HelpBlogCommunity🍌 PromptsNEWRulesWorkflowsAgent SkillsMCPsAdvertise
ENEnglishESEspaΓ±olZHδΈ­ζ–‡JAζ—₯本θͺžDEDeutschPTPortuguΓͺsRUРусский
Back to Security & Vulnerability Analysis

oauth-integrations

OAuthGitHubMicrosoftCloudflare WorkersEdge ComputingAuthenticationSecurityServerless
⭐ 860πŸ“„ MITπŸ•’ 2026-06-11Source β†—

Install this skill

npx skills add jezweb/claude-skills

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

This skill facilitates manual OAuth implementation for GitHub and Microsoft Entra ID within edge-compute environments like Cloudflare Workers. Standard SDKs such as MSAL.js often fail in these runtimes because they rely on Node.js-specific modules or browser-only APIs. This skill provides the logic to construct authorization URLs, perform token exchanges via fetch, and handle provider-specific nuances such as GitHub's strict User-Agent requirements or private email retrieval. It guides developers through the specific header configurations needed for JSON responses and explains how to map user identity data from Microsoft Graph versus GitHub's REST API. By following these patterns, you can maintain secure, state-managed authentication flows while keeping your edge deployment lightweight and dependency-free, avoiding the common pitfalls associated with server-side SDKs in restricted V8 isolate environments.

When to Use This Skill

  • β€’Adding GitHub-based sign-in to a Cloudflare Worker application
  • β€’Authenticating internal enterprise users via Azure AD at the edge
  • β€’Building custom API gateways that require social login verification
  • β€’Securing serverless functions without loading heavy authentication libraries

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • β€œHow do I implement GitHub OAuth in a Cloudflare Worker?
  • β€œWhy does MSAL.js fail in my edge function?
  • β€œHow to handle GitHub private emails in an auth flow?
  • β€œConstructing an OAuth callback handler for Microsoft Entra
  • β€œWhat headers are required for GitHub API authentication?

Pro Tips

  • πŸ’‘Always validate the `state` parameter in OAuth callbacks to prevent Cross-Site Request Forgery (CSRF) attacks.
  • πŸ’‘Store sensitive credentials (client ID, client secret) securely as environment variables, never hardcoded in your source.
  • πŸ’‘Consider using a dedicated OAuth library or framework for edge environments if available, to abstract away common boilerplate and security considerations.

What this skill does

  • β€’Construct manual OAuth authorization URL strings for GitHub and Entra ID
  • β€’Perform backend-to-backend token exchanges using the Fetch API
  • β€’Handle GitHub private email resolution via the /user/emails endpoint
  • β€’Map Microsoft identity attributes from the Graph /me endpoint
  • β€’Implement token refresh logic for persistent Microsoft session management

When not to use it

  • βœ•When your runtime supports full Node.js modules and standard MSAL.js
  • βœ•When you require a UI-based identity management flow instead of a headless API integration

Example workflow

  1. Redirect the user to the provider authorization endpoint with necessary scopes
  2. Capture the code returned to your redirect URL
  3. POST the code and client secrets to the provider's token exchange endpoint
  4. Store the returned access token securely
  5. Fetch user identity profile using the token and appropriate headers

Prerequisites

  • –Configured OAuth application on GitHub or Azure Portal
  • –Valid Client ID and Client Secret
  • –Defined Redirect URI
  • –Basic understanding of JWT and OAuth 2.0 flows

Pitfalls & limitations

  • !Failing to include a User-Agent header which causes GitHub to return a 403
  • !Using wildcards in Redirect URIs which results in immediate validation failure
  • !Forgetting the User.Read scope in Microsoft Entra leading to empty user profiles

FAQ

Why is my GitHub API request returning 403?
GitHub requires a custom User-Agent header in all API requests. Ensure your fetch call includes one to avoid rejection.
Can I use MSAL.js with Cloudflare Workers?
No. MSAL.js depends on browser storage and Node.js crypto libraries, which are not available in the V8 isolate runtime.
How do I get a user's email if it is private on GitHub?
You must request the 'user:email' scope and perform an additional fetch request to the /user/emails endpoint to find the primary, verified email.
Why does my Microsoft token exchange work but user info returns 403?
You likely failed to request the 'User.Read' permission scope during the initial authorization phase.

