A comprehensive skill for implementing secure authentication and authorization using OAuth2 and OpenID Connect. This skill covers all major authorization flows, token management strategies, security best practices, and real-world implementation patterns for web, mobile, and API applications.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionoauth2-authenticationExecute the skills CLI command in your project's root directory to begin installation:
Fetches oauth2-authentication from manutej/luxor-claude-marketplace and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate oauth2-authentication. Access via /oauth2-authentication in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
0
total installs
0
this week
49
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
49
stars
A comprehensive skill for implementing secure authentication and authorization using OAuth2 and OpenID Connect. This skill covers all major authorization flows, token management strategies, security best practices, and real-world implementation patterns for web, mobile, and API applications.
Use this skill when:
OAuth2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account.
Key Terminology:
OAuth2 defines several grant types for different use cases:
Most Secure Flow - Recommended for Server-Side Applications
The authorization code flow is the most secure and widely used OAuth2 flow. It involves exchanging an authorization code for an access token on the server side.
Flow Steps:
When to Use:
Security Benefits:
Secure Flow for Public Clients (SPAs and Mobile Apps)
PKCE (Proof Key for Code Exchange, pronounced "pixy") is an extension to the authorization code flow designed for public clients that cannot securely store client secrets.
Flow Steps:
When to Use:
Security Benefits:
Machine-to-Machine Authentication
The client credentials flow is used when the client itself is the resource owner, typically for service-to-service communication.
Flow Steps:
When to Use:
Characteristics:
Legacy Flow - No Longer Recommended
The implicit flow returns tokens directly in the URL fragment without an authorization code exchange. This flow is now considered insecure and should be avoided.
Why Deprecated:
Legacy Flow - Avoid Unless Necessary
The resource owner password credentials flow allows the client to collect username and password directly, then exchange them for tokens.
Flow Steps:
When to Use (Rarely):
Why to Avoid:
For Input-Constrained Devices
The device flow is designed for devices with limited input capabilities (smart TVs, IoT devices, CLI tools).
Flow Steps:
When to Use:
Short-lived credentials for accessing protected resources
Characteristics:
Authorization: Bearer <access_token>JWT Structure (when using JWTs):
Header.Payload.Signature
JWT Payload Claims:
sub: Subject (user ID)iat: Issued at timeexp: Expiration timeiss: Issuer (authorization server)aud: Audience (resource server)scope: Granted permissionsToken Validation:
Long-lived credentials for obtaining new access tokens
Characteristics:
Refresh Token Rotation:
Token Storage Best Practices:
Web Applications:
Mobile Applications:
SPAs:
Tokens containing user identity information
Characteristics:
Standard Claims:
sub: Subject (unique user ID)name: Full nameemail: Email addressemail_verified: Email verification statuspicture: Profile picture URLiat, exp: Issued/expiration timesFine-grained permissions for access control
Scopes define what access the client is requesting and what the access token permits.
Scope Naming Conventions:
read:users - Read user datawrite:users - Create/update usersdelete:users - Delete usersadmin:all - Full administrative accessopenid - Request OpenID Connect ID tokenprofile - Access user profile informationemail - Access user email addressBest Practices:
Dynamic Scopes:
read:organization:{org_id}
write:project:{project_id}
admin:tenant:{tenant_id}
Prevents Cross-Site Request Forgery (CSRF)
The state parameter is a random value that the client includes in the authorization request and validates in the callback.
Implementation:
Example State Value:
state: crypto.randomBytes(32).toString('hex')
// "7f8a3d9e2b1c4f5a6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
Proof Key for Code Exchange - Prevents Code Interception
PKCE protects the authorization code flow against authorization code interception attacks.
Code Verifier:
Code Challenge:
Code Challenge Methods:
S256: SHA256 hash (use this)plain: Plaintext verifier (legacy only)Implementation Example:
// Generate code verifier
const codeVerifier = generateRandomString(64);
// Generate code challenge
const codeChallenge = base64UrlEncode(
sha256(codeVerifier)
);
// Store code verifier for token exchange
sessionStorage.setItem('code_verifier', codeVerifier);
// Include in authorization URL
const authUrl = `${authEndpoint}?` +
`client_id=${clientId}` +
`&redirect_uri=${redirectUri}` +
`&response_type=code` +
`&scope=${scopes}` +
`&state=${state}` +
`&code_challenge=${codeChallenge}` +
`&code_challenge_method=S256`;
Protecting Access and Refresh Tokens
Do:
Don't:
Prevent Open Redirect Vulnerabilities
Strict Validation Rules:
Mobile Deep Links:
com.example.app://callbackhttps://example.com/auth/callbackhttps://example.com/auth/callbackLocalhost Development:
http://localhost:3000/callbackIdentity Layer Built on OAuth2
OpenID Connect adds an identity layer on top of OAuth2, providing authentication in addition to authorization.
Key Differences from OAuth2:
OIDC Flows:
Authorization Code Flow (recommended)
Implicit Flow (deprecated)
Hybrid Flow
OIDC Scopes:
openid (required) - Enables OIDCprofile - Name, picture, locale, etc.email - Email address and verification statusaddress - Physical addressphone - Phone numberUserInfo Endpoint:
GET /userinfo
Authorization: Bearer <access_token>
Make data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
mattpocock/skills
parcadei/continuous-claude-v3
cursor/plugins
ailabs-393/ai-labs-claude-skills
pproenca/dot-skills
mattpocock/skills
Useful defaults in oauth2-authentication — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added oauth2-authentication from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend oauth2-authentication for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for oauth2-authentication matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: oauth2-authentication is focused, and the summary matches what you get after install.
oauth2-authentication has been reliable in day-to-day use. Documentation quality is above average for community skills.
oauth2-authentication is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
oauth2-authentication fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
oauth2-authentication reduced setup friction for our internal harness; good balance of opinion and flexibility.
oauth2-authentication has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 49