Authentication & Authorization Fundamentals
Core authentication and authorization concepts overview. This page provides a quick reference and links to detailed guides.
Quick Reference
Authentication vs Authorization
Authentication (AuthN): Who are you?
- Verifying identity
- Credentials: username/password, tokens, biometrics
- Result: User identity established
Authorization (AuthZ): What can you do?
- Verifying permissions
- Access control: roles, permissions, policies
- Result: Access granted or denied
Authentication Methods
Detailed guide: Authentication Methods
Method Comparison
| Method | Stateless | Scalability | Revocation | Mobile | Complexity |
|---|---|---|---|---|---|
| Session | No | ★★ | Yes (instant) | ★★ | ★ Low |
| JWT | Yes | ★★★★★ | No (use short TTL) | ★★★★★ | ★★ Medium |
| OAuth 2.0 | Yes | ★★★★★ | Yes | ★★★★★ | ★★★★ High |
| OIDC | Yes | ★★★★★ | Yes | ★★★★★ | ★★★★ High |
| SAML | Yes | ★★★ | Yes | No | ★★★★★ Very High |
Quick Decision Tree
Coverage:
- Session-Based Authentication
- Token-Based (JWT)
- OAuth 2.0
- OpenID Connect (OIDC)
- SAML 2.0
Authorization Models
Detailed guide: Authorization Models
Model Comparison
| Model | Granularity | Complexity | Scalability | Use Case |
|---|---|---|---|---|
| RBAC | Coarse | Low | Good | General web apps |
| ABAC | Fine | High | Excellent | Complex compliance |
| ACL | Fine | Medium | Poor | File systems, documents |
Coverage:
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Access Control Lists (ACL)
- Hybrid approaches
Security Best Practices
Detailed guide: Authentication Security
Essential Security Checklist
1. Passwords hashed with bcrypt/Argon2 (cost ≥ 12)
2. HTTPS enforced everywhere
3. Rate limiting on authentication endpoints
4. CSRF protection enabled
5. Secure cookie flags (HttpOnly, Secure, SameSite)
6. JWT with short expiration + refresh tokens
7. MFA available for sensitive operations
8. Authorization checks on every endpoint
9. Regular security audits
Token Storage Recommendation
| Storage | Security | Recommendation |
|---|---|---|
| LocalStorage | Vulnerable to XSS | Avoid |
| SessionStorage | Vulnerable to XSS | Temporary data only |
| HttpOnly Cookie | Protected from script access (still needs CSRF defence) | Best for web |
| Memory only | Most secure | SPAs (lost on refresh) |
Coverage:
- Password security (hashing, policies)
- Token storage strategies
- CSRF protection
- Multi-Factor Authentication (MFA)
- JWT vulnerabilities
- Common attack vectors
Common Patterns
Token Refresh Flow
RBAC Structure
Quick Implementation Examples
Session-Based (Express.js)
```javascript
const express = require('express');
const session = require('express-session');

const app = express();

app.use(session({
  secret: process.env.SESSION_SECRET, // never hard-code; load from the environment
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,     // not readable from JavaScript (limits XSS impact)
    secure: true,       // only sent over HTTPS
    sameSite: 'strict', // not sent on cross-site requests (CSRF defence)
    maxAge: 3600000     // 1 hour, in milliseconds
  }
}));
```
JWT (Python)
```python
import os
import jwt
from datetime import datetime, timedelta, timezone

secret_key = os.environ['JWT_SECRET']  # keep the HMAC key out of source code
now = datetime.now(timezone.utc)

# Create token (short-lived: 15 minutes); user_id comes from the authenticated login
token = jwt.encode({
    'sub': user_id,
    'exp': now + timedelta(minutes=15),
    'iat': now
}, secret_key, algorithm='HS256')

# Verify token: pin the accepted algorithm list; PyJWT rejects expired tokens by default
payload = jwt.decode(token, secret_key, algorithms=['HS256'])
```
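The "JWT with short expiration + refresh tokens" pattern from the checklist, carried through as an added example (not code from the original page): an HS256 mint/verify pair built on the standard library only, so it runs without PyJWT, with the algorithm pinned server-side and expiry enforced, plus a refresh exchange that refuses an access token presented as a refresh token. Function names, the `typ` claim and the 15-minute/7-day lifetimes are assumptions.

```python
import base64, hashlib, hmac, json, time

ACCESS_TTL = 15 * 60          # short-lived access token (seconds)
REFRESH_TTL = 7 * 24 * 3600   # longer-lived refresh token (seconds)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS: base64url(header).base64url(claims).base64url(sig)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_hs256(token: str, key: bytes, now: int = None) -> dict:
    """Verify signature, pinned algorithm and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    # The server pins the algorithm; the token's own header must not choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def issue_tokens(user_id: str, key: bytes, now: int) -> tuple:
    """Access/refresh pair; the 'typ' claim keeps the two from being swapped."""
    access = encode_hs256({"sub": user_id, "typ": "access", "iat": now, "exp": now + ACCESS_TTL}, key)
    refresh = encode_hs256({"sub": user_id, "typ": "refresh", "iat": now, "exp": now + REFRESH_TTL}, key)
    return access, refresh

def refresh_access(refresh_token: str, key: bytes, now: int) -> tuple:
    """Exchange a valid refresh token for a fresh pair (server-side revocation bookkeeping not shown)."""
    claims = decode_hs256(refresh_token, key, now)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    return issue_tokens(claims["sub"], key, now)
```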
RBAC Check
```python
def has_permission(user, permission):
    """True if any of the user's roles grants the named permission."""
    for role in user.roles:
        if permission in role.permissions:
            return True
    return False

# Usage: check authorization on the server before every privileged action
if has_permission(current_user, 'delete_post'):
    delete_post(post_id)
```
Related Resources
- Authentication Methods - Detailed comparison and implementation
- Authorization Models - RBAC, ABAC, ACL explained
- Authentication Security - Security best practices and vulnerabilities
- OAuth 2.0 Spec
- JWT.io
- OWASP Authentication Cheat Sheet