How it compares

Generic prompts often suggest standard SDKs like MSAL that break in edge runtimes; this skill provides specific, runtime-compatible logic for manual OAuth handling.

Source & trust

⭐ 860 starsπŸ“„ MITπŸ•’ Updated 2026-06-11
πŸ“„ Full skill instructions β€” original source: jezweb/claude-skills
# OAuth Integrations for Edge Environments

Implement GitHub and Microsoft OAuth in Cloudflare Workers and other edge runtimes.

## GitHub OAuth

### Required Headers

GitHub API has strict requirements that differ from other providers.

| Header | Requirement |
|--------|-------------|
| User-Agent | **REQUIRED** - Returns 403 without it |
| Accept | application/vnd.github+json recommended |

const resp = await fetch('https://api.github.com/user', {
  headers: {
    Authorization: Bearer ${accessToken},
    'User-Agent': 'MyApp/1.0',  // Required!
    'Accept': 'application/vnd.github+json',
  },
});


### Private Email Handling

GitHub users can set email to private (/user returns email: null).

if (!userData.email) {
  const emails = await fetch('https://api.github.com/user/emails', { headers })
    .then(r => r.json());
  userData.email = emails.find(e => e.primary && e.verified)?.email;
}


Requires user:email scope.

### Token Exchange

Token exchange returns form-encoded by default. Add Accept header for JSON:

const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'application/json',  // Get JSON response
  },
  body: new URLSearchParams({ code, client_id, client_secret, redirect_uri }),
});


### GitHub OAuth Notes

| Issue | Solution |
|-------|----------|
| Callback URL | Must be EXACT - no wildcards, no subdirectory matching |
| Token exchange returns form-encoded | Add 'Accept': 'application/json' header |
| Tokens don't expire | No refresh flow needed, but revoked = full re-auth |

## Microsoft Entra (Azure AD) OAuth

### Why MSAL Doesn't Work in Workers

MSAL.js depends on:
- Browser APIs (localStorage, sessionStorage, DOM)
- Node.js crypto module

Cloudflare's V8 isolate runtime has neither. Use manual OAuth instead:
1. Manual OAuth URL construction
2. Direct token exchange via fetch
3. JWT validation with jose library

### Required Scopes

// For user identity (email, name, profile picture)
const scope = 'openid email profile User.Read';

// For refresh tokens (long-lived sessions)
const scope = 'openid email profile User.Read offline_access';


**Critical**: User.Read is required for Microsoft Graph /me endpoint. Without it, token exchange succeeds but user info fetch returns 403.

### User Info Endpoint

// Microsoft Graph /me endpoint
const resp = await fetch('https://graph.microsoft.com/v1.0/me', {
  headers: { Authorization: Bearer ${accessToken} },
});

// Email may be in different fields
const email = data.mail || data.userPrincipalName;


### Tenant Configuration

| Tenant Value | Who Can Sign In |
|--------------|-----------------|
| common | Any Microsoft account (personal + work) |
| organizations | Work/school accounts only |
| consumers | Personal Microsoft accounts only |
| {tenant-id} | Specific organization only |

### Azure Portal Setup

1. App Registration β†’ New registration
2. Platform: **Web** (not SPA) for server-side OAuth
3. Redirect URIs: Add both /callback and /admin/callback
4. Certificates & secrets β†’ New client secret

### Token Lifetimes

| Token Type | Default Lifetime | Notes |
|------------|------------------|-------|
| Access token | 60-90 minutes | Configurable via token lifetime policies |
| Refresh token | 90 days | Revoked on password change |
| ID token | 60 minutes | Same as access token |

**Best Practice**: Always request offline_access scope and implement refresh token flow for sessions longer than 1 hour.

## Common Corrections

| If Claude suggests... | Use instead... |
|----------------------|----------------|
| GitHub fetch without User-Agent | Add 'User-Agent': 'AppName/1.0' (REQUIRED) |
| Using MSAL.js in Workers | Manual OAuth + jose for JWT validation |
| Microsoft scope without User.Read | Add User.Read scope |
| Fetching email from token claims only | Use Graph /me endpoint |

