
OAuth OIDC Misconfiguration
Run a focused OAuth/OIDC misconfiguration review on apps with social login—redirect URIs, PKCE, state/nonce, and token binding—before or after shipping auth flows.
Overview
OAuth OIDC Misconfiguration is an agent skill for the Ship phase that provides a misconfiguration checklist for OAuth 2.0 and OpenID Connect redirects, PKCE, scopes, and token binding. "Token binding" here means audience/issuer checks and binding the callback to the session that started it, not the RFC 8471 Token Binding protocol.
Install
npx skills add https://github.com/yaklang/hack-skills --skill oauth-oidc-misconfiguration
What is this skill?
- High-value misconfiguration matrix covering state, redirect_uri, PKCE, OIDC nonce, and aud/iss validation
- Explicit triggers for Login with Google/GitHub/Microsoft/Okta and authorize/callback parameters
- Cross-links jwt oauth token attacks for JWT header and token crypto abuse
- Scoped to OAuth 2.0 and OpenID Connect flows including mobile and SPA clients
- Account-binding and cross-client token reuse themes in the checklist
- Checklist groups high-value themes across state, redirect_uri, PKCE, OIDC nonce, token audience/issuer, scope handling, and account binding
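The redirect_uri theme is the one most often got wrong on the authorization-server side, so here is an added example in Python (not code from the hack-skills project) that puts a prefix matcher beside an exact-match one and runs both over constructed payloads for the patterns the checklist names: open-redirect chaining, path confusion, a fragment, and a localhost registration left over from development. The client registration, hostnames and payload URLs are invented for the example.

```python
from urllib.parse import urlsplit

# Constructed registration for a hypothetical client "acme-web": one
# production callback plus a localhost entry forgotten from development.
REGISTERED = {
    "acme-web": (
        "https://app.example.com/auth/callback",
        "http://localhost:3000/callback",
    ),
}


def weak_match(client_id: str, redirect_uri: str) -> bool:
    """Prefix match, the pattern many hand-rolled authorization servers use."""
    return any(redirect_uri.startswith(r) for r in REGISTERED[client_id])


def strict_match(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered values: no prefix,
    no normalisation, and a fragment is never acceptable in redirect_uri."""
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED[client_id]


def registration_findings(client_id: str) -> list:
    """Flag registered entries that should not be live in production."""
    findings = []
    for uri in REGISTERED[client_id]:
        p = urlsplit(uri)
        if p.scheme != "https":
            findings.append(f"non-https redirect_uri registered: {uri}")
        if p.hostname in ("localhost", "127.0.0.1"):
            findings.append(f"localhost leftover: {uri}")
        if "*" in uri:
            findings.append(f"wildcard in registration: {uri}")
    return findings


# Constructed payloads, keyed by the checklist theme each one probes.
PAYLOADS = {
    "legitimate": "https://app.example.com/auth/callback",
    # the callback handler has an open redirect on ?next=, so the code travels onward
    "open_redirect_chain": "https://app.example.com/auth/callback?next=https://evil.example/",
    # the browser resolves ../ when following the Location header and lands elsewhere
    "path_confusion": "https://app.example.com/auth/callback/../../api/redirect?to=https://evil.example/",
    "path_suffix": "https://app.example.com/auth/callback.evil.example/",
    "fragment": "https://app.example.com/auth/callback#",
    "localhost_leftover": "http://localhost:3000/callback",
}


def compare(client_id: str = "acme-web") -> dict:
    """Return {theme: (weak_accepts, strict_accepts)} for every payload."""
    return {name: (weak_match(client_id, uri), strict_match(client_id, uri))
            for name, uri in PAYLOADS.items()}


if __name__ == "__main__":
    for theme, (weak, strict) in compare().items():
        print(f"{theme:20} prefix={weak!s:5} exact={strict}")
    for f in registration_findings("acme-web"):
        print("finding:", f)
```

Exact matching rejects every crafted URI but still accepts the localhost entry, because a matcher can only be as good as the registration it compares against; that is why the registration audit is a separate check, and why the triage step of comparing web, SPA and mobile client registrations is worth the time.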
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your app added social login but you are unsure whether redirect URI validation, state, PKCE, or token audience checks are tight enough to resist account takeover, login CSRF, and authorization code or token replay.
Who is it for?
Indie builders or small teams reviewing OAuth/OIDC in staging or pre-launch apps with real IdP callbacks and public or SPA clients.
Skip if: Greenfield ideas with no auth, pure API-key services with no OAuth, or builders who only need marketing copy without touching identity flows.
When should I use this skill?
Target uses OAuth 2.0 or OpenID Connect and you need misconfiguration checks for redirect URI validation, state/nonce, PKCE, token audience, and callback binding.
What do I get? / Deliverables
You get a structured set of high-value OAuth/OIDC checks to execute and clear pointers to jwt oauth token attacks when the risk is JWT-level rather than flow-level.
- Structured misconfiguration findings aligned to the skill’s theme table
- Follow-up scope note when JWT/token crypto testing is needed
Recommended Skills
Journey fit
Ship security is where builders harden auth before release; this playbook is shelved there because it targets pre-release and release-candidate OAuth surfaces. Security subphase holds structured test checklists for identity and session flaws rather than feature implementation guides.
How it compares
Use as a focused OAuth flow misconfiguration playbook instead of ad-hoc penetration notes that skip PKCE, nonce, and redirect chaining patterns.
Common Questions / FAQ
Who is oauth-oidc-misconfiguration for?
Builders and agent operators assessing apps that implement Login with major IdPs or expose authorize, callback, redirect_uri, code, state, nonce, or code_challenge parameters.
When should I use oauth-oidc-misconfiguration?
During ship security reviews when OAuth or OIDC is in scope, before exposing social login to production, or when auditing mobile/SPA clients that rely on authorization code flows.
Is oauth-oidc-misconfiguration safe to install?
Treat it as offensive-security guidance—use only on systems you are authorized to test; review the Security Audits panel on this Prism page before installing.
Workflow Chain
Then invoke: jwt oauth token attacks
SKILL.md - OAuth OIDC Misconfiguration
# SKILL: OAuth and OIDC Misconfiguration — Redirects, PKCE, Scopes, and Token Binding

> **AI LOAD INSTRUCTION**: Use this skill when the target uses OAuth 2.0 or OpenID Connect and you need a focused misconfiguration checklist: redirect URI validation, state and nonce handling, PKCE enforcement, token audience, and account binding mistakes.

## 1. WHEN TO LOAD THIS SKILL

Load when:

- The app supports `Login with Google`, GitHub, Microsoft, Okta, or other IdPs
- You see `authorize`, `callback`, `redirect_uri`, `code`, `state`, `nonce`, or `code_challenge`
- Mobile or SPA clients rely on OAuth or OIDC flows

For token cryptography and JWT header abuse, also load:

- [jwt oauth token attacks](../jwt-oauth-token-attacks/SKILL.md)

## 2. HIGH-VALUE MISCONFIGURATION CHECKS

| Theme | What to Check |
|---|---|
| `state` handling | missing, static, predictable, or not bound to user session |
| `redirect_uri` validation | prefix match, open redirect chaining, path confusion, localhost leftovers |
| PKCE | missing for public clients, code verifier not enforced, downgraded flow |
| OIDC `nonce` | missing or not validated on ID token return |
| token audience and issuer | weak `aud` / `iss` checks, cross-client token reuse |
| account binding | callback binds attacker identity to victim session |
| scope handling | broader scopes granted than the user or client should receive |

## 3. QUICK TRIAGE

1. Map the full flow: authorize, callback, token exchange, logout.
2. Replay callback flows with altered `state`, `nonce`, and `redirect_uri`.
3. Compare SPA, mobile, and web clients for weaker validation.
4. Check whether one provider account can be rebound to another local account.

## 4. RELATED ROUTES

- CORS or cross-origin token exposure: [cors cross origin misconfiguration](../cors-cross-origin-misconfiguration/SKILL.md)
- XML federation or enterprise SSO: [saml sso assertion attacks](../saml-sso-assertion-attacks/SKILL.md)
- CSRF-heavy login or binding bugs: [csrf cross site request forgery](../csrf-cross-site-request-forgery/SKILL.md)
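To make the `state`, PKCE, `nonce`, `aud`/`iss` and account-binding rows of the table in section 2 concrete from the relying-party side, here is an added Python example (not the hack-skills project's code). It models a client and a minimal in-memory authorization server, runs the honest flow, then reproduces four of the table's failure cases: an attacker's completed callback dropped into a victim's session (account binding / login CSRF), a stolen code exchanged without its verifier, an ID token minted for a different client, and an ID token carrying the wrong nonce. The issuer, client id and callback URL are invented; ID tokens are handled as already signature-verified claims, since token crypto belongs to the jwt oauth token attacks skill rather than this one.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical IdP and client; every name below is constructed for the example.
ISSUER = "https://idp.example"
CLIENT_ID = "acme-web"
CALLBACK = "https://app.example.com/auth/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode()).digest())


# ---------- relying party: start login ----------
def begin_login(session: dict) -> dict:
    """Mint a per-request state, nonce and PKCE verifier, bind them to this
    session, and return the authorize request parameters."""
    verifier = b64url(secrets.token_bytes(32))
    session["oauth"] = {"state": b64url(secrets.token_bytes(16)),
                        "nonce": b64url(secrets.token_bytes(16)),
                        "code_verifier": verifier}
    p = session["oauth"]
    return {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK,
            "state": p["state"], "nonce": p["nonce"], "scope": "openid email",
            "code_challenge": s256(verifier), "code_challenge_method": "S256"}


# ---------- simulated authorization server / OpenID provider ----------
class FakeIdP:
    """Issues single-use codes bound to client, redirect_uri, challenge and
    nonce, and enforces PKCE at the token endpoint. ID tokens come back as
    plain claims; signature checks are out of scope here."""

    def __init__(self):
        self.codes = {}

    def authorize(self, params: dict, subject: str) -> dict:
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": params["client_id"],
                            "redirect_uri": params["redirect_uri"],
                            "challenge": params.get("code_challenge"),
                            "nonce": params.get("nonce"), "sub": subject}
        return {"code": code, "state": params["state"]}

    def token(self, code: str, client_id: str, redirect_uri: str, verifier: str) -> dict:
        rec = self.codes.pop(code, None)          # single use, so a replayed code fails
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if rec["challenge"] is None:              # public client that skipped PKCE
            raise ValueError("invalid_request: PKCE required")
        if not hmac.compare_digest(s256(verifier), rec["challenge"]):
            raise ValueError("invalid_grant: code_verifier mismatch")
        now = int(time.time())
        return {"id_token_claims": {"iss": ISSUER, "aud": client_id, "sub": rec["sub"],
                                    "nonce": rec["nonce"], "iat": now, "exp": now + 300}}


# ---------- relying party: callback ----------
def validate_id_token_claims(c: dict, expected_nonce: str, now=None) -> str:
    """iss/aud/nonce/exp checks on claims whose signature was already verified."""
    now = int(time.time()) if now is None else now
    if c.get("iss") != ISSUER:
        raise ValueError("wrong iss")
    auds = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if CLIENT_ID not in auds:
        raise ValueError("aud not this client (cross-client reuse)")
    if not hmac.compare_digest(str(c.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch (replayed ID token)")
    if c.get("exp", 0) <= now:
        raise ValueError("expired")
    return c["sub"]


def handle_callback(session: dict, params: dict, idp: FakeIdP) -> str:
    """Bind the callback to the session via state, exchange the code with its
    verifier, validate the ID token, and return the subject to log in."""
    pending = session.pop("oauth", None)      # one callback per started login
    if pending is None or not hmac.compare_digest(pending["state"], params.get("state", "")):
        raise ValueError("state mismatch: callback not bound to this session")
    tok = idp.token(params["code"], CLIENT_ID, CALLBACK, pending["code_verifier"])
    return validate_id_token_claims(tok["id_token_claims"], pending["nonce"])


def run_scenarios() -> dict:
    """Honest flow plus four checklist failures; returns an outcome per scenario."""
    idp, out = FakeIdP(), {}
    s = {}
    cb = idp.authorize(begin_login(s), subject="victim@example.test")
    out["honest"] = handle_callback(s, cb, idp)

    victim, attacker = {}, {}                 # login CSRF / account binding
    begin_login(victim)
    a_cb = idp.authorize(begin_login(attacker), subject="attacker@example.test")
    try:
        out["login_csrf"] = handle_callback(victim, a_cb, idp)
    except ValueError as e:
        out["login_csrf"] = str(e)

    s = {}                                    # stolen code, attacker lacks the verifier
    cb = idp.authorize(begin_login(s), subject="victim@example.test")
    try:
        idp.token(cb["code"], CLIENT_ID, CALLBACK, "not-the-verifier")
        out["pkce"] = "accepted"
    except ValueError as e:
        out["pkce"] = str(e)

    base = {"iss": ISSUER, "sub": "x", "nonce": "n1", "exp": 2_000_000_000}
    for name, claims, nonce in (("cross_client", {**base, "aud": "other-app"}, "n1"),
                                ("nonce_replay", {**base, "aud": CLIENT_ID}, "n2")):
        try:
            out[name] = validate_id_token_claims(claims, nonce)
        except ValueError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13} {outcome}")
```

The login-CSRF scenario is the account-binding row in practice: the attacker's callback carries a valid code and a valid state, but not the state stored in the victim's session, so the only thing that stops the victim's session being bound to the attacker's identity is the session-bound comparison. Dropping that comparison, or accepting a static state, turns every "link this provider to my account" flow into a takeover primitive.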