competition-oauth-oidc-chain
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCompetition OAuth OIDC Chain
竞赛场景OAuth OIDC链路
Use this skill only as a downstream specialization after is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to first.
$ctf-sandbox-orchestrator$ctf-sandbox-orchestratorUse this skill when the hard part is proving how an OAuth or OIDC flow is shaped, exchanged, and ultimately accepted.
Reply in Simplified Chinese unless the user explicitly requests English.
仅当已激活并完成沙箱假设、节点归属确定和证据优先级设置后,才可以作为下游专项skill使用本工具。如果还未满足上述前置条件,请先返回执行。
$ctf-sandbox-orchestrator$ctf-sandbox-orchestrator当核心问题是验证OAuth或OIDC流程的结构、交换过程以及最终被认可的逻辑时使用本skill。
除非用户明确要求英文回复,否则请使用简体中文回复。
Quick Start
快速开始
- Map the auth chain in order: entry route, redirect, authorize request, callback, token exchange, refresh, and final accepting service.
- Record scopes, state, nonce, PKCE material, redirect URIs, and claim-bearing tokens before mutating anything.
- Separate token possession from actual identity acceptance.
- Keep browser-visible redirects and backend-visible token exchange in one compact chain.
- Reproduce the smallest redirect-to-acceptance flow that proves the decisive identity edge.
- 按顺序梳理认证链路:入口路由、重定向、授权请求、回调、令牌交换、刷新、最终接收服务。
- 在修改任何内容前,先记录scope、state、nonce、PKCE相关信息、重定向URI、携带claim的令牌。
- 区分令牌持有与实际身份认可两个环节。
- 将浏览器可见的重定向和后端可见的令牌交换整合到一个紧凑的链路中。
- 复现最小的「重定向到身份认可」流程,证明决定性的身份边界。
Workflow
工作流
1. Map The Redirect And Token Path
1. 梳理重定向与令牌路径
- Record issuer, client ID, redirect URI, authorize parameters, callback parameters, token endpoint, and refresh path.
- Note which values are user-controlled, derived, cached, or validated: ,
state, PKCE verifier, audience, scope, or prompt.nonce - Keep browser redirects, server-side exchanges, and resulting session state tied together.
- 记录发行方(issuer)、客户端ID、重定向URI、授权参数、回调参数、令牌端点、刷新路径。
- 标注哪些值是用户可控的、派生的、缓存的或经过验证的:、
state、PKCE验证器、受众(audience)、scope、提示(prompt)。nonce - 关联浏览器重定向、服务端交换以及最终生成的会话状态。
2. Prove Token-To-Identity Acceptance
2. 验证令牌到身份的认可逻辑
- Show how code, ID token, access token, or refresh token turns into app session, claims mapping, tenant selection, or accepted privilege.
- Record token claims, expiration, audience, subject, scopes, and the exact accepting app or backend edge.
- Distinguish UI login success from backend authorization success.
- 说明code、ID令牌、访问令牌或刷新令牌如何转换为应用会话、claim映射、租户选择或被认可的权限。
- 记录令牌claim、过期时间、受众、主体(subject)、scope,以及确切的接收应用或后端边界。
- 区分UI登录成功与后端授权成功。
3. Reduce To The Decisive OAuth Chain
3. 提炼核心OAuth链路
- Compress the result to the smallest sequence: entry request -> redirect -> callback -> token or claim acceptance -> resulting capability.
- Keep one canonical good flow and one minimal mutated flow if a parameter change matters.
- If the task broadens into generic web routing or storage behavior outside the auth chain, switch back to the broader web-runtime skill.
- 将结果压缩为最小序列:入口请求 -> 重定向 -> 回调 -> 令牌/claim认可 -> 最终能力。
- 如果参数变更会产生影响,请保留一条标准合法流程和一条最小变更流程。
- 如果任务扩展到认证链路之外的通用web路由或存储行为,请切回更通用的web-runtime skill。
Read This Reference
参考文档
- Load for the redirect checklist, token checklist, and evidence packaging.
references/oauth-oidc-chain.md - If the hard part is JWT header parsing, claim normalization, key lookup, or token validation confusion after issuance, prefer .
$competition-jwt-claim-confusion
- 加载查看重定向检查清单、令牌检查清单和证据打包规范。
references/oauth-oidc-chain.md - 如果核心问题是JWT头部解析、claim标准化、密钥查询或令牌颁发后的验证混淆问题,请优先使用。
$competition-jwt-claim-confusion
What To Preserve
需要留存的内容
- Redirect URIs, parameters, codes, token claims, scopes, and the accepting service or callback
- The exact point where claims or tokens become accepted app identity
- One minimal replayable redirect-to-acceptance sequence
- 重定向URI、参数、code、令牌claim、scope,以及接收服务或回调
- claim或令牌被认可为应用身份的确切节点
- 一条最小可复现的「重定向到身份认可」序列