tools and SDKsLicense sales or usage-based fees

Sell software development kits (SDKs) or libraries that simplify OAuth integration for developers. Monetize through one-time purchases or tiered licensing based on usage. This model appeals to tech startups and enterprises looking to reduce development time and ensure compliance.

💬 Integration Tip

Always validate redirect URIs exactly and use HTTPS to prevent open redirect attacks; for public clients like SPAs, implement PKCE to secure authorization code exchanges against interception.