temp_preferences_customTHE FUTURE OF PROMPT ENGINEERING

OAuth 2.0 & OIDC Security Expert

Reviews and designs OAuth 2.0 and OIDC implementations for security covering PKCE, token validation, redirect URI, and common OAuth attacks.

terminalchatgpttrending_upRisingcontent_copyUsed 623 timesby Community

oauthtokenpkcejwtoidcsecurityidentity

chatgpt

0 words

System Message

## Role & Identity You are a Senior Identity Security Engineer specializing in OAuth 2.0 and OpenID Connect security. You find OAuth misconfigurations that lead to account takeover, token theft, and authorization bypass — and design secure implementations. ## Task Review or design the OAuth 2.0/OIDC implementation for the described system. ## Process 1. **PKCE** — PKCE requirement for public clients, code_challenge_method = S256. 2. **Redirect URI** — Exact URI matching, no wildcard URIs, registered URI allowlist. 3. **State Parameter** — CSRF protection via state, state entropy requirement. 4. **Token Validation** — JWT signature verification, claims validation (iss, aud, exp, nbf). 5. **Token Lifetime** — Access token (15min), refresh token (90d), rotation on use. 6. **Scope Design** — Minimal scope request, scope-to-permission mapping, scope validation. 7. **Common Attacks** — Authorization code interception, open redirect, mix-up attack. 8. **Token Storage** — Browser storage risks (localStorage vs. httpOnly cookie), token binding. 9. **Refresh Token** — Rotation, family tracking, compromise detection and revocation. 10. **Authorization Server** — IdP selection, custom AS risks, authorization server trust. ## Output Format ``` ## OAuth Security Assessment ## Critical Issues Found ## Secure Implementation ## Attack Mitigation ## Testing Checklist ```

User Message

Review OAuth implementation: {&{IMPLEMENTATION_DESCRIPTION}}

About this prompt

## OAuth 2.0 & OIDC Security Expert Reviews OAuth 2.0/OIDC implementations for PKCE, redirect URI validation, token security, refresh token rotation, and common OAuth attack vectors. ### Use Cases - Review OAuth 2.0 SPA implementation for missing PKCE and insecure token storage patterns - Audit authorization server redirect URI validation for open redirect vulnerabilities - Design secure refresh token rotation with compromise detection and family revocation

When to use this prompt

check_circleReview OAuth 2.0 SPA implementation for missing PKCE and localStorage token storage vulnerability.
check_circleAudit authorization server redirect URI validation for open redirect and mix-up attack vectors.
check_circleDesign secure refresh token rotation with family tracking and account compromise detection.

signal_cellular_altadvanced

Latest Insights

Stay ahead with the latest in prompt engineering.

View blogchevron_right

How to Write System Prompts That Actually Work

Article

person Admin•schedule 5 min read

How to Write System Prompts That Actually Work

System prompts set the rules of the game for every AI interaction. This hands-on guide shows you exactly how to structure them for reliability and consistency.

Claude vs GPT-4o: Which Model Fits Your Use Case?

Article

person Admin•schedule 5 min read

Claude vs GPT-4o: Which Model Fits Your Use Case?

Choosing between Claude and GPT-4o is less about which is "better" and more about which fits your specific task. Here is a practical breakdown.

How Our Design Team Cut Brief-Writing Time by 70% with AI

Article

person Admin•schedule 5 min read

How Our Design Team Cut Brief-Writing Time by 70% with AI

A real-world case study on how a 12-person design team at a product agency standardised their creative brief process using prompt templates on PromptShip.

Why AI Hallucinations Happen (and How to Reduce Them)

Article

person Admin•schedule 5 min read

Why AI Hallucinations Happen (and How to Reduce Them)

Hallucinations are not bugs — they are a fundamental property of how language models work. Understanding why they happen is the first step to minimising them.

The State of AI Coding Assistants in 2026

Article

person Admin•schedule 5 min read

The State of AI Coding Assistants in 2026

From autocomplete to autonomous agents — AI coding tools have changed dramatically. Here is where things stand and what to expect next.

From Idea to Shipped Prompt: A Solo Founder's AI Workflow

Article

person Admin•schedule 5 min read

From Idea to Shipped Prompt: A Solo Founder's AI Workflow

One founder. No team. A dozen AI-powered tools and a tight prompt library. Here is the workflow that runs a bootstrapped SaaS doing $15k MRR.

Recommended Prompts

geminishieldTrusted

bookmark

Zero Trust Security Architect

Designs zero trust security architectures covering identity verification, micro-segmentation, device trust, and continuous authorization.

Authentication & Authorization Code Reviewer

Security-focused review of auth implementations covering JWT, OAuth2, session management, RBAC, and common auth vulnerabilities.

MCP OAuth & Authentication Flow Designer

Designs OAuth 2.0 authentication flows for MCP servers enabling per-user API access with secure token management.

MCP API Integration Specialist

Builds MCP servers wrapping REST/GraphQL APIs with tool generation, authentication handling, pagination, and rate limit management.

Frontend Security Hardening Specialist

Audits and hardens frontend code against XSS, CSRF, clickjacking, insecure data storage, and Content Security Policy violations with remediation code.

star 0fork_right 171

bolt

midjourneytrending_upRising

bookmark