klod68/auth-standards
.claude/skills/auth-standards/SKILL.md
Use when working with authentication, authorization, OAuth, JWT, identity, RBAC, claims, or secrets management in .NET projects. Provides domain-specific rules layered on top of base architectural standards.
$ install --global
skillsauthnpx skillsauth add klod68/littlerae auth-standardsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 9:00 PM1.8s1 file scanned
SKILL.md
name: auth-standards description: "Use when working with authentication, authorization, OAuth, JWT, identity, RBAC, claims, or secrets management in .NET projects. Provides domain-specific rules layered on top of base architectural standards."
Skill: Authentication & Authorization Standards
Identity
| Field | Value |
|---|---|
| Name | Authentication & Authorization Standards |
| Domain | Security, Identity, Access Control |
| Level | Feature |
| Tags | auth, jwt, oauth, identity, rbac, claims |
When to Apply
Activate this skill when the task involves:
- Configuring authentication or authorization middleware
- JWT bearer token setup, validation, or refresh flows
- OAuth 2.0 / OpenID Connect integration
- Policy-based or resource-based authorization
- Claims transformation or identity providers
- Secrets management (Key Vault, user-secrets)
Rules
These rules layer on top of base architectural standards. On conflict, these win.
<!-- SHARED:rules/auth.md -->Authentication & Authorization — Standards
Apply these rules in addition to _base.md for projects using authentication or authorization.
Authentication Configuration
- Configure authentication in
Program.csusingAddAuthenticationwith explicit default scheme. - JWT bearer: always validate
Issuer,Audience,Lifetime, andIssuerSigningKey. - Prefer asymmetric algorithms (RS256, ES256) over symmetric (HS256) for JWT signing.
- Cookie authentication: set
HttpOnly = true,Secure = true,SameSite = Strict(orLaxfor OAuth flows). - Token lifetimes: access tokens ≤ 60 minutes, refresh tokens ≤ 14 days with absolute expiration.
- Store signing keys in Azure Key Vault or equivalent — never in
appsettings.jsonor source code.
OAuth 2.0 / OpenID Connect
- Use Authorization Code flow with PKCE for all public clients (SPAs, mobile, CLI).
- Never use Implicit flow — it is deprecated.
- Validate
id_tokenclaims:iss,aud,exp,nonce. - Store tokens server-side when possible — never in
localStorage(usehttpOnlycookies or BFF pattern). - Configure
AddOpenIdConnectwith explicitAuthority,ClientId,ResponseType = "code", andSaveTokens = true.
Authorization Patterns
- Prefer policy-based authorization over role-based:
[Authorize(Policy = "CanEditOrders")]over[Authorize(Roles = "Admin")]. - Define policies in
Program.csusingAddAuthorizationBuilderwith explicit requirements. - Implement resource-based authorization for owned data: inject
IAuthorizationServiceand callAuthorizeAsyncwith the resource. - Every endpoint declares its authorization requirement explicitly — never rely on global fallback alone.
- Use
[AllowAnonymous]deliberately and sparingly — document why each anonymous endpoint is safe.
Claims-Based Identity
- Access claims via
ClaimsPrincipal— never parse tokens manually in application code. - Define claim type constants to avoid magic strings:
public static class AppClaims { public const string TenantId = "tenant_id"; }. - Transform external claims to application claims in
IClaimsTransformation— keep application code provider-agnostic. - Validate required claims in authorization handlers, not in controller actions.
Secrets Management
- Never commit secrets to source control — not in
appsettings.json,*.cs,*.yml, or.envfiles. - Development: use
dotnet user-secrets(Secret Manager). - Production: use Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault.
- Connection strings: prefer Managed Identity over username/password.
- API keys: rotate regularly, set expiration, never pass in query strings.
- Add to
.gitignore:appsettings.Development.json,appsettings.Local.json,.env,secrets.json.
