Authentication & Authorization Fundamentals
Core authentication and authorization concepts overview. This page provides a quick reference and links to detailed guides.
Quick Reference
Authentication vs Authorization
Authentication (AuthN): Who are you?
- Verifying identity
- Credentials: username/password, tokens, biometrics
- Result: User identity established
Authorization (AuthZ): What can you do?
- Verifying permissions
- Access control: roles, permissions, policies
- Result: Access granted or denied
Authentication Methods
Detailed guide: Authentication Methods
Method Comparison
| Method | Stateless | Scalability | Revocation | Mobile | Complexity |
|---|---|---|---|---|---|
| Session | ❌ | ⭐⭐ | ✅ Instant | ⭐⭐ | ⭐ Low |
| JWT | ✅ | ⭐⭐⭐⭐⭐ | ❌ (use short TTL) | ⭐⭐⭐⭐⭐ | ⭐⭐ Medium |
| OAuth 2.0 | ✅ | ⭐⭐⭐⭐⭐ | ✅ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ High |
| OIDC | ✅ | ⭐⭐⭐⭐⭐ | ✅ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ High |
| SAML | ✅ | ⭐⭐⭐ | ✅ | ⭐ | ⭐⭐⭐⭐⭐ Very High |
Quick Decision Tree
graph TD
A[Choose Auth Method] --> B{Third-party login?}
B -->|Yes| C[OAuth 2.0 / OIDC]
B -->|No| D{API/Microservices?}
D -->|Yes| E[JWT]
D -->|No| F{Traditional web app?}
F -->|Yes| G[Sessions]
F -->|No| H[Enterprise SSO?]
H -->|Yes| I[SAML / OIDC]
style C fill:#90EE90
style E fill:#90EE90
style G fill:#90EE90
style I fill:#90EE90Coverage:
- Session-Based Authentication
- Token-Based (JWT)
- OAuth 2.0
- OpenID Connect (OIDC)
- SAML 2.0
Authorization Models
Detailed guide: Authorization Models
Model Comparison
| Model | Granularity | Complexity | Scalability | Use Case |
|---|---|---|---|---|
| RBAC | Coarse | Low | Good | General web apps |
| ABAC | Fine | High | Excellent | Complex compliance |
| ACL | Fine | Medium | Poor | File systems, documents |
Coverage:
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Access Control Lists (ACL)
- Hybrid approaches
Security Best Practices
Detailed guide: Authentication Security
Essential Security Checklist
1✅ Passwords hashed with bcrypt/Argon2 (cost ≥ 12)
2✅ HTTPS enforced everywhere
3✅ Rate limiting on authentication endpoints
4✅ CSRF protection enabled
5✅ Secure cookie flags (HttpOnly, Secure, SameSite)
6✅ JWT with short expiration + refresh tokens
7✅ MFA available for sensitive operations
8✅ Authorization checks on every endpoint
9✅ Regular security audits
Token Storage Recommendation
| Storage | Security | Recommendation |
|---|---|---|
| LocalStorage | ❌ Vulnerable to XSS | Avoid |
| SessionStorage | ❌ Vulnerable to XSS | Temporary data only |
| HttpOnly Cookie | ✅ Protected | ✅ Best for web |
| Memory only | ✅ Most secure | ✅ SPAs (lost on refresh) |
Coverage:
- Password security (hashing, policies)
- Token storage strategies
- CSRF protection
- Multi-Factor Authentication (MFA)
- JWT vulnerabilities
- Common attack vectors
Common Patterns
Token Refresh Flow
graph LR
A[Login] --> B[Access Token 15min]
A --> C[Refresh Token 7d]
B --> D{Token Expired?}
D -->|Yes| E[Use Refresh Token]
E --> F[New Access Token]
D -->|No| G[Continue Using]
style B fill:#FFE4B5
style C fill:#98FB98
style F fill:#FFE4B5RBAC Structure
graph LR
User --> Role1[Role: Editor]
User --> Role2[Role: Admin]
Role1 --> P1[create_post]
Role1 --> P2[edit_post]
Role2 --> P3[delete_user]
Role2 --> P4[manage_roles]
style User fill:#E1F5FF
style Role1 fill:#FFF4E1
style Role2 fill:#FFF4E1Quick Implementation Examples
Session-Based (Express.js)
1const session = require('express-session');
2
3app.use(session({
4 secret: process.env.SESSION_SECRET,
5 resave: false,
6 saveUninitialized: false,
7 cookie: {
8 httpOnly: true,
9 secure: true,
10 sameSite: 'strict',
11 maxAge: 3600000 // 1 hour
12 }
13}));
JWT (Python)
1import jwt
2from datetime import datetime, timedelta
3
4# Create token
5token = jwt.encode({
6 'sub': user_id,
7 'exp': datetime.utcnow() + timedelta(minutes=15),
8 'iat': datetime.utcnow()
9}, secret_key, algorithm='HS256')
10
11# Verify token
12payload = jwt.decode(token, secret_key, algorithms=['HS256'])
RBAC Check
1def has_permission(user, permission):
2 for role in user.roles:
3 if permission in role.permissions:
4 return True
5 return False
6
7# Usage
8if has_permission(current_user, 'delete_post'):
9 delete_post(post_id)
Related Resources
- Authentication Methods - Detailed comparison and implementation
- Authorization Models - RBAC, ABAC, ACL explained
- Authentication Security - Security best practices and vulnerabilities
- OAuth 2.0 Spec
- JWT.io
- OWASP Authentication Cheat Sheet
Related Snippets
- Authentication Methods
Comprehensive guide to authentication methods: sessions, JWT, OAuth 2.0, OIDC, … - Authentication Security Best Practices
Security best practices for authentication: password security, token storage, … - Authorization Models
Authorization models: RBAC, ABAC, and ACL with practical examples. 1. Role-Based …