
oauth-audit

Use when auditing OAuth 2.0 / OIDC implementations against RFC 9700 (OAuth Security BCP), reviewing client or authorization-server code, evaluating PKCE / state / redirect-URI handling, hardening token exchange and refresh flows, or triaging suspected OAuth vulnerabilities (CWE-352 CSRF, CWE-287 broken auth).
Lu1sDV/skillsmd · ★ 1 · API & Backend · score 62
Install: claude install-skill Lu1sDV/skillsmd
# OAuth 2.0 / OIDC Security Audit

Formal review workflow for OAuth 2.0 and OpenID Connect implementations. Maps every finding to a normative source (RFC 9700 §, OWASP, CWE) and produces a severity-rated report — not a generic "best practices" summary.

## Quick Reference

| What | Details |
|------|---------|
| **Primary spec** | [RFC 9700](https://www.rfc-editor.org/rfc/rfc9700.txt) — OAuth 2.0 Security Best Current Practice (Jan 2025) |
| **Adjacent specs** | RFC 6749 (core), RFC 6750 (bearer token usage), RFC 7636 (PKCE), RFC 9207 (`iss` response parameter, mix-up defence), RFC 8414 (AS metadata), RFC 7009 (token revocation) |
| **OWASP** | A07:2025 Authentication Failures, A01:2025 Broken Access Control |
| **CWE** | CWE-352 (CSRF), CWE-287 (improper authentication), CWE-601 (open redirect), CWE-384 (session fixation) |
| **Deprecated grants** | Implicit (`response_type=token`), Resource Owner Password Credentials |
| **Always required for public clients** | PKCE with `S256` (never `plain`) |
| **Mix-up defence** | RFC 9207 `iss` parameter or per-AS distinct redirect URIs |

## When to Use

- Reviewing an OAuth/OIDC client integration (login-with-Google/GitHub/Azure, mobile, SPA, CLI)
- Auditing an authorization-server or resource-server implementation
- Triaging a suspected OAuth-related vulnerability or incident
- Hardening token storage, refresh-token rotation, or scope handling
- Pre-launch security gate before exposing a new OAuth client publicly

**When NOT to use:**

- Pure session-cookie auth without OAuth — use a generi
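The controls the quick reference singles out (PKCE `S256`, `state` binding, the `iss` mix-up defence, exact redirect-URI matching) as runnable reference checks. This is an added example, not code from the oauth-audit skill or from Lu1sDV/skillsmd; `PendingAuth`, `check_authorization_response`, `redirect_uri_allowed`, the finding strings and the sample callback URLs are this example's own, constructed for illustration. The PKCE test vector is the one published in RFC 7636 Appendix B.

```python
"""Added example (not part of the oauth-audit skill): reference checks for
PKCE S256 (RFC 7636), state binding (RFC 9700 s4.7 / CWE-352), the iss
mix-up defence (RFC 9207, RFC 9700 s4.4) and redirect-URI matching (RFC 9700 s4.1).
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


def b64url_nopad(raw: bytes) -> str:
    # BASE64URL without '=' padding (RFC 7636 Appendix A)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_s256_challenge(code_verifier: str) -> str:
    # RFC 7636 s4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    # Client side: 32 random bytes give a 43-char verifier, the RFC 7636 s4.1 minimum.
    # The verifier stays in the client's session; only the challenge is sent.
    verifier = b64url_nopad(secrets.token_bytes(32))
    return verifier, pkce_s256_challenge(verifier)


def verify_pkce(code_verifier: str, code_challenge: str, method: str) -> bool:
    # Authorization-server side, at the token endpoint (RFC 7636 s4.6).
    # Per the quick reference only S256 is acceptable, so "plain" is refused outright.
    if method != "S256":
        return False
    expected = pkce_s256_challenge(code_verifier)
    return hmac.compare_digest(expected.encode("utf-8"), code_challenge.encode("utf-8"))


LOOPBACK_HOSTS = ("127.0.0.1", "::1")


def redirect_uri_allowed(requested: str, registered: set[str]) -> bool:
    # Authorization-server side (RFC 9700 s4.1): simple string comparison against the
    # registered URIs, no prefix/wildcard matching and no path normalisation. The one
    # allowance is a native app's loopback redirect, where only the port may vary
    # (RFC 8252 s7.3); "localhost" is deliberately not treated as loopback.
    if requested in registered:
        return True
    req = urlsplit(requested)
    if req.scheme != "http" or req.hostname not in LOOPBACK_HOSTS:
        return False
    for reg in map(urlsplit, registered):
        if (reg.scheme, reg.hostname, reg.path, reg.query) == (req.scheme, req.hostname, req.path, req.query):
            return True
    return False


@dataclass(frozen=True)
class PendingAuth:
    """Hypothetical record the client stored server-side when it started the flow."""
    state: str          # CSRF token bound to this user agent's session
    issuer: str         # issuer of the AS the request was sent to (from RFC 8414 metadata)
    code_verifier: str  # PKCE verifier, never included in the authorization request


def check_authorization_response(callback_url: str, pending: PendingAuth) -> list[str]:
    """Client side: validate the redirect back from the AS before exchanging the code.
    Returns audit findings; an empty list means the response may proceed."""
    findings: list[str] = []
    parts = urlsplit(callback_url)
    params = parse_qs(parts.query, keep_blank_values=True)

    # A token in the fragment is an implicit-grant response (deprecated, RFC 9700 s2.1.2)
    if "access_token=" in parts.fragment:
        findings.append("access_token in fragment: implicit grant (RFC 9700 s2.1.2)")

    # CSRF / session-fixation defence: state must equal the value bound to this session
    state = params.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode("utf-8"), pending.state.encode("utf-8")):
        findings.append("state missing or not bound to session (RFC 9700 s4.7, CWE-352)")

    # Mix-up defence: iss must name the AS this request was actually sent to (RFC 9207)
    iss = params.get("iss", [""])[0]
    if not iss:
        findings.append("no iss parameter, mix-up undetectable (RFC 9700 s4.4)")
    elif iss != pending.issuer:
        findings.append(f"mix-up: iss {iss!r} != expected {pending.issuer!r} (RFC 9700 s4.4)")

    if "error" in params:
        findings.append("authorization error: " + params["error"][0])
    elif "code" not in params:
        findings.append("no authorization code in response")
    return findings


# Constructed sample values for the demo, not from any real deployment
PENDING = PendingAuth(state="af0ifjsldkj", issuer="https://as.example",
                      code_verifier="dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
GOOD_CALLBACK = ("https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA"
                 "&state=af0ifjsldkj&iss=https%3A%2F%2Fas.example")
MIXUP_CALLBACK = ("https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA"
                  "&state=af0ifjsldkj&iss=https%3A%2F%2Fattacker.example")

if __name__ == "__main__":
    print(check_authorization_response(GOOD_CALLBACK, PENDING))   # -> []
    print(check_authorization_response(MIXUP_CALLBACK, PENDING))  # -> one "mix-up" finding
```

When auditing, each finding string maps straight onto a row of the quick reference; a client that passes `check_authorization_response` with no findings and an AS that rejects `plain` in `verify_pkce` and prefix matches in `redirect_uri_allowed` covers the CSRF, mix-up and redirect-URI rows, while token storage, refresh rotation and scope handling still need separate review.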