Authentication & Authorization Patterns
Modern authentication and authorization patterns for web, mobile, and API applications.
Authentication Methods
OAuth 2.0
- Standard for third-party integrations
- Flows: Authorization Code, Implicit, Client Credentials, Resource Owner Password (Implicit and Resource Owner Password are legacy flows; the OAuth 2.0 Security Best Current Practice recommends Authorization Code with PKCE instead)
- Popular providers: Google, GitHub, Facebook, Microsoft
OpenID Connect (OIDC)
- Identity layer on top of OAuth 2.0
- Provides user information and authentication assurance
JWT (JSON Web Tokens)
- Stateless token-based authentication
- Signed (and optionally encrypted) claims; a plain signed JWT is only base64url-encoded, so its payload is readable by anyone who holds the token
- Used for APIs and microservices
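As an added example (not from this page or any of the listed specifications), a minimal HS256 JWT issue/verify routine built only on the Python standard library; the secret and claims are constructed for the demo. It pins the expected algorithm rather than trusting the header, compares the signature in constant time, enforces `exp`, and shows that the payload can be read without the key.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes, ttl_s: int = 300, now: Optional[int] = None) -> str:
    """Issue an HS256-signed JWT carrying `claims` plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_s)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        # Pin the algorithm: the header is attacker-controlled, so never let it
        # choose "none" or a different scheme than the one the server expects.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many signature bytes matched.
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        payload = json.loads(b64url_decode(p_b64))
        if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
            return None  # missing or past expiry: reject
        return payload
    except (ValueError, TypeError):  # malformed base64/JSON or wrong segment count
        return None

def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying: a signed JWT is not confidential."""
    return json.loads(b64url_decode(token.split(".")[1]))
```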
Session-Based
- Traditional server-side session management
- Better for server-rendered applications
- Requires careful CSRF protection
Passwordless
- Magic links via email
- WebAuthn/FIDO2
- Biometric authentication
Authorization Patterns
RBAC (Role-Based Access Control)
- Users are assigned to roles
- Roles have permissions
- Simple to implement and understand
ABAC (Attribute-Based Access Control)
- Fine-grained permissions based on attributes
- More flexible but more complex
- Good for complex permission requirements
PBAC (Policy-Based Access Control)
- Permissions as code (AWS IAM, Terraform)
- Highly flexible and auditable
- Supports delegation
Security Best Practices
- Never store plaintext passwords - Hash them with bcrypt, scrypt, or Argon2
- Use HTTPS only - All auth traffic encrypted
- Secure token storage - HttpOnly cookies for web
- Token rotation - Regular refresh token rotation
- MFA/2FA - Multi-factor authentication
- Audit logging - Track all auth events
- Rate limiting - Prevent brute-force attacks
- Configure CORS properly - Restrict cross-origin access
Common Architecture
Client → Auth Provider (OAuth/JWT) → API Client → Session Store ← API
References
- OAuth 2.0 Specification (RFC 6749)
- OpenID Connect Core
- JWT (RFC 7519)
- OWASP Authentication Cheat Sheet
- WebAuthn / FIDO2 Specification