How does the skill handle security for public clients?

It mandates the use of PKCE (Proof Key for Code Exchange) and requires refresh token rotation or sender-constraining to protect against token theft.

Which grant types are supported in this OAuth 2.1 guide?

This guide supports authorization_code, refresh_token, and client_credentials. Note that legacy grants like Implicit and Resource Owner Password Credentials are excluded as they are removed in OAuth 2.1.

Does this skill help with browser-based application security?

Yes, it provides specific instructions for implementing Cross-Origin Resource Sharing (CORS) headers to allow secure token requests from browser-based clients.

What are the mandatory HTTP requirements for the token endpoint?

The endpoint must use the POST method, utilize HTTPS (except for localhost development), and accept 'application/x-www-form-urlencoded' content.

OAuth 2.1 Token Endpoint Guide

Name: OAuth 2.1 Token Endpoint Guide
Author: maronnjapan

bymaronnjapan

Desarrollo de API

Guides the implementation of secure and spec-compliant OAuth 2.1 token endpoints for modern authorization servers.

Acerca de

This skill provides comprehensive guidance for building and validating OAuth 2.1 token endpoints, ensuring compliance with Section 3.2 and Section 4 of the latest specification. It enables Claude to assist developers in managing essential grant types like authorization code and client credentials, handling PKCE verifiers, implementing refresh token rotation, and configuring mandatory security headers. By following these patterns, developers can ensure their identity providers are secure against common vulnerabilities while adhering to the refined standards of OAuth 2.1, including strict CORS support and the removal of legacy grant types.

Características Principales

Implementation patterns for authorization_code, refresh_token, and client_credentials grants
Strict header requirements including Cache-Control: no-store and CORS configuration
Security logic for PKCE verification and single-use authorization code enforcement
Standardized JSON error response formats and HTTP status code mapping
Guidance on refresh token rotation and sender-constrained tokens for public clients
0 GitHub stars

Casos de Uso

Auditing and debugging token endpoint logic for spec compliance and security vulnerabilities
Upgrading existing OAuth 2.0 implementations to meet the security requirements of OAuth 2.1
Developing a custom OAuth 2.1 compliant identity provider or authorization server

Acerca de

Características Principales

Implementation patterns for authorization_code, refresh_token, and client_credentials grants
Strict header requirements including Cache-Control: no-store and CORS configuration
Security logic for PKCE verification and single-use authorization code enforcement
Standardized JSON error response formats and HTTP status code mapping
Guidance on refresh token rotation and sender-constrained tokens for public clients
0 GitHub stars

Casos de Uso

Auditing and debugging token endpoint logic for spec compliance and security vulnerabilities
Upgrading existing OAuth 2.0 implementations to meet the security requirements of OAuth 2.1
Developing a custom OAuth 2.1 compliant identity provider or authorization server