Common Anti-Patterns
| Anti-Pattern | Fix |
|---|---|
| HS256 with short symmetric key in config | Use RS256 with asymmetric key from Key Vault |
| Secrets in appsettings.json committed to VCS | Use user-secrets (dev) or Key Vault (prod) |
| [Authorize] without specifying policy | Define explicit policy: [Authorize(Policy = "...")] |
| Checking User.IsInRole("Admin") in action body | Create authorization policy with RequireRole or custom requirement |
| localStorage.setItem("token", jwt) | Use httpOnly cookie or BFF pattern |
| Missing ValidateLifetime = true in JWT config | Always validate token expiration |
| Implicit flow for SPA | Use Authorization Code + PKCE |
| Parsing JWT manually with JwtSecurityTokenHandler | Use ClaimsPrincipal from HttpContext.User |
| Global [Authorize] without [AllowAnonymous] on health/status | Explicitly mark health endpoints as anonymous |
See Also
api-design.md— RESTful conventions, HTTP methods, pagination, error responsesminimal-api.md— Minimal API endpoint organization, handlers, filters, validationblazor.md— Blazor component design, state management, parameters, routingsignalr.md— SignalR hub design, groups, streaming, authorization
Related Skills
klod68/interceptor-pipeline
tools
VerifiedTrustedCommunity
Use when cross-cutting concerns (logging, metrics, validation, authorization) are tangled into command handlers or service methods, when building database command pipelines with reorderable concerns, or when HTTP client pipelines or message handlers need composable, independently-replaceable processing stages. Covers ICommandInterceptor interface, InterceptorPipeline with reverse-chain construction, zero-cost Empty sentinel to skip overhead when no interceptors are registered, and ConfigureAwait(false) discipline for library code. Domain: Architecture, Cross-Cutting Concerns. Level: Intermediate. Tags: interceptor, pipeline, middleware, decorator, cross-cutting-concerns.
1SKILL.mdUpdated Apr 17, 2026
klod68/integration-testing-webapplicationfactory
development
VerifiedTrustedCommunity
Use when writing integration tests for Razor Pages, MVC, or Minimal API applications to validate routing, middleware, page rendering, and HTTP behavior without a browser or live server, or when adding fast smoke tests to a CI pipeline. Covers WebApplicationFactory<Program> setup with public partial class Program, in-memory test server, AngleSharp HTML parsing, CSS selector assertions, redirect and status code testing, and a shared static fixture pattern for minimal per-test startup overhead. Domain: Testing, ASP.NET Core. Level: Intermediate. Tags: integration-testing, webapplicationfactory, razor-pages, anglesharp, http-testing.
1SKILL.mdUpdated Apr 17, 2026
klod68/index-design-strategy
development
VerifiedTrustedCommunity
Use when designing indexes for new tables, diagnosing slow queries that are not using indexes efficiently, reviewing index fragmentation and maintenance, or when the current indexing strategy results in key lookups, table scans, or missing index warnings. Covers clustered index key selection (narrow, unique, ever-increasing), non-clustered index design for query patterns, covering indexes with INCLUDE columns, filtered indexes for subset queries, composite index column ordering, DMV-based monitoring for missing and unused indexes, and rebuild vs reorganize maintenance thresholds. Domain: Database, Performance. Level: Intermediate. Tags: index, sql-server, covering-index, filtered-index, performance, dmv, maintenance.
1SKILL.mdUpdated Apr 17, 2026
klod68/in-memory-search-registry
development
VerifiedTrustedCommunity
Use when building a searchable in-memory catalog or registry for documentation sites, admin panels, or type/API browsers where you need keyword matching, fuzzy search, and ranked results without an external search engine or database. Covers RegistryService with weighted scoring across name, description, keywords, and method names; Levenshtein fuzzy matching; synonym expansion; category and subcategory filtering; and singleton DI registration for datasets of hundreds to low thousands of items. Domain: Search, Data Access Patterns. Level: Intermediate. Tags: search, registry, fuzzy-matching, in-memory, catalog, filtering.
1SKILL.mdUpdated Apr 17, 2026