From vanguard-frontier-agentic
Reviews ASP.NET Core authentication and authorization boundaries including JWT validation, cookie security, policy-based authorization, and multi-tenant isolation. Useful for pre-merge security reviews.
Slash command: /vanguard-frontier-agentic:dotnet-aspnetcore-identity-authz-review
This skill reviews how an ASP.NET Core application authenticates and authorizes requests — the boundary that decides who a caller is and what they may do. An auth boundary is only sound if tokens are fully validated, state-changing endpoints are not anonymous, tenant and organization identity is verified server-side against the authenticated principal rather than trusted from client input, cookies carry the right security flags, authorization on owned resources checks ownership and not just role, and negative tests prove that unauthorized requests are actually rejected. The review catches disabled token validation, anonymous mutating endpoints, client-supplied tenant claims, weak cookie flags, role-only authorization on owned resources, missing negative tests, and hand-rolled token validation. It reads source and sanitized configuration only — it never runs the application, mints or inspects tokens, or contacts an identity provider. Generic middleware order is out of scope (the API agent owns that), and EF Core query-level tenant filters are out of scope (the EF Core agent owns those).
Inputs: source (Program.cs, JWT bearer or cookie configuration, authorization policies, authorization handlers, controller [Authorize] attributes) or sanitized configuration.

Findings and severities:
- ValidateIssuer, ValidateAudience, ValidateIssuerSigningKey, or ValidateLifetime set to false — or RequireHttpsMetadata = false outside loopback — is CRITICAL: token validation is disabled and forged or expired tokens are accepted.
- [AllowAnonymous] on any state-changing endpoint (POST/PUT/PATCH/DELETE or a mutating handler) is CRITICAL — the operation runs with no authenticated caller.
- A cookie missing Secure, HttpOnly, or an appropriate SameSite is HIGH.

Remediation rule: never suggest [AllowAnonymous], disabling validation, weakening cookie flags, or broad role grants to "unblock" a flow; never recommend disabling a failing gate as the fix.

Evidence level for each finding: confirmed (config provided), inference (config partial), assumption (config absent), or unknown.

Load these only when needed:
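As an added example (not code from the plugin or from the skill listed here), the following minimal Program.cs shows each setting the review flags next to its hardened form, reads the tenant from the authenticated principal instead of client input, and authorizes a state-changing endpoint with a resource-based ownership handler rather than a role check. The configuration keys (Jwt:Issuer, Jwt:Audience, Jwt:SigningKey), the tenant_id claim name, the DocumentOwner policy name and the Document/IDocumentStore types are assumptions for illustration; the app needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example, not the plugin's code. Assumed: config keys under "Jwt",
// a "tenant_id" claim issued by the identity provider, and toy domain types.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwt = builder.Configuration.GetSection("Jwt");   // assumed section name

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // CRITICAL (what the review flags): any of these disables validation.
        // options.RequireHttpsMetadata = false;
        // options.TokenValidationParameters = new TokenValidationParameters
        // { ValidateIssuer = false, ValidateAudience = false,
        //   ValidateIssuerSigningKey = false, ValidateLifetime = false };

        // Hardened: metadata over HTTPS, every check on, bounded clock skew.
        options.RequireHttpsMetadata = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwt["Issuer"],
            ValidateAudience = true,
            ValidAudience = jwt["Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Convert.FromBase64String(jwt["SigningKey"]!)),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    })
    .AddCookie(options =>
    {
        // HIGH (what the review flags): cookie without Secure/HttpOnly/SameSite.
        // Hardened: all three flags set explicitly.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
    });

builder.Services.AddAuthorization(options =>
{
    // Ownership is expressed as a resource-based requirement, not a role.
    options.AddPolicy("DocumentOwner",
        p => p.AddRequirements(new DocumentOwnerRequirement()));
});
builder.Services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();
builder.Services.AddSingleton<IDocumentStore, InMemoryDocumentStore>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPut("/documents/{id}", async (string id, ClaimsPrincipal user,
    IAuthorizationService authz, IDocumentStore store) =>
{
    // Tenant comes from the authenticated principal, never from a header,
    // route value or body field the client controls.
    var tenantId = user.FindFirst("tenant_id")?.Value;
    if (tenantId is null) return Results.Forbid();

    var doc = await store.FindAsync(tenantId, id);   // tenant-scoped lookup
    if (doc is null) return Results.NotFound();

    // Resource-based check: does this caller own this document?
    var decision = await authz.AuthorizeAsync(user, doc, "DocumentOwner");
    return decision.Succeeded ? Results.Ok() : Results.Forbid();
}).RequireAuthorization();   // state-changing endpoint is never anonymous

app.Run();

// Hypothetical domain types for the example.
public record Document(string Id, string TenantId, string OwnerId);
public interface IDocumentStore { Task<Document?> FindAsync(string tenantId, string id); }
public sealed class DocumentOwnerRequirement : IAuthorizationRequirement { }

public sealed class InMemoryDocumentStore : IDocumentStore
{
    // Constructed sample data: one document per tenant.
    private static readonly Document[] Docs =
    {
        new("d1", "tenant-a", "user-1"),
        new("d2", "tenant-b", "user-2"),
    };
    public Task<Document?> FindAsync(string tenantId, string id) =>
        Task.FromResult(Docs.FirstOrDefault(d => d.TenantId == tenantId && d.Id == id));
}

public sealed class DocumentOwnerHandler
    : AuthorizationHandler<DocumentOwnerRequirement, Document>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        DocumentOwnerRequirement requirement, Document resource)
    {
        // Succeed only when the caller's id and tenant both match the resource;
        // a role such as "Admin" is deliberately not enough on its own.
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var tenantId = context.User.FindFirst("tenant_id")?.Value;
        if (userId is not null && resource.OwnerId == userId && resource.TenantId == tenantId)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
```

The negative tests the review expects map directly onto this endpoint: a PUT with no token must get 401, a PUT with an expired or wrongly signed token must get 401, and a valid token whose tenant_id or subject does not match the document must get 404 or 403. If any of those assertions fails, the fix is in the configuration or the handler above, never in adding [AllowAnonymous] or turning a Validate* flag off.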
Return, at minimum:
npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic

Implements authentication and authorization in ASP.NET Core: JWT bearer tokens, OpenID Connect, ASP.NET Identity, policy-based authorization, roles, claims, and API key auth.
Analyzes auth mechanisms (passwords/sessions/JWT/OAuth/MFA) and authz patterns (RBAC/ABAC/ACL) for vulnerabilities like bypasses, hijacking, broken access control; reports with OWASP/NIST remediation.
Analyzes authentication and authorization patterns (OAuth2, JWT, RBAC/ABAC, MFA), audits security posture against OWASP, and recommends improvements for token lifecycle, permission models, and multi-factor authentication.