## Error Reference

### GitHub Errors

| Error | Cause | Fix |
|-------|-------|-----|
| 403 Forbidden | Missing User-Agent header | Add User-Agent header |
| email: null | User has private email | Fetch /user/emails with user:email scope |

### Microsoft Errors

| Error | Cause | Fix |
|-------|-------|-----|
| AADSTS50058 | Silent auth failed | Use interactive flow |
| AADSTS700084 | Refresh token expired | Re-authenticate user |
| 403 on Graph /me | Missing User.Read scope | Add User.Read to scopes |

## Reference

- GitHub API: https://docs.github.com/en/rest
- GitHub OAuth: https://docs.github.com/en/apps/oauth-apps
- Microsoft Graph permissions: https://learn.microsoft.com/en-us/graph/permissions-reference
- AADSTS error codes: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes


---

---
globs: ["**/*github*", "**/oauth/**/*.ts", "**/auth/**/*.ts", "**/callback*.ts"]
---

# GitHub API & OAuth

GitHub API has strict requirements that differ from Google/Microsoft.

## Required Headers

| If Claude suggests... | Use instead... |
|----------------------|----------------|
| Fetch without User-Agent | 'User-Agent': 'AppName/1.0' (REQUIRED - 403 without) |
| No Accept header | 'Accept': 'application/vnd.github+json' |

const resp = await fetch('https://api.github.com/user', {
  headers: {
    Authorization: Bearer ${accessToken},
    'User-Agent': 'MyApp/1.0',
    'Accept': 'application/vnd.github+json',
  },
});


## Private Email Handling

GitHub users can set email to private (/user returns email: null).

if (!userData.email) {
  const emails = await fetch('https://api.github.com/user/emails', { headers }).then(r => r.json());
  userData.email = emails.find(e => e.primary && e.verified)?.email;
}


Requires user:email scope.

## OAuth Specifics

| Issue | Solution |
|-------|----------|
| Callback URL | Must be EXACT - no wildcards, no subdirectory matching |
| Token exchange returns form-encoded | Add 'Accept': 'application/json' header |
| Tokens don't expire | No refresh flow needed, but revoked = full re-auth |

## Token Exchange

const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'application/json',
  },
  body: new URLSearchParams({ code, client_id, client_secret, redirect_uri }),
});



---

---
globs: ["**/oauth*.ts", "**/auth*.ts", "**/microsoft*.ts", "**/azure*.ts", "**/entra*.ts", "**/callback*.ts"]
---

# Microsoft OAuth in Cloudflare Workers

Patterns for implementing Microsoft Entra (Azure AD) OAuth in Cloudflare Workers without MSAL.

## Corrections

| If Claude suggests... | Use instead... |
|----------------------|----------------|
| Using MSAL.js in Workers | Manual OAuth + jose for JWT validation |
| Scope openid email profile for user info | Add User.Read scope |
| Fetching email from token claims only | Use Microsoft Graph /me endpoint |

## Why MSAL Doesn't Work in Workers

MSAL.js depends on:
- Browser APIs (localStorage, sessionStorage, DOM)
- Node.js crypto module

Cloudflare's V8 isolate runtime has neither. The workaround is simpler and more secure:
1. Manual OAuth URL construction
2. Direct token exchange via fetch
3. JWT validation with jose library

## Required Scopes

// For user identity (email, name, profile picture)
const scope = 'openid email profile User.Read';

// For refresh tokens (long-lived sessions)
const scope = 'openid email profile User.Read offline_access';


**Critical**: User.Read is required for Microsoft Graph /me endpoint. Without it, token exchange succeeds but user info fetch returns 403.

## User Info Endpoint

// Microsoft Graph /me endpoint
const resp = await fetch('https://graph.microsoft.com/v1.0/me', {
  headers: { Authorization: Bearer ${accessToken} },
});

// Email may be in different fields
const email = data.mail || data.userPrincipalName;


## Tenant Configuration

| Tenant Value | Who Can Sign In |
|--------------|-----------------|
| common | Any Microsoft account (personal + work) |
| organizations | Work/school accounts only |
| consumers | Personal Microsoft accounts only |
| {tenant-id} | Specific organization only |

