auth-security

Solid

OAuth 2.1 + JWT authentication security best practices. Use when implementing auth, API authorization, token management. Follows RFC 9700 (2025).

AI & Automation 140 stars 15 forks Updated today MIT


Quality Score: 87/100

| Component | Weight | Score |
|---------------|--------|-------|
| Stars | 20% | 72 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Auth Security

## Core Principles

- **OAuth 2.1** — Follow RFC 9700 (January 2025)
- **PKCE Required** — All clients must use PKCE
- **Short-lived Tokens** — Access tokens expire in 5-15 minutes
- **Token Rotation** — Refresh tokens are single-use
- **HttpOnly Storage** — Browser tokens in HttpOnly cookies
- **Explicit Algorithm** — Never trust JWT header algorithm
- **No backwards compatibility** — Delete deprecated auth flows

---

## OAuth 2.1 Key Changes

### Deprecated Flows (DO NOT USE)

| Flow | Status | Replacement |
|------|--------|-------------|
| Implicit Grant | Removed | Authorization Code + PKCE |
| Password Grant | Removed | Authorization Code + PKCE |
| Auth Code without PKCE | Removed | Must use PKCE |

### Required: Authorization Code + PKCE

```typescript
import crypto from 'crypto';

// 1. Generate code verifier (43-128 chars)
function generateCodeVerifier(): string {
  return crypto.randomBytes(32).toString('base64url');
}

// 2. Generate code challenge
function generateCodeChallenge(verifier: string): string {
  return crypto
    .createHash('sha256')
    .update(verifier)
    .digest('base64url');
}

// 3. Authorization request
const verifier = generateCodeVerifier();
const challenge = generateCodeChallenge(verifier);

const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.search...
```
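The snippet above shows only the client half of Authorization Code + PKCE. The following is an added example, not code from the skill or from the claude-arsenal repository: it goes beyond the page's snippet to the authorization-server side (binding the S256 challenge to a one-time code and checking the verifier at the token endpoint), and then applies two of the principles listed above, a short-lived access token and a verifier that pins the JWT algorithm instead of trusting the header. It assumes an in-memory code store, a per-process HS256 key, a 10-minute token lifetime, and the function and parameter names shown; all of those are illustrative choices, not part of the original.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'crypto';

const ACCESS_TOKEN_TTL_SECONDS = 600;   // 10 minutes, inside the 5-15 minute band above
const CODE_TTL_MS = 60_000;             // authorization codes expire quickly as well
const SIGNING_KEY = randomBytes(32);    // assumption: per-process HS256 key for this demo

// Client side: the same derivation as the snippet above (RFC 7636, S256)
function generateCodeVerifier(): string {
  return randomBytes(32).toString('base64url');   // 43 base64url characters
}

function generateCodeChallenge(verifier: string): string {
  return createHash('sha256').update(verifier).digest('base64url');
}

// Authorization server side: what is remembered between /authorize and /token
interface PendingCode {
  challenge: string;
  clientId: string;
  redirectUri: string;
  subject: string;
  expiresAt: number;
}
const pendingCodes = new Map<string, PendingCode>();   // in-memory store, demo only

// Called after the user has authenticated at /authorize; returns the one-time code
function issueAuthorizationCode(
  req: { clientId: string; redirectUri: string; subject: string; codeChallenge: string; codeChallengeMethod: string },
  now: number = Date.now(),
): string {
  // OAuth 2.1 permits only S256; "plain" (or a missing method) is refused up front
  if (req.codeChallengeMethod !== 'S256') throw new Error('invalid_request: code_challenge_method must be S256');
  // A base64url-encoded SHA-256 digest is exactly 43 characters
  if (!/^[A-Za-z0-9_-]{43}$/.test(req.codeChallenge)) throw new Error('invalid_request: malformed code_challenge');
  const code = randomBytes(32).toString('base64url');
  pendingCodes.set(code, {
    challenge: req.codeChallenge,
    clientId: req.clientId,
    redirectUri: req.redirectUri,
    subject: req.subject,
    expiresAt: now + CODE_TTL_MS,
  });
  return code;
}

// /token: the code is consumed exactly once, then the verifier is checked against the stored challenge
function exchangeCode(
  req: { code: string; codeVerifier: string; clientId: string; redirectUri: string },
  now: number = Date.now(),
): { accessToken: string; expiresIn: number } {
  const pending = pendingCodes.get(req.code);
  pendingCodes.delete(req.code);   // single use, whether or not the rest of the exchange succeeds
  if (!pending || now > pending.expiresAt) throw new Error('invalid_grant: unknown or expired code');
  if (pending.clientId !== req.clientId || pending.redirectUri !== req.redirectUri) {
    throw new Error('invalid_grant: client_id or redirect_uri does not match');
  }
  // RFC 7636 verifier alphabet and length (43-128 characters)
  if (!/^[A-Za-z0-9._~-]{43,128}$/.test(req.codeVerifier)) throw new Error('invalid_grant: malformed code_verifier');
  const expected = Buffer.from(pending.challenge);
  const actual = Buffer.from(generateCodeChallenge(req.codeVerifier));
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    throw new Error('invalid_grant: PKCE verification failed');
  }
  return { accessToken: signAccessToken(pending.subject, now), expiresIn: ACCESS_TOKEN_TTL_SECONDS };
}

// Short-lived HS256 access token (hand-rolled here only to keep the example dependency-free)
function b64urlJson(obj: object): string {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

function signAccessToken(subject: string, now: number = Date.now()): string {
  const nowSec = Math.floor(now / 1000);
  const header = b64urlJson({ alg: 'HS256', typ: 'JWT' });
  const payload = b64urlJson({ sub: subject, iat: nowSec, exp: nowSec + ACCESS_TOKEN_TTL_SECONDS });
  const sig = createHmac('sha256', SIGNING_KEY).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// Explicit algorithm: the header's alg is read only to reject anything but the one algorithm we issue
function verifyAccessToken(token: string, now: number = Date.now()): { sub: string; exp: number } {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('invalid_token: malformed');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('invalid_token: unexpected alg');
  const expected = createHmac('sha256', SIGNING_KEY).update(`${h}.${p}`).digest();
  const actual = Buffer.from(s, 'base64url');
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    throw new Error('invalid_token: bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || Math.floor(now / 1000) >= claims.exp) throw new Error('invalid_token: expired');
  return claims;
}
```

The two comparisons use `timingSafeEqual` so that neither the PKCE check nor the signature check leaks a prefix match through timing, and the code is deleted from the store before any validation runs so that a failed exchange cannot be retried. Replacing the in-memory `Map` with a database and the HS256 key with an asymmetric key in a KMS is what changes in production; the checks themselves stay the same.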

Details

Author
majiayu000
Repository
majiayu000/claude-arsenal
Created
5 months ago
Last Updated
today
Language
Python
License
MIT

Integrates with

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Listed

security-auth

Authentication and authorization patterns for secure access control. Use when: (1) Implementing JWT authentication, (2) OAuth2/OIDC integration, (3) Building RBAC/ABAC systems, (4) Session management, (5) MFA implementation. Auto-detects: auth, jwt, oauth, oidc, rbac, abac, permission, session, token, refresh, login, password, mfa, 2fa

0 Updated today
murtazatouqeer
AI & Automation Listed

auth-patterns

Design authentication and authorization systems — JWT lifecycle, OAuth 2.0 / OIDC flows, token storage, refresh strategy, RBAC and ABAC permission models. Use when asked about "login flow", "JWT", "OAuth", "refresh token", "access control", "permissions", "RBAC", "who can see what", or "auth is broken". Do NOT use for: session-based auth vs token trade-off analysis (that's an architecture decision) or security penetration testing (use `red-team-check`).

3 Updated today
phamlongh230-lgtm
AI & Automation Listed

security-patterns

Implements authentication, authorization, encryption, secrets management, and security hardening patterns. Use when designing auth flows, managing secrets, configuring CORS, implementing rate limiting, or when asked about JWT, OAuth, password hashing, API keys, RBAC, or security best practices.

1,364 Updated 3 months ago
CloudAI-X
API & Backend Solid

api-authentication

Secure API authentication with JWT, OAuth 2.0, API keys. Use for authentication systems, third-party integrations, service-to-service communication, or encountering token management, security headers, auth flow errors.

160 Updated 2 weeks ago
secondsky
AI & Automation Listed

auth-implementation-patterns

Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.

1 Updated today
Mohammadibrahim55