By name: authentication-authorization description: 'JWT, OAuth2, SAML, session management, RBAC, ABAC, and MFA implementation' metadata: author: cosmicstack-labs version: 1.0.0 category: backend tags: [authentication, authorization, security, jwt, oauth, rbac]
Authentication & Authorization
Implement secure auth in your applications.
Authentication Methods
| Method | Use Case | Security Level |
|---|---|---|
| Session/Cookie | Server-rendered apps | High (HTTP-only, secure flags) |
| JWT | APIs, SPAs | Medium (stateless, revocable with blacklist) |
| OAuth2 | Third-party login | High (delegate to providers) |
| SAML | Enterprise SSO | High (enterprise identity) |
| WebAuthn | Passwordless | Very high (biometric, hardware keys) |
JWT Best Practices
- Short expiry (15 min access, 7 day refresh)
- Store refresh tokens in HTTP-only cookies (not localStorage)
- Use RS256 (asymmetric) not HS256 in microservices
- Include minimal claims (sub, exp, iat, scope)
- Always validate signature + expiry + audience
Authorization Models
RBAC (Role-Based)
{
"roles": ["admin", "editor", "viewer"],
"permissions": {
"admin": ["read:*", "write:*", "delete:*"],
"editor": ["read:*", "write:*"],
"viewer": ["read:*"]
}
}
ABAC (Attribute-Based)
Policy engine evaluates: user attributes + resource attributes + environment "Allow access if user.department == resource.department AND user.clearance >= resource.classification"
MFA Implementation
- TOTP (Google Authenticator) — standard
- SMS — least secure, avoid if possible
- Push notification — good UX
- Hardware keys (WebAuthn) — most secure
Enforcement
- Require MFA for admin actions
- Require MFA on new device login
- Remember device with a trust token (30 days max)
- Rate-limit MFA attempts
Session Management
- Rotate session ID on login
- Invalidate on password change
- Show active sessions to user (allow remote logout)
- Absolute session timeout (24h) + idle timeout (2h)
- Log all auth events (login, logout, failure, MFA)