skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
yaklang/hack-skills2k installs

oauth-oidc-misconfiguration

OAuth and OIDC misconfiguration testing playbook. Use when reviewing redirect URI handling, state and nonce validation, PKCE, token audience, callback binding, and identity-provider trust flaws.

How do I install this agent skill?

npx skills add https://github.com/yaklang/hack-skills --skill oauth-oidc-misconfiguration
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill is an instructional playbook for testing OAuth and OIDC misconfigurations. It contains no executable code, network operations, or sensitive data access.

  • Socketpass

    No alerts

  • Snykpass

    Risk: LOW · No issues

  • ZeroLeakspass

    Score: 93/100 · 2 sections analyzed

What does this agent skill do?

SKILL: OAuth and OIDC Misconfiguration — Redirects, PKCE, Scopes, and Token Binding

AI LOAD INSTRUCTION: Use this skill when the target uses OAuth 2.0 or OpenID Connect and you need a focused misconfiguration checklist: redirect URI validation, state and nonce handling, PKCE enforcement, token audience, and account binding mistakes.

1. WHEN TO LOAD THIS SKILL

Load when:

  • The app supports Login with Google, GitHub, Microsoft, Okta, or other IdPs
  • You see authorize, callback, redirect_uri, code, state, nonce, or code_challenge
  • Mobile or SPA clients rely on OAuth or OIDC flows

For token cryptography and JWT header abuse, also load:

2. HIGH-VALUE MISCONFIGURATION CHECKS

ThemeWhat to Check
state handlingmissing, static, predictable, or not bound to user session
redirect_uri validationprefix match, open redirect chaining, path confusion, localhost leftovers
PKCEmissing for public clients, code verifier not enforced, downgraded flow
OIDC noncemissing or not validated on ID token return
token audience and issuerweak aud / iss checks, cross-client token reuse
account bindingcallback binds attacker identity to victim session
scope handlingbroader scopes granted than the user or client should receive

3. QUICK TRIAGE

  1. Map the full flow: authorize, callback, token exchange, logout.
  2. Replay callback flows with altered state, nonce, and redirect_uri.
  3. Compare SPA, mobile, and web clients for weaker validation.
  4. Check whether one provider account can be rebound to another local account.

4. RELATED ROUTES

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/yaklang/hack-skills/oauth-oidc-misconfiguration">View oauth-oidc-misconfiguration on skillZs</a>