Spark
Sign In
Skill

Implement Secure OAuth2 Authentication Flows

Implement OAuth2 with expert guidance on grant types, token security, and PKCE for secure API authentication.

Get skill
Works with express.jsreactjwtredispostgres
VibeBaza
Maintainer?
9
Spark score
out of 100
Updated 6 months ago
Version 1.0.0
Models
claude
Add to Favorites

Why it matters

Implement robust and secure OAuth2 authentication flows for your applications. This asset provides expertise in various grant types, token management, and best practices for both authorization server and client implementations.

Outcomes

What it gets done

01

Implement Authorization Code + PKCE flow for SPAs and mobile apps.

02

Configure Client Credentials flow for server-to-server communication.

03

Securely manage access and refresh tokens, including rotation and revocation.

04

Integrate OAuth2 security best practices into Express.js and React applications.

Install

Add it to your toolbox

Run in your project directory:

curl -fsSL https://spark.entire.vc/get/vb-oauth2-implementation | bash

Capabilities

What this skill does

Manage secrets

Stores, rotates, and injects API keys and credentials.

Review code

Analyzes code for bugs, style issues, and improvements.

Debug

Traces errors to their root cause and suggests fixes.

Deploy / CI

Runs build pipelines, tests, and deploys to environments.

Overview

OAuth2 Implementation Expert

What it does

Implement an OAuth2 authorization server and client flow, demonstrating secure token exchange and management. This includes expertise in various grant types (Authorization Code + PKCE, Client Credentials, Resource Owner Password, Refresh Token, Device Code), token security best practices (short-lived access tokens, secure refresh token storage and rotation, JWT or opaque tokens, revocation endpoints), and PKCE implementation (RFC 7636). The service covers authorization server implementation using Express.js and client implementation using React, along with secure token storage patterns and resource server protection with JWT validation and scope checking.

const express = require('express');
const crypto = require('crypto');
const jwt = require('jsonwebtoken');
const app = express();

// Authorization endpoint
app.get('/oauth/authorize', (req, res) => {
  const { client_id, redirect_uri, state, code_challenge, code_challenge_method, scope } = req.query;
  
  // Validate client and redirect URI
  if (!validateClient(client_id, redirect_uri)) {
    return res.status(400).json({ error: 'invalid_client' });
  }
  
  // Store PKCE challenge
  const authCode = crypto.randomBytes(32).toString('hex');
  storeAuthCode(authCode, {
    client_id,
    redirect_uri,
    code_challenge,
    code_challenge_method,
    scope,
    expires_at: Date.now() + 600000 // 10 minutes
  });
  
  res.redirect(`${redirect_uri}?code=${authCode}&state=${state}`);
});

// Token endpoint
app.post('/oauth/token', (req, res) => {
  const { grant_type, code, redirect_uri, client_id, code_verifier } = req.body;
  
  if (grant_type === 'authorization_code') {
    const authData = getAuthCode(code);
    
    // Verify PKCE
    if (!verifyPKCE(authData.code_challenge, code_verifier, authData.code_challenge_method)) {
      return res.status(400).json({ error: 'invalid_grant' });
    }
    
    const accessToken = jwt.sign(
      { sub: authData.user_id, scope: authData.scope, client_id },
      process.env.JWT_SECRET,
      { expiresIn: '1h' }
    );
    
    const refreshToken = crypto.randomBytes(64).toString('hex');
    storeRefreshToken(refreshToken, authData.user_id, client_id);
    
    res.json({
      access_token: accessToken,
      token_type: 'Bearer',
      expires_in: 3600,
      refresh_token: refreshToken,
      scope: authData.scope
    });
  }
});

function verifyPKCE(challenge, verifier, method) {
  const hash = crypto.createHash('sha256').update(verifier).digest('base64url');
  return method === 'S256' ? hash === challenge : verifier === challenge;
}

How it connects

2024-05-15T17:00:00Z

Source README

You are an expert in OAuth2 implementation with deep knowledge of RFC 6749, security best practices, and practical deployment across various platforms and frameworks. You understand the nuances of different grant types, token management, PKCE, and modern security considerations.

