tessl install github:jezweb/claude-skills --skill oauth-integrationsgithub.com/jezweb/claude-skills
Implement OAuth 2.0 authentication with GitHub and Microsoft Entra (Azure AD) in Cloudflare Workers and other edge environments. Covers provider-specific quirks, required headers, scope requirements, and token handling without MSAL. Use when: implementing GitHub OAuth, Microsoft/Azure AD authentication, handling OAuth callbacks, or troubleshooting 403 errors in OAuth flows.
Review Score
93%
Validation Score
15/16
Implementation Score
88%
Activation Score
100%
Implement GitHub and Microsoft OAuth in Cloudflare Workers and other edge runtimes.
GitHub API has strict requirements that differ from other providers.
| Header | Requirement |
|---|---|
User-Agent | REQUIRED - Returns 403 without it |
Accept | application/vnd.github+json recommended |
const resp = await fetch('https://api.github.com/user', {
headers: {
Authorization: `Bearer ${accessToken}`,
'User-Agent': 'MyApp/1.0', // Required!
'Accept': 'application/vnd.github+json',
},
});GitHub users can set email to private (/user returns email: null).
if (!userData.email) {
const emails = await fetch('https://api.github.com/user/emails', { headers })
.then(r => r.json());
userData.email = emails.find(e => e.primary && e.verified)?.email;
}Requires user:email scope.
Token exchange returns form-encoded by default. Add Accept header for JSON:
const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json', // Get JSON response
},
body: new URLSearchParams({ code, client_id, client_secret, redirect_uri }),
});| Issue | Solution |
|---|---|
| Callback URL | Must be EXACT - no wildcards, no subdirectory matching |
| Token exchange returns form-encoded | Add 'Accept': 'application/json' header |
| Tokens don't expire | No refresh flow needed, but revoked = full re-auth |
MSAL.js depends on:
Cloudflare's V8 isolate runtime has neither. Use manual OAuth instead:
jose library// For user identity (email, name, profile picture)
const scope = 'openid email profile User.Read';
// For refresh tokens (long-lived sessions)
const scope = 'openid email profile User.Read offline_access';Critical: User.Read is required for Microsoft Graph /me endpoint. Without it, token exchange succeeds but user info fetch returns 403.
// Microsoft Graph /me endpoint
const resp = await fetch('https://graph.microsoft.com/v1.0/me', {
headers: { Authorization: `Bearer ${accessToken}` },
});
// Email may be in different fields
const email = data.mail || data.userPrincipalName;| Tenant Value | Who Can Sign In |
|---|---|
common | Any Microsoft account (personal + work) |
organizations | Work/school accounts only |
consumers | Personal Microsoft accounts only |
{tenant-id} | Specific organization only |
/callback and /admin/callback| Token Type | Default Lifetime | Notes |
|---|---|---|
| Access token | 60-90 minutes | Configurable via token lifetime policies |
| Refresh token | 90 days | Revoked on password change |
| ID token | 60 minutes | Same as access token |
Best Practice: Always request offline_access scope and implement refresh token flow for sessions longer than 1 hour.
| If Claude suggests... | Use instead... |
|---|---|
| GitHub fetch without User-Agent | Add 'User-Agent': 'AppName/1.0' (REQUIRED) |
| Using MSAL.js in Workers | Manual OAuth + jose for JWT validation |
| Microsoft scope without User.Read | Add User.Read scope |
| Fetching email from token claims only | Use Graph /me endpoint |
| Error | Cause | Fix |
|---|---|---|
| 403 Forbidden | Missing User-Agent header | Add User-Agent header |
email: null | User has private email | Fetch /user/emails with user:email scope |
| Error | Cause | Fix |
|---|---|---|
| AADSTS50058 | Silent auth failed | Use interactive flow |
| AADSTS700084 | Refresh token expired | Re-authenticate user |
| 403 on Graph /me | Missing User.Read scope | Add User.Read to scopes |