auth-security

Solid

OAuth 2.1 + JWT authentication security best practices. Use when implementing auth, API authorization, token management. Follows RFC 9700 (2025).

AI & Automation 204 stars 21 forks Updated 2 days ago MIT

Quality Score: 87/100

Stars (20%): 77
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# Auth Security

## Core Principles

- **OAuth 2.1** — Follow RFC 9700 (January 2025)
- **PKCE Required** — All clients must use PKCE
- **Short-lived Tokens** — Access tokens expire in 5-15 minutes
- **Token Rotation** — Refresh tokens are single-use
- **HttpOnly Storage** — Browser tokens in HttpOnly cookies
- **Explicit Algorithm** — Never trust JWT header algorithm
- **No backwards compatibility** — Delete deprecated auth flows

---

## OAuth 2.1 Key Changes

### Deprecated Flows (DO NOT USE)

| Flow | Status | Replacement |
|------|--------|-------------|
| Implicit Grant | Removed | Authorization Code + PKCE |
| Password Grant | Removed | Authorization Code + PKCE |
| Auth Code without PKCE | Removed | Must use PKCE |

### Required: Authorization Code + PKCE

```typescript
import crypto from 'crypto';

// 1. Generate code verifier (43-128 chars)
function generateCodeVerifier(): string {
  return crypto.randomBytes(32).toString('base64url');
}

// 2. Generate code challenge
function generateCodeChallenge(verifier: string): string {
  return crypto
    .createHash('sha256')
    .update(verifier)
    .digest('base64url');
}

// 3. Authorization request
const verifier = generateCodeVerifier();
const challenge = generateCodeChallenge(verifier);

const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.search...
```

Details

Author: majiayu000
Repository: majiayu000/spellbook
Created: 6 months ago
Last Updated: 2 days ago
Language: Python
License: MIT
