Mercury SkillsMercury Skills

Authentication & Authorization

JWT, OAuth2, SAML, session management, RBAC, ABAC, and MFA implementation

View source45 downloads
authenticationauthorizationsecurityjwtoauthrbac

Authentication & Authorization#

Implement secure auth in your applications.

Authentication Methods#

MethodUse CaseSecurity Level
Session/CookieServer-rendered appsHigh (HTTP-only, secure flags)
JWTAPIs, SPAsMedium (stateless, revocable with blacklist)
OAuth2Third-party loginHigh (delegate to providers)
SAMLEnterprise SSOHigh (enterprise identity)
WebAuthnPasswordlessVery high (biometric, hardware keys)

JWT Best Practices#

  • Short expiry (15 min access, 7 day refresh)
  • Store refresh tokens in HTTP-only cookies (not localStorage)
  • Use RS256 (asymmetric) not HS256 in microservices
  • Include minimal claims (sub, exp, iat, scope)
  • Always validate signature + expiry + audience

Authorization Models#

RBAC (Role-Based)#

{
  "roles": ["admin", "editor", "viewer"],
  "permissions": {
    "admin": ["read:*", "write:*", "delete:*"],
    "editor": ["read:*", "write:*"],
    "viewer": ["read:*"]
  }
}

ABAC (Attribute-Based)#

Policy engine evaluates: user attributes + resource attributes + environment "Allow access if user.department == resource.department AND user.clearance >= resource.classification"

MFA Implementation#

  • TOTP (Google Authenticator) — standard
  • SMS — least secure, avoid if possible
  • Push notification — good UX
  • Hardware keys (WebAuthn) — most secure

Enforcement#

  • Require MFA for admin actions
  • Require MFA on new device login
  • Remember device with a trust token (30 days max)
  • Rate-limit MFA attempts

Session Management#

  • Rotate session ID on login
  • Invalidate on password change
  • Show active sessions to user (allow remote logout)
  • Absolute session timeout (24h) + idle timeout (2h)
  • Log all auth events (login, logout, failure, MFA)

More in Backend

View all →

Secure Coding Skill

Comprehensive secure coding practices covering input validation, authentication, authorization, cryptography, secrets management, and error handling. Provides actionable code examples and checklists for building security into every stage of development.

secure-codinginput-validationauthentication

API Design

REST and GraphQL API design principles, versioning, error handling, and documentation patterns

apirestgraphql

Caching Strategies

CDN, Redis, in-memory cache, cache invalidation, and distributed caching patterns

cachingperformanceredis