
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

Score: 94 (1.40x)
Quality: 95% (Does it follow best practices?)
Impact: 93% (1.40x)
Average score across 5 eval scenarios
Security (by Snyk): Passed, no known issues


evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent implements JWT verification that validates all required RFC 7519 claims, uses asymmetric signing algorithms, returns correct error responses, and applies the hook to routes properly.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "exp claim validated",
      "description": "Checks that the token's exp claim is a number and that it is greater than the current Unix timestamp (now)",
      "max_score": 12
    },
    {
      "name": "iss claim validated",
      "description": "Checks that payload.iss matches EXPECTED_ISSUER from process.env and rejects mismatches",
      "max_score": 10
    },
    {
      "name": "aud claim validated",
      "description": "Checks that payload.aud matches EXPECTED_AUDIENCE from process.env and rejects mismatches",
      "max_score": 10
    },
    {
      "name": "sub claim present",
      "description": "References payload.sub or verifies the sub claim is present in the validated token",
      "max_score": 8
    },
    {
      "name": "401 on validation failure",
      "description": "Returns HTTP 401 status code (reply.code(401)) for all JWT validation failures",
      "max_score": 8
    },
    {
      "name": "Structured error response",
      "description": "Error responses include a JSON body with an 'error' field (e.g. { error: 'token_expired' }, { error: 'invalid_issuer' })",
      "max_score": 8
    },
    {
      "name": "Asymmetric algorithm only",
      "description": "Does NOT configure HS256 as the signing algorithm; uses RS256 or ES256 (or defaults that are asymmetric)",
      "max_score": 12
    },
    {
      "name": "jwtVerify called",
      "description": "Calls request.jwtVerify() (or fastify.jwt.verify()) as the primary verification mechanism",
      "max_score": 10
    },
    {
      "name": "onRequest hook applied",
      "description": "Route group registers the verify hook via fastify.addHook('onRequest', verifyToken) (not a preHandler or custom middleware pattern)",
      "max_score": 10
    },
    {
      "name": "token_expired error code",
      "description": "Returns the specific error value 'token_expired' (as a string) when the exp claim check fails",
      "max_score": 12
    }
  ]
}
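The checklist above describes a Fastify onRequest hook that delegates signature verification to request.jwtVerify() and then checks exp, iss, aud and sub itself. The following is an added example of such a hook, not code from the mcollina/oauth skill or from @fastify/jwt. It assumes the application has registered @fastify/jwt with an asymmetric key (for example `secret: { public: PUBLIC_KEY }` and `verify: { algorithms: ['RS256'] }`) so that request.jwtVerify() rejects bad signatures and the HS256 family is never accepted; the function names, the client-facing error codes other than `token_expired`, and the use of the @fastify/jwt error code FST_JWT_AUTHORIZATION_TOKEN_EXPIRED are this example's own choices.

```javascript
'use strict';

// RFC 7519 claim checks. Returns null when the payload is acceptable, otherwise
// the error code to send to the client. Both expected values are required: a
// missing EXPECTED_ISSUER or EXPECTED_AUDIENCE fails closed instead of skipping
// the check (example code; names are this example's own).
function validateClaims(payload, { now = Math.floor(Date.now() / 1000),
                                    expectedIssuer, expectedAudience } = {}) {
  if (!payload || typeof payload !== 'object') return 'invalid_token';
  // exp is a NumericDate; anything non-numeric or not strictly in the future is expired
  if (typeof payload.exp !== 'number' || !(payload.exp > now)) return 'token_expired';
  if (typeof expectedIssuer !== 'string' || payload.iss !== expectedIssuer) return 'invalid_issuer';
  // aud may be a single string or an array of strings (RFC 7519 section 4.1.3)
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (typeof expectedAudience !== 'string' || !audiences.includes(expectedAudience)) return 'invalid_audience';
  if (typeof payload.sub !== 'string' || payload.sub === '') return 'missing_subject';
  return null;
}

// 401 with the RFC 6750 Bearer challenge header and the structured JSON body.
function reject(reply, code) {
  return reply
    .header('WWW-Authenticate', `Bearer error="invalid_token", error_description="${code}"`)
    .code(401)
    .send({ error: code });
}

// Build the hook. Expected values default to process.env and are read when the
// hook is created, so a misconfigured deployment fails at startup, not per request.
function makeVerifyToken({ expectedIssuer = process.env.EXPECTED_ISSUER,
                           expectedAudience = process.env.EXPECTED_AUDIENCE } = {}) {
  if (typeof expectedIssuer !== 'string' || typeof expectedAudience !== 'string') {
    throw new Error('EXPECTED_ISSUER and EXPECTED_AUDIENCE must be set');
  }
  return async function verifyToken(request, reply) {
    let payload;
    try {
      // Signature and algorithm are checked by @fastify/jwt (assumed registered with RS256/ES256)
      payload = await request.jwtVerify();
    } catch (err) {
      // FST_JWT_AUTHORIZATION_TOKEN_EXPIRED is assumed to be @fastify/jwt's expiry code;
      // every other failure is reported uniformly so clients cannot probe the verifier.
      const code = err && err.code === 'FST_JWT_AUTHORIZATION_TOKEN_EXPIRED'
        ? 'token_expired' : 'invalid_token';
      return reject(reply, code);
    }
    const problem = validateClaims(payload, { expectedIssuer, expectedAudience });
    if (problem) return reject(reply, problem);
    // request.user (set by jwtVerify) now carries a validated sub for handlers to use
  };
}

// Route group: the hook is registered with onRequest so it runs for every route
// in this plugin scope, before any preHandler or handler.
async function protectedRoutes(fastify) {
  fastify.addHook('onRequest', makeVerifyToken());
  fastify.get('/me', async (request) => ({ sub: request.user.sub }));
}
```

Register the group with `fastify.register(protectedRoutes, { prefix: '/api' })` after @fastify/jwt. Because the hook compares exp against the current time itself, a token with exp equal to now is rejected, and an iss or aud mismatch is reported before the handler ever sees request.user.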

Files:
evals/scenario-1/criteria.json
evals/scenario-1/task.md
SKILL.md
tile.json