How does the skill handle security for public clients?

It mandates the use of PKCE (Proof Key for Code Exchange) and requires refresh token rotation or sender-constraining to protect against token theft.

Which grant types are supported in this OAuth 2.1 guide?

This guide supports authorization_code, refresh_token, and client_credentials. Note that legacy grants like Implicit and Resource Owner Password Credentials are excluded as they are removed in OAuth 2.1.

Does this skill help with browser-based application security?

Yes, it provides specific instructions for implementing Cross-Origin Resource Sharing (CORS) headers to allow secure token requests from browser-based clients.

What are the mandatory HTTP requirements for the token endpoint?

The endpoint must use the POST method, utilize HTTPS (except for localhost development), and accept 'application/x-www-form-urlencoded' content.

OAuth 2.1 Token Endpoint Guide

Name: OAuth 2.1 Token Endpoint Guide
Author: maronnjapan

bymaronnjapan

0•

API Development

Guides the implementation of secure and spec-compliant OAuth 2.1 token endpoints for modern authorization servers.

This skill provides comprehensive guidance for building and validating OAuth 2.1 token endpoints, ensuring compliance with Section 3.2 and Section 4 of the latest specification. It enables Claude to assist developers in managing essential grant types like authorization code and client credentials, handling PKCE verifiers, implementing refresh token rotation, and configuring mandatory security headers. By following these patterns, developers can ensure their identity providers are secure against common vulnerabilities while adhering to the refined standards of OAuth 2.1, including strict CORS support and the removal of legacy grant types.

Key Features

01Implementation patterns for authorization_code, refresh_token, and client_credentials grants

02Strict header requirements including Cache-Control: no-store and CORS configuration

03Security logic for PKCE verification and single-use authorization code enforcement

04Standardized JSON error response formats and HTTP status code mapping

05Guidance on refresh token rotation and sender-constrained tokens for public clients

060 GitHub stars

Use Cases

01Auditing and debugging token endpoint logic for spec compliance and security vulnerabilities

02Upgrading existing OAuth 2.0 implementations to meet the security requirements of OAuth 2.1

03Developing a custom OAuth 2.1 compliant identity provider or authorization server

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add maronnjapan/maronn-openid-provider oauth21-token-endpoint

For use in Claude.ai and ChatGPT

Download Skill