Core OAuth2 Principles

Grant Types and Use Cases

  • Authorization Code + PKCE: Default for SPAs and mobile apps
  • Client Credentials: Server-to-server communication
  • Resource Owner Password: Legacy systems only (discouraged)
  • Refresh Token: Long-lived access without re-authentication
  • Device Code: IoT and limited input devices

Token Security

  • Access tokens should be short-lived (15-60 minutes)
  • Refresh tokens must be securely stored and rotated
  • Use JWT for stateless tokens or opaque tokens with introspection
  • Implement proper token revocation endpoints

Authorization Server Implementation

Express.js Authorization Server

const express = require('express');
const crypto = require('crypto');
const jwt = require('jsonwebtoken');
const app = express();

// Authorization endpoint
app.get('/oauth/authorize', (req, res) => {
  const { client_id, redirect_uri, state, code_challenge, code_challenge_method, scope } = req.query;
  
  // Validate client and redirect URI
  if (!validateClient(client_id, redirect_uri)) {
    return res.status(400).json({ error: 'invalid_client' });
  }
  
  // Store PKCE challenge
  const authCode = crypto.randomBytes(32).toString('hex');
  storeAuthCode(authCode, {
    client_id,
    redirect_uri,
    code_challenge,
    code_challenge_method,
    scope,
    expires_at: Date.now() + 600000 // 10 minutes
  });
  
  res.redirect(`${redirect_uri}?code=${authCode}&state=${state}`);
});

// Token endpoint
app.post('/oauth/token', (req, res) => {
  const { grant_type, code, redirect_uri, client_id, code_verifier } = req.body;
  
  if (grant_type === 'authorization_code') {
    const authData = getAuthCode(code);
    
    // Verify PKCE
    if (!verifyPKCE(authData.code_challenge, code_verifier, authData.code_challenge_method)) {
      return res.status(400).json({ error: 'invalid_grant' });
    }
    
    const accessToken = jwt.sign(
      { sub: authData.user_id, scope: authData.scope, client_id },
      process.env.JWT_SECRET,
      { expiresIn: '1h' }
    );
    
    const refreshToken = crypto.randomBytes(64).toString('hex');
    storeRefreshToken(refreshToken, authData.user_id, client_id);
    
    res.json({
      access_token: accessToken,
      token_type: 'Bearer',
      expires_in: 3600,
      refresh_token: refreshToken,
      scope: authData.scope
    });
  }
});

function verifyPKCE(challenge, verifier, method) {
  const hash = crypto.createHash('sha256').update(verifier).digest('base64url');
  return method === 'S256' ? hash === challenge : verifier === challenge;
}

Client Implementation (React)

class OAuth2Client {
  constructor(clientId, redirectUri, authUrl, tokenUrl) {
    this.clientId = clientId;
    this.redirectUri = redirectUri;
    this.authUrl = authUrl;
    this.tokenUrl = tokenUrl;
  }
  
  // Generate PKCE parameters
  generatePKCE() {
    const codeVerifier = crypto.randomBytes(64).toString('base64url');
    const codeChallenge = crypto.createHash('sha256')
      .update(codeVerifier)
      .digest('base64url');
    
    sessionStorage.setItem('code_verifier', codeVerifier);
    return { codeVerifier, codeChallenge };
  }
  
  // Initiate authorization flow
  authorize(scope = 'read') {
    const { codeChallenge } = this.generatePKCE();
    const state = crypto.randomBytes(32).toString('hex');
    sessionStorage.setItem('oauth_state', state);
    
    const params = new URLSearchParams({
      client_id: this.clientId,
      redirect_uri: this.redirectUri,
      response_type: 'code',
      scope,
      code_challenge: codeChallenge,
      code_challenge_method: 'S256',
      state
    });
    
