Implements OAuth 2.0, JWT, and session auth correctly with security best practices.
---
name: OAuth & Auth Flow
description: Implement OAuth 2.0, JWT, and sessions securely.
---
# OAuth & Auth Flow
Implement authentication that resists the common, well-documented attacks.
## Choosing a flow
- Web app with backend: Authorization Code + PKCE. Keep tokens server-side.
- SPA or mobile: Authorization Code + PKCE (never Implicit — it's deprecated).
- Service-to-service: Client Credentials.
- Never put a client secret in a browser or mobile binary.
## Authorization Code + PKCE
1. Generate `code_verifier` (random 43-128 chars) and `code_challenge = base64url(sha256(verifier))`.
2. Redirect to the authorize endpoint with `state` (CSRF) and `code_challenge`.
3. On callback, verify `state` matches, then exchange the code with the `code_verifier`.
4. Store tokens in an httpOnly, Secure, SameSite cookie or server session — not localStorage.
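The four steps above as an added, self-contained example that is not part of the original skill: a server-side client using only the Python standard library. The `session` dict stands in for whatever server-side session store the app uses, and the endpoint, client id and redirect URI values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    # RFC 7636 wants base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # 32 random bytes encode to 43 chars, the minimum RFC 7636 allows (max 128)
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    # S256 method: base64url(sha256(verifier)); the verifier itself never leaves the server
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def start_login(session: dict, authorize_endpoint: str, client_id: str,
                redirect_uri: str, scope: str) -> str:
    # Steps 1-2: mint verifier + state, keep both server-side, send only the challenge
    session["code_verifier"] = new_code_verifier()
    session["state"] = secrets.token_urlsafe(32)
    session["redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
        "code_challenge": code_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"

def handle_callback(session: dict, callback_url: str, client_id: str) -> dict:
    # Step 3: bind the callback to the session that started it, then build the token
    # request body that proves possession of the verifier (sent via POST, not shown).
    q = parse_qs(urlparse(callback_url).query)
    got_state = q.get("state", [""])[0]
    expected = session.get("state", "")
    if not expected or not secrets.compare_digest(got_state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in q:
        raise ValueError("authorization failed: " + q.get("error", ["unknown"])[0])
    verifier = session.pop("code_verifier")  # single use: a replayed callback fails
    session.pop("state")
    return {
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": session.pop("redirect_uri"),
        "client_id": client_id,
        "code_verifier": verifier,
    }
```

The returned dict is the body of the token request in step 3; the access and refresh tokens it yields stay in the server session (step 4) rather than being handed to the browser.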
```text
GET /authorize?response_type=code&client_id=...
```