Authentication & Authorization#

Implement secure auth in your applications.

Authentication Methods#

Method	Use Case	Security Level
Session/Cookie	Server-rendered apps	High (HTTP-only, secure flags)
JWT	APIs, SPAs	Medium (stateless, revocable with blacklist)
OAuth2	Third-party login	High (delegate to providers)
SAML	Enterprise SSO	High (enterprise identity)
WebAuthn	Passwordless	Very high (biometric, hardware keys)

JWT Best Practices#

Short expiry (15 min access, 7 day refresh)
Store refresh tokens in HTTP-only cookies (not localStorage)
Use RS256 (asymmetric) not HS256 in microservices
Include minimal claims (sub, exp, iat, scope)
Always validate signature + expiry + audience

Authorization Models#

RBAC (Role-Based)#

{
  "roles": ["admin", "editor", "viewer"],
  "permissions": {
    "admin": ["read:*", "write:*", "delete:*"],
    "editor": ["read:*", "write:*"],
    "viewer": ["read:*"]
  }
}

ABAC (Attribute-Based)#

Policy engine evaluates: user attributes + resource attributes + environment "Allow access if user.department == resource.department AND user.clearance >= resource.classification"

MFA Implementation#

TOTP (Google Authenticator) — standard
SMS — least secure, avoid if possible
Push notification — good UX
Hardware keys (WebAuthn) — most secure

Enforcement#

Require MFA for admin actions
Require MFA on new device login
Remember device with a trust token (30 days max)
Rate-limit MFA attempts

Session Management#

Rotate session ID on login
Invalidate on password change
Show active sessions to user (allow remote logout)
Absolute session timeout (24h) + idle timeout (2h)
Log all auth events (login, logout, failure, MFA)

Authentication & Authorization