OAuth 2.0 and OpenID Connect authentication with secure flows. Use for third-party integrations, SSO systems, token-based API access, or encountering authorization code flow, PKCE, token refresh, scope management errors.
Install with Tessl CLI
npx tessl i github:secondsky/claude-skills --skill oauth-implementation88
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
Score: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and clear 'when to use' guidance. The main weakness is that it describes the domain rather than listing concrete actions Claude can perform (e.g., 'implement OAuth flows', 'debug token errors', 'configure PKCE'). The technical specificity makes it highly distinctive and unlikely to conflict with other skills.
Suggestions
Add concrete action verbs describing what Claude does: 'Implements OAuth 2.0 flows, debugs token errors, configures PKCE authentication' rather than just naming the domain.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (OAuth 2.0, OpenID Connect) and mentions some specific concepts (authorization code flow, PKCE, token refresh, scope management), but doesn't list concrete actions like 'implement', 'configure', or 'debug'. The description tells what it's about rather than what it does. | 2 / 3 |
| Completeness | Clearly answers both what (OAuth 2.0 and OpenID Connect authentication with secure flows) and when (Use for third-party integrations, SSO systems, token-based API access, or encountering specific error types). The 'Use for' clause provides explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'OAuth', 'OpenID Connect', 'SSO', 'third-party integrations', 'token-based API access', 'PKCE', 'token refresh', 'scope management', 'authorization code flow'. These are terms developers naturally use when facing auth challenges. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a specific technical domain (OAuth 2.0, OIDC) and clear triggers (PKCE, authorization code flow, token refresh). Unlikely to conflict with general API or security skills due to the specific authentication protocol focus. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Score: 87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted OAuth skill that efficiently delivers actionable, executable code without unnecessary explanation. The main weakness is that the workflow section lacks explicit validation steps and error recovery guidance for the token exchange process, which is a common failure point in OAuth implementations.
Suggestions
Add explicit error handling after the token fetch (check tokenResponse.ok, handle common errors like 'invalid_grant')
Include a validation checkpoint pattern: 'If token exchange fails: check code expiration, verify redirect_uri matches exactly, confirm client credentials'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, jumping directly into actionable tables and code without explaining what OAuth is or how authentication works conceptually. Every section adds value Claude wouldn't inherently know about implementation specifics. | 3 / 3 |
| Actionability | Provides fully executable Express.js code for the authorization code flow, a complete PKCE implementation, and specific security requirements. The code is copy-paste ready with clear variable names and proper error handling. | 3 / 3 |
| Workflow Clarity | Steps are labeled (Step 1, Step 2) but lack explicit validation checkpoints. The callback handler doesn't show error handling for failed token responses, and there's no feedback loop for common OAuth errors like expired codes or invalid grants. | 2 / 3 |
| Progressive Disclosure | Clean structure with a quick reference table, core implementation inline, and advanced implementations (Python, Java, OIDC discovery) appropriately delegated to a single referenced file. Navigation is clear and one level deep. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
Score: 75%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 12 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 12 / 16 Passed |