## Azure Portal Setup

1. App Registration β†’ New registration
2. Platform: **Web** (not SPA) for server-side OAuth
3. Redirect URIs: Add both /callback and /admin/callback
4. Certificates & secrets β†’ New client secret

## Token Lifetimes

| Token Type | Default Lifetime | Notes |
|------------|------------------|-------|
| Access token | 60-90 minutes | Configurable via token lifetime policies |
| Refresh token | 90 days | Revoked on password change, can be extended |
| ID token | 60 minutes | Same as access token |

**Best Practice**: Always request offline_access scope and implement refresh token flow for sessions longer than 1 hour.

πŸ“š **Source**: https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#token-lifetime

## Reference

- Graph API permissions: https://learn.microsoft.com/en-us/graph/permissions-reference
- AADSTS error codes: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/oauth-integrations/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/jezweb/claude-skills/oauth-integrations/SKILL.md
  • Cursor: ~/.cursor/skills/jezweb/claude-skills/oauth-integrations/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/jezweb/claude-skills/oauth-integrations/SKILL.md

πŸš€ Install with CLI:
npx skills add jezweb/claude-skills

Read the Master Guide: Mastering Agent Skills β†’

Recommended Rules

View more rules β†’

Python Security Best Practices

PythonSecurityCryptography
You are an expert in Python security and secure coding practices. Key Principles: - Never trust user input - Use principle of least privilege - Keep ...

Web Security Best Practices Expert

SecurityWeb DevelopmentOWASP
You are an expert in web security and secure coding practices. Key Principles: - Follow OWASP Top 10 guidelines - Implement defense in depth - Valida...

Next.js Authentication & Authorization Expert

Next.jsAuthenticationSecurity
You are an expert in Next.js authentication and authorization. Key Principles: - Use Auth.js (NextAuth.js) for authentication - Implement server-side...

Recommended Workflows

View more workflows β†’

NextAuth.js (Auth.js) v5 Setup

AuthNextAuthSecurity
--- description: Complete boilerplate for secure authentication with Google/GitHub --- 1. **Install Dependencies**: - Install the NextAuth.js beta...

Security Hardening Checklist

SecurityHeadersCSP
--- description: Essential security headers, CSP, and rate limiting --- 1. **Security Headers (`next.config.js`)**: - Add these headers to prevent...

Supabase Row Level Security (RLS)

SupabaseDatabaseSecurity
--- description: Define secure database policies to protect user data --- 1. **Enable RLS**: - Always enable RLS on every table you create. ```...

Recommended MCP Servers

View more MCP servers β†’
H

Heurist Mesh Agent

Community

Access specialized web3 AI agents for blockchain analysis, smart contract security, token metrics, and blockchain interactions through the [Heurist Mesh network](https://github.com/heurist-network/heurist-agent-framework/tree/main/mesh).

A

Awesome Remote MCP Servers by JAW9C

Community

A curated list of **remote** MCP servers, including their authentication support by **[JAW9C](https://github.com/jaw9c)**

M

MCP Router

Community

Free Windows and macOS app that simplifies MCP management while providing seamless app authentication and powerful log visualization by **[MCP Router](https://github.com/mcp-router/mcp-router)**

Take It Further

Maximize your productivity with these powerful resources

πŸ“‹

Define Your Standards

Set up coding standards to ensure this workflow produces consistent, high-quality results.

Browse Rules Library
πŸ“–

Master Workflows

Learn how to create custom workflows, use Turbo Mode, and build your automation library.

Complete Guide

How to use this Skill in Claude Code & Cursor

For Claude Code (CLI)

To use this skill in Claude Code, copy the rule content into your project's custom instructions or follow our Add-Skill CLI guide. This ensures Claude follows your standards during every code generation.

For Cursor & Windsurf

For Cursor or Windsurf, individual skills are best used in the "Rules for AI" section. This specific unit helps the agent avoid security & vulnerability analysis issues, leading to cleaner, more efficient code.

Why the skill format matters: the standardized Agent Skills format lets your AI agent load detailed instructions only when they are relevant, keeping your prompt clean while improving results.

Source & attribution

This skill is categorized under Security & Vulnerability Analysis and is published by JezWeb, maintained in jezweb/claude-skills.

← Browse All Agent Skills
Sponsored AI assistant. Recommendations may be paid.