7a336e6e/implementing-oauth
auth/implementing-oauth/SKILL.md
GitHub and Google OAuth 2.0 integration using Authlib for Flask applications.
$ install --global
skillsauthnpx skillsauth add 7a336e6e/skills implementing-oauthInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
70%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 26, 2026, 12:31 AM183.6s2 files scanned
SKILL.md
- name:
- implementing-oauth
- description:
- GitHub and Google OAuth 2.0 integration using Authlib for Flask applications.
Implementing OAuth
Goal
Integrate OAuth 2.0 Authorization Code flow for GitHub and Google using Authlib. Support first-time login (account creation) and account linking for users who already have a local account with a matching email.
When to Use
- Adding "Sign in with GitHub" or "Sign in with Google" to an application.
- Supplementing local auth with social login options.
- Building a developer-focused tool where GitHub login is expected.
- Any scenario where reducing registration friction is a priority.
Instructions
OAuth 2.0 Authorization Code Flow Overview
- User clicks "Sign in with GitHub" in the frontend.
- Backend redirects user to the provider's authorization URL with a
stateparameter. - User authenticates with the provider and grants consent.
- Provider redirects back to the callback URL with an authorization
codeandstate. - Backend validates the
state, exchanges thecodefor an access token. - Backend fetches the user profile from the provider's API.
- Backend links or creates the user account and issues a JWT.
Authlib Setup for Flask
from authlib.integrations.flask_client import OAuth
from flask import Flask
app = Flask(__name__)
app.config.from_prefixed_env()
oauth = OAuth(app)
oauth.register(
name="github",
client_id=app.config["GITHUB_CLIENT_ID"],
client_secret=app.config["GITHUB_CLIENT_SECRET"],
authorize_url="https://github.com/login/oauth/authorize",
access_token_url="https://github.com/login/oauth/access_token",
api_base_url="https://api.github.com/",
client_kwargs={"scope": "read:user user:email"},
)
oauth.register(
name="google",
client_id=app.config["GOOGLE_CLIENT_ID"],
client_secret=app.config["GOOGLE_CLIENT_SECRET"],
authorize_url="https://accounts.google.com/o/oauth2/v2/auth",
access_token_url="https://oauth2.googleapis.com/token",
api_base_url="https://www.googleapis.com/",
server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
client_kwargs={"scope": "openid email profile"},
)
GitHub OAuth Flow
from flask import Blueprint, redirect, url_for, session, jsonify
oauth_bp = Blueprint("oauth", __name__, url_prefix="/api/v1/auth")
@oauth_bp.route("/github/login")
def github_login():
redirect_uri = url_for("oauth.github_callback", _external=True)
return oauth.github.authorize_redirect(redirect_uri)
@oauth_bp.route("/github/callback")
def github_callback():
token = oauth.github.authorize_access_token()
resp = oauth.github.get("user", token=token)
profile = resp.json()
# Fetch email separately if not public
if not profile.get("email"):
emails_resp = oauth.github.get("user/emails", token=token)
emails = emails_resp.json()
primary = next((e for e in emails if e["primary"] and e["verified"]), None)
if primary:
profile["email"] = primary["email"]
user = link_or_create_user(
provider="github",
provider_id=str(profile["id"]),
email=profile.get("email"),
name=profile.get("name") or profile.get("login"),
)
access_token = generate_access_token(user)
return jsonify({"access_token": access_token}), 200
Account Linking
When an OAuth user logs in, attempt to match their verified email to an existing local account. If a match is found, link the OAuth identity to that account rather than creating a duplicate.
def link_or_create_user(provider: str, provider_id: str, email: str, name: str):
# Check for existing OAuth link
oauth_account = OAuthAccount.query.filter_by(
provider=provider, provider_id=provider_id
).first()
if oauth_account:
return oauth_account.user
# Check for existing user by email
user = User.query.filter_by(email=email).first() if email else None
if not user:
user = User(email=email, name=name)
db.session.add(user)
# Link OAuth identity
oauth_account = OAuthAccount(
user=user, provider=provider, provider_id=provider_id
)
db.session.add(oauth_account)
db.session.commit()
return user
Google OAuth Flow
The Google flow follows the same pattern as GitHub. The key difference is that Google returns the email directly in the user info response and supports OpenID Connect.
@oauth_bp.route("/google/login")
def google_login():
redirect_uri = url_for("oauth.google_callback", _external=True)
return oauth.google.authorize_redirect(redirect_uri)
@oauth_bp.route("/google/callback")
def google_callback():
token = oauth.google.authorize_access_token()
resp = oauth.google.get("oauth2/v3/userinfo", token=token)
profile = resp.json()
user = link_or_create_user(
provider="google",
provider_id=profile["sub"],
email=profile.get("email"),
name=profile.get("name"),
)
access_token = generate_access_token(user)
return jsonify({"access_token": access_token}), 200
Constraints
✅ Do
- Validate the
stateparameter on every callback to prevent CSRF attacks. - Store OAuth tokens securely on the server side, never in frontend storage.
- Handle account linking by matching verified email addresses.
- Use HTTPS for all callback URLs in both development and production.
- Fetch the email separately for GitHub if the profile email is null.
- Support multiple OAuth providers linked to a single user account.
❌ Don't
- Skip state parameter validation on the callback endpoint.
- Store access tokens or refresh tokens in the frontend (localStorage or sessionStorage).
- Trust an email address from an OAuth provider without checking its verification status.
- Hard-code client IDs or secrets in source code; use environment variables.
- Assume the provider will always return an email in the profile response.
Output Format
OAuth login redirect (302): Redirect to the provider's authorization page.
Callback success (200):
{ "access_token": "<jwt>" }
Callback failure (401):
{ "error": "OAuth authentication failed" }
Dependencies
- Scaffolding Flask -- Flask application setup and configuration.
- Environment Config -- managing client IDs and secrets via environment variables.
- Provider Configs -- OAuth provider URLs, scopes, and environment variable names.
Related Skills
7a336e6e/Test Driven Development
development
VerifiedTrustedCommunity
Implement features using the Red-Green-Refactor cycle to ensure testability and correctness from the start.
1SKILL.mdUpdated Mar 25, 2026
7a336e6e/task-tracking
data-ai
VerifiedTrustedCommunity
Manage the `tasks.md` ledger with strict locking and collision avoidance protocols to allow multiple agents to work in parallel safely.
1SKILL.mdUpdated Mar 25, 2026
7a336e6e/git-workflow
development
VerifiedTrustedCommunity
The git-workflow skill defines branching conventions, commit message formats, and pull request standards that all agents must follow for consistent version control.
1SKILL.mdUpdated Mar 25, 2026
7a336e6e/environment-config
development
VerifiedTrustedCommunity
The environment-config skill standardizes how agents manage environment variables, secrets, and application configuration across local development and deployed environments.
1SKILL.mdUpdated Mar 25, 2026