oauth-oidc-misconfiguration

SKILL: OAuth and OIDC Misconfiguration — Redirects, PKCE, Scopes, and Token Binding

AI LOAD INSTRUCTION: Use this skill when the target uses OAuth 2.0 or OpenID Connect and you need a focused misconfiguration checklist: redirect URI validation, state and nonce handling, PKCE enforcement, token audience, and account binding mistakes.

1. WHEN TO LOAD THIS SKILL

Load when:

  • The app supports Login with Google, GitHub, Microsoft, Okta, or other IdPs
  • You see endpoints or parameters such as authorize, callback, redirect_uri, code, state, nonce, or code_challenge
  • Mobile or SPA clients rely on OAuth or OIDC flows

For token cryptography and JWT header abuse, also load:

2. HIGH-VALUE MISCONFIGURATION CHECKS

Installs: 501 · GitHub Stars: 628 · First Seen: Apr 8, 2026