What is oauth-integrations?

Ideal for Edge Environment Agents requiring secure GitHub and Microsoft OAuth integrations oauth-integrations is a skill that implements OAuth authentication protocols for edge environments, supporting GitHub and Microsoft OAuth in Cloudflare Workers and other edge runtimes.

How do I install oauth-integrations?

Run the command: npx killer-skills add dennislee928/Smart_Zone. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for oauth-integrations?

Key use cases include: Implementing GitHub OAuth in Cloudflare Workers, Authenticating Microsoft APIs in edge runtimes, Securing API requests with required headers.

Which IDEs are compatible with oauth-integrations?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for oauth-integrations?

Requires specific header configurations. Limited to GitHub and Microsoft OAuth providers. Edge environment compatibility required.

oauth-integrations

Install oauth-integrations, an AI agent skill for AI agent workflows and automation. Works with Claude Code, Cursor, and Windsurf with one-command setup.

SKILL.md

Readonly

OAuth Integrations for Edge Environments

Name: oauth-integrations
Availability: InStock
Author: dennislee928

Implement GitHub and Microsoft OAuth in Cloudflare Workers and other edge runtimes.

GitHub OAuth

Required Headers

GitHub API has strict requirements that differ from other providers.

Header	Requirement
`User-Agent`	REQUIRED - Returns 403 without it
`Accept`	`application/vnd.github+json` recommended

typescript
1const resp = await fetch('https://api.github.com/user', {
2  headers: {
3    Authorization: `Bearer ${accessToken}`,
4    'User-Agent': 'MyApp/1.0',  // Required!
5    'Accept': 'application/vnd.github+json',
6  },
7});

Private Email Handling

GitHub users can set email to private (/user returns email: null).

typescript
1if (!userData.email) {
2  const emails = await fetch('https://api.github.com/user/emails', { headers })
3    .then(r => r.json());
4  userData.email = emails.find(e => e.primary && e.verified)?.email;
5}

Requires user:email scope.

Token Exchange

Token exchange returns form-encoded by default. Add Accept header for JSON:

typescript
1const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/x-www-form-urlencoded',
5    'Accept': 'application/json',  // Get JSON response
6  },
7  body: new URLSearchParams({ code, client_id, client_secret, redirect_uri }),
8});

GitHub OAuth Notes

Issue	Solution
Callback URL	Must be EXACT - no wildcards, no subdirectory matching
Token exchange returns form-encoded	Add `'Accept': 'application/json'` header
Tokens don't expire	No refresh flow needed, but revoked = full re-auth

Microsoft Entra (Azure AD) OAuth

Why MSAL Doesn't Work in Workers

MSAL.js depends on:

Browser APIs (localStorage, sessionStorage, DOM)
Node.js crypto module

Cloudflare's V8 isolate runtime has neither. Use manual OAuth instead:

Manual OAuth URL construction
Direct token exchange via fetch
JWT validation with jose library

Required Scopes

typescript
1// For user identity (email, name, profile picture)
2const scope = 'openid email profile User.Read';
3
4// For refresh tokens (long-lived sessions)
5const scope = 'openid email profile User.Read offline_access';

Critical: User.Read is required for Microsoft Graph /me endpoint. Without it, token exchange succeeds but user info fetch returns 403.

User Info Endpoint

typescript
1// Microsoft Graph /me endpoint
2const resp = await fetch('https://graph.microsoft.com/v1.0/me', {
3  headers: { Authorization: `Bearer ${accessToken}` },
4});
5
6// Email may be in different fields
7const email = data.mail || data.userPrincipalName;

Tenant Configuration

Tenant Value	Who Can Sign In
`common`	Any Microsoft account (personal + work)
`organizations`	Work/school accounts only
`consumers`	Personal Microsoft accounts only
`{tenant-id}`	Specific organization only

Azure Portal Setup

App Registration → New registration
Platform: Web (not SPA) for server-side OAuth
Redirect URIs: Add both /callback and /admin/callback
Certificates & secrets → New client secret

Token Lifetimes

Token Type	Default Lifetime	Notes
Access token	60-90 minutes	Configurable via token lifetime policies
Refresh token	90 days	Revoked on password change
ID token	60 minutes	Same as access token

Best Practice: Always request offline_access scope and implement refresh token flow for sessions longer than 1 hour.

Common Corrections

If Claude suggests...	Use instead...
GitHub fetch without User-Agent	Add `'User-Agent': 'AppName/1.0'` (REQUIRED)
Using MSAL.js in Workers	Manual OAuth + jose for JWT validation
Microsoft scope without User.Read	Add `User.Read` scope
Fetching email from token claims only	Use Graph `/me` endpoint

Error Reference

GitHub Errors

Error	Cause	Fix
403 Forbidden	Missing User-Agent header	Add User-Agent header
`email: null`	User has private email	Fetch `/user/emails` with `user:email` scope

Microsoft Errors

Error	Cause	Fix
AADSTS50058	Silent auth failed	Use interactive flow
AADSTS700084	Refresh token expired	Re-authenticate user
403 on Graph /me	Missing User.Read scope	Add User.Read to scopes

Reference

GitHub API: https://docs.github.com/en/rest
GitHub OAuth: https://docs.github.com/en/apps/oauth-apps
Microsoft Graph permissions: https://learn.microsoft.com/en-us/graph/permissions-reference
AADSTS error codes: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

About this Skill

Features

# Core Topics

Agent Capability Analysis

Ideal Agent Persona

Core Value

↓ Capabilities Granted for oauth-integrations

! Prerequisites & Limits

Browser Sandbox Environment

⚡️ Ready to unleash?