SKILL: OAuth and OIDC Misconfiguration — Redirects, PKCE, Scopes, and Token Binding

AI LOAD INSTRUCTION: Use this skill when the target uses OAuth 2.0 or OpenID Connect and you need a focused misconfiguration checklist: redirect URI validation, state and nonce handling, PKCE enforcement, token audience, and account binding mistakes.

1. WHEN TO LOAD THIS SKILL

Load when:

• The app supports Login with Google, GitHub, Microsoft, Okta, or other IdPs
• You see authorize, callback, redirect_uri, code, state, nonce, or code_challenge
• Mobile or SPA clients rely on OAuth or OIDC flows

For token cryptography and JWT header abuse, also load:

• jwt oauth token attacks

2. HIGH-VALUE MISCONFIGURATION CHECKS

3. QUICK TRIAGE

1. Map the full flow: authorize, callback, token exchange, logout.
2. Replay callback flows with altered state, nonce, and redirect_uri.
3. Compare SPA, mobile, and web clients for weaker validation.
4. Check whether one provider account can be rebound to another local account.

4. RELATED ROUTES

• CORS or cross-origin token exposure: cors cross origin misconfiguration
• XML federation or enterprise SSO: saml sso assertion attacks
• CSRF-heavy login or binding bugs: csrf cross site request forgery