Authentication & Authorization Fundamentals

Core authentication and authorization concepts overview. This page provides a quick reference and links to detailed guides.

Quick Reference

Authentication vs Authorization

Authentication (AuthN): Who are you?

  • Verifying identity
  • Credentials: username/password, tokens, biometrics
  • Result: User identity established

Authorization (AuthZ): What can you do?

  • Verifying permissions
  • Access control: roles, permissions, policies
  • Result: Access granted or denied

Authentication Methods

Detailed guide: Authentication Methods

Method Comparison

MethodStatelessScalabilityRevocationMobileComplexity
Session⭐⭐✅ Instant⭐⭐⭐ Low
JWT⭐⭐⭐⭐⭐❌ (use short TTL)⭐⭐⭐⭐⭐⭐⭐ Medium
OAuth 2.0⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ High
OIDC⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐ High
SAML⭐⭐⭐⭐⭐⭐⭐⭐ Very High

Quick Decision Tree

graph TD
    A[Choose Auth Method] --> B{Third-party login?}
    B -->|Yes| C[OAuth 2.0 / OIDC]
    B -->|No| D{API/Microservices?}
    D -->|Yes| E[JWT]
    D -->|No| F{Traditional web app?}
    F -->|Yes| G[Sessions]
    F -->|No| H[Enterprise SSO?]
    H -->|Yes| I[SAML / OIDC]
    
    style C fill:#90EE90
    style E fill:#90EE90
    style G fill:#90EE90
    style I fill:#90EE90

Coverage:

  • Session-Based Authentication
  • Token-Based (JWT)
  • OAuth 2.0
  • OpenID Connect (OIDC)
  • SAML 2.0

Authorization Models

Detailed guide: Authorization Models

Model Comparison

ModelGranularityComplexityScalabilityUse Case
RBACCoarseLowGoodGeneral web apps
ABACFineHighExcellentComplex compliance
ACLFineMediumPoorFile systems, documents

Coverage:

  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Access Control Lists (ACL)
  • Hybrid approaches

Security Best Practices

Detailed guide: Authentication Security

Essential Security Checklist

1✅ Passwords hashed with bcrypt/Argon2 (cost ≥ 12)
2✅ HTTPS enforced everywhere
3✅ Rate limiting on authentication endpoints
4✅ CSRF protection enabled
5✅ Secure cookie flags (HttpOnly, Secure, SameSite)
6✅ JWT with short expiration + refresh tokens
7✅ MFA available for sensitive operations
8✅ Authorization checks on every endpoint
9✅ Regular security audits

Token Storage Recommendation

StorageSecurityRecommendation
LocalStorage❌ Vulnerable to XSSAvoid
SessionStorage❌ Vulnerable to XSSTemporary data only
HttpOnly Cookie✅ Protected✅ Best for web
Memory only✅ Most secure✅ SPAs (lost on refresh)

Coverage:

  • Password security (hashing, policies)
  • Token storage strategies
  • CSRF protection
  • Multi-Factor Authentication (MFA)
  • JWT vulnerabilities
  • Common attack vectors

Common Patterns

Token Refresh Flow

graph LR
    A[Login] --> B[Access Token 15min]
    A --> C[Refresh Token 7d]
    B --> D{Token Expired?}
    D -->|Yes| E[Use Refresh Token]
    E --> F[New Access Token]
    D -->|No| G[Continue Using]
    
    style B fill:#FFE4B5
    style C fill:#98FB98
    style F fill:#FFE4B5

RBAC Structure

graph LR
    User --> Role1[Role: Editor]
    User --> Role2[Role: Admin]
    Role1 --> P1[create_post]
    Role1 --> P2[edit_post]
    Role2 --> P3[delete_user]
    Role2 --> P4[manage_roles]
    
    style User fill:#E1F5FF
    style Role1 fill:#FFF4E1
    style Role2 fill:#FFF4E1

Quick Implementation Examples

Session-Based (Express.js)

 1const session = require('express-session');
 2
 3app.use(session({
 4    secret: process.env.SESSION_SECRET,
 5    resave: false,
 6    saveUninitialized: false,
 7    cookie: {
 8        httpOnly: true,
 9        secure: true,
10        sameSite: 'strict',
11        maxAge: 3600000 // 1 hour
12    }
13}));

JWT (Python)

 1import jwt
 2from datetime import datetime, timedelta
 3
 4# Create token
 5token = jwt.encode({
 6    'sub': user_id,
 7    'exp': datetime.utcnow() + timedelta(minutes=15),
 8    'iat': datetime.utcnow()
 9}, secret_key, algorithm='HS256')
10
11# Verify token
12payload = jwt.decode(token, secret_key, algorithms=['HS256'])

RBAC Check

1def has_permission(user, permission):
2    for role in user.roles:
3        if permission in role.permissions:
4            return True
5    return False
6
7# Usage
8if has_permission(current_user, 'delete_post'):
9    delete_post(post_id)

Related Snippets