    window.location.href = `${this.authUrl}?${params}`;
  }
  
  // Exchange code for tokens
  async exchangeCodeForToken(code, state) {
    const storedState = sessionStorage.getItem('oauth_state');
    if (state !== storedState) {
      throw new Error('Invalid state parameter');
    }
    
    const codeVerifier = sessionStorage.getItem('code_verifier');
    
    const response = await fetch(this.tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'authorization_code',
        code,
        redirect_uri: this.redirectUri,
        client_id: this.clientId,
        code_verifier: codeVerifier
      })
    });
    
    const tokens = await response.json();
    this.storeTokens(tokens);
    return tokens;
  }
  
  storeTokens(tokens) {
    localStorage.setItem('access_token', tokens.access_token);
    localStorage.setItem('refresh_token', tokens.refresh_token);
    localStorage.setItem('token_expires', Date.now() + tokens.expires_in * 1000);
  }
}

Security Best Practices

PKCE Implementation

Always use PKCE (RFC 7636) for public clients:

  • Generate cryptographically random code verifier (43-128 characters)
  • Use SHA256 for code challenge method
  • Validate code verifier on token exchange

Token Storage

// Secure token storage pattern
class SecureTokenStorage {
  static setTokens(tokens) {
    // Use httpOnly cookies for refresh tokens when possible
    document.cookie = `refresh_token=${tokens.refresh_token}; HttpOnly; Secure; SameSite=Strict`;
    
    // Memory storage for access tokens in SPAs
    window.tokenManager = {
      accessToken: tokens.access_token,
      expiresAt: Date.now() + tokens.expires_in * 1000
    };
  }
  
  static getAccessToken() {
    const manager = window.tokenManager;
    if (!manager || Date.now() >= manager.expiresAt) {
      return null;
    }
    return manager.accessToken;
  }
  
  // Automatic token refresh
  static async refreshTokenIfNeeded() {
    const manager = window.tokenManager;
    if (manager && Date.now() >= manager.expiresAt - 300000) { // 5 min buffer
      await this.refreshToken();
    }
  }
}

Resource Server Protection

// JWT validation middleware
const validateToken = (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  
  if (!token) {
    return res.status(401).json({ error: 'missing_token' });
  }
  
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = decoded;
    next();
  } catch (error) {
    if (error.name === 'TokenExpiredError') {
      return res.status(401).json({ error: 'token_expired' });
    }
    return res.status(401).json({ error: 'invalid_token' });
  }
};

// Scope validation
const requireScope = (requiredScope) => (req, res, next) => {
  const userScopes = req.user.scope?.split(' ') || [];
  if (!userScopes.includes(requiredScope)) {
    return res.status(403).json({ error: 'insufficient_scope' });
  }
  next();
};

app.get('/api/protected', validateToken, requireScope('read'), (req, res) => {
  res.json({ message: 'Protected resource accessed successfully' });
});

Configuration and Deployment

Environment Variables

# Authorization Server
JWT_SECRET=your-256-bit-secret
JWT_ISSUER=https://your-auth-server.com
TOKEN_EXPIRY=3600
REFRESH_TOKEN_EXPIRY=2592000

# Database URLs for token/client storage
REDIS_URL=redis://localhost:6379
DATABASE_URL=postgresql://user:pass@localhost/oauth

# CORS settings
ALLOWED_ORIGINS=https://your-spa.com,https://your-mobile-app.com

Client Registration

Maintain a client registry with:

  • Client ID and secret (confidential clients)
  • Allowed redirect URIs (exact match)
  • Allowed grant types and scopes
  • Token endpoint authentication method
  • PKCE requirement flag

Common Pitfalls and Solutions

  • Never use implicit flow: Use authorization code + PKCE instead
  • Validate redirect URIs strictly: Prevent open redirect attacks
  • Implement proper CORS: Configure origins carefully for browser-based apps
  • Token introspection: Use RFC 7662 for opaque token validation
  • Rate limiting: Protect token endpoints from brute force attacks
  • Audit logging: Log all authorization and token events for security monitoring

Discussion

Questions & comments · 0

Sign In Sign in to leave a comment.