oauth-oidc-misconfiguration
OAuth and OIDC misconfiguration testing playbook. Use when reviewing redirect URI handling, state and nonce validation, PKCE, token audience, callback binding, and identity-provider trust flaws.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill oauth-oidc-misconfigurationIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is an instructional playbook for testing OAuth and OIDC misconfigurations. It contains no executable code, network operations, or sensitive data access.
- Socketpass
No alerts
- Snykpass
Risk: LOW · No issues
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
SKILL: OAuth and OIDC Misconfiguration — Redirects, PKCE, Scopes, and Token Binding
AI LOAD INSTRUCTION: Use this skill when the target uses OAuth 2.0 or OpenID Connect and you need a focused misconfiguration checklist: redirect URI validation, state and nonce handling, PKCE enforcement, token audience, and account binding mistakes.
1. WHEN TO LOAD THIS SKILL
Load when:
- The app supports
Login with Google, GitHub, Microsoft, Okta, or other IdPs - You see
authorize,callback,redirect_uri,code,state,nonce, orcode_challenge - Mobile or SPA clients rely on OAuth or OIDC flows
For token cryptography and JWT header abuse, also load:
2. HIGH-VALUE MISCONFIGURATION CHECKS
| Theme | What to Check |
|---|---|
state handling | missing, static, predictable, or not bound to user session |
redirect_uri validation | prefix match, open redirect chaining, path confusion, localhost leftovers |
| PKCE | missing for public clients, code verifier not enforced, downgraded flow |
OIDC nonce | missing or not validated on ID token return |
| token audience and issuer | weak aud / iss checks, cross-client token reuse |
| account binding | callback binds attacker identity to victim session |
| scope handling | broader scopes granted than the user or client should receive |
3. QUICK TRIAGE
- Map the full flow: authorize, callback, token exchange, logout.
- Replay callback flows with altered
state,nonce, andredirect_uri. - Compare SPA, mobile, and web clients for weaker validation.
- Check whether one provider account can be rebound to another local account.
4. RELATED ROUTES
- CORS or cross-origin token exposure: cors cross origin misconfiguration
- XML federation or enterprise SSO: saml sso assertion attacks
- CSRF-heavy login or binding bugs: csrf cross site request forgery
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/oauth-oidc-misconfiguration">View oauth-oidc-misconfiguration on skillZs</a>