Authentication & Authorization Patterns
Modern authentication and authorization patterns for web, mobile, and API applications.
Authentication Methods
OAuth 2.0
- Standard for third-party integrations
- Flows: Authorization Code (use with PKCE), Implicit, Client Credentials, Resource Owner Password; the Implicit and Resource Owner Password flows are deprecated by the OAuth 2.0 Security Best Current Practice and should not be used in new systems
- Popular providers: Google, GitHub, Facebook, Microsoft
OpenID Connect (OIDC)
- Identity layer on top of OAuth 2.0
- Provides user information and authentication assurance
JWT (JSON Web Tokens)
- Stateless token-based authentication
- Signed claims (JWS), not encrypted: the payload is only base64url-encoded and readable by anyone holding the token; JWE is needed if claims must stay confidential
- Used for APIs and microservices
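Added example (not code from the original page): a minimal HS256 JWT signer and verifier in Python using only the standard library. It shows that the payload can be read without any key, pins the expected algorithm so a token whose header says something other than HS256 (including "none") is rejected, compares signatures in constant time, and enforces exp. The secret is a constructed placeholder; a real service loads a random key from its secret store.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real service loads a random secret of at least 32 bytes from a vault.
SECRET = b"demo-secret-do-not-use-in-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS (JWT) with HS256: header.payload.signature."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT any key: JWT claims are encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Verify signature and expiry. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the expected algorithm: never let the token choose (blocks 'alg: none' downgrades).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def verify_result(token: str, key: bytes, now=None) -> str:
    """Same as verify_jwt, but returns 'ok' or the rejection reason instead of raising."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```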
Session-Based
- Traditional server-side session management
- Well suited to server-rendered applications
- Requires careful CSRF protection
Passwordless
- Magic links via email
- WebAuthn/FIDO2
- Biometric authentication
Authorization Patterns
RBAC (Role-Based Access Control)
- Users are assigned to roles
- Roles carry permissions
- Simple to implement and understand
ABAC (Attribute-Based Access Control)
- Fine-grained permissions based on attributes
- More flexible but complex
- Good for complex permission requirements
PBAC (Policy-Based Access Control)
- Permissions expressed as code or policy documents (e.g. AWS IAM policies, managed as code with tools such as Terraform)
- Highly flexible and auditable
- Supports delegation
Security Best Practices
- Never store plaintext passwords - Hash them with bcrypt, scrypt, or Argon2
- Use HTTPS only - All auth traffic encrypted
- Secure token storage - HttpOnly cookies for web clients
- Token rotation - Regular refresh token rotation
- MFA/2FA - Require multi-factor authentication
- Audit logging - Record all authentication and authorization events
- Rate limiting - Limit login attempts to blunt brute-force attacks
- Configure CORS properly - Restrict cross-origin access to trusted origins
Common Architecture
Client → Auth Provider (OAuth/JWT) → API
Client → Session Store ← API
References
- OAuth 2.0 Specification (RFC 6749)
- OpenID Connect Core
- JWT (RFC 7519)
- OWASP Authentication Cheat Sheet
- WebAuthn / FIDO2 Specification