Authentication Patterns

Implement secure authentication with OAuth 2.1, Passkeys, and modern security standards.

When to Use

• Login/signup flows
• JWT token management
• Session security
• OAuth 2.1 with PKCE
• Passkeys/WebAuthn
• Multi-factor authentication
• Role-based access control

Quick Reference

Password Hashing (Argon2id)

from argon2 import PasswordHasher
ph = PasswordHasher()
password_hash = ph.hash(password)
ph.verify(password_hash, password)

JWT Access Token

import jwt
payload = {
    'user_id': user_id,
    'type': 'access',
    'exp': datetime.utcnow() + timedelta(minutes=15),
}
token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')

OAuth 2.1 with PKCE (Required)

import hashlib, base64, secrets
code_verifier = secrets.token_urlsafe(64)
digest = hashlib.sha256(code_verifier.encode()).digest()
code_challenge = base64.urlsafe_b64encode(digest).rstrip(b'=').decode()

Session Security

app.config['SESSION_COOKIE_SECURE'] = True      # HTTPS only
app.config['SESSION_COOKIE_HTTPONLY'] = True    # No JS access
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'

Token Expiry (2026 Guidelines)

Token Type	Expiry	Storage
Access	15 min - 1 hour	Memory only
Refresh	7-30 days	HTTPOnly cookie

Anti-Patterns (FORBIDDEN)

# ❌ NEVER store passwords in plaintext
user.password = request.form['password']

# ❌ NEVER use implicit OAuth grant
response_type=token  # Deprecated in OAuth 2.1

# ❌ NEVER skip rate limiting on login
@app.route('/login')  # No rate limit!

# ❌ NEVER reveal if email exists
return "Email not found"  # Information disclosure

# ✅ ALWAYS use Argon2id or bcrypt
password_hash = ph.hash(password)

# ✅ ALWAYS use PKCE
code_challenge=challenge&code_challenge_method=S256

# ✅ ALWAYS rate limit auth endpoints
@limiter.limit("5 per minute")

# ✅ ALWAYS use generic error messages
return "Invalid credentials"

Key Decisions

Decision	Recommendation
Password hash	Argon2id > bcrypt
Access token expiry	15 min - 1 hour
Refresh token expiry	7-30 days with rotation
Session cookie	HTTPOnly, Secure, SameSite=Strict
Rate limit	5 attempts per minute
MFA	Passkeys > TOTP > SMS
OAuth	2.1 with PKCE (no implicit)

Detailed Documentation

Resource	Description
references/oauth-2.1-passkeys.md	OAuth 2.1, PKCE, Passkeys/WebAuthn
examples/auth-implementations.md	Complete implementation examples
checklists/auth-checklist.md	Security checklist
templates/auth-middleware-template.py	Flask/FastAPI middleware

Related Skills

• owasp-top-10 - Security fundamentals
• input-validation - Data validation
• api-design-framework - API security

Capability Details

password-hashing

Keywords: password, hashing, bcrypt, argon2, hash Solves:

• Securely hash passwords with modern algorithms
• Configure appropriate cost factors
• Migrate legacy password hashes

jwt-tokens

Keywords: JWT, token, access token, claims, jsonwebtoken Solves:

• Generate and validate JWT access tokens
• Implement proper token expiration
• Handle token refresh securely

oauth2-pkce

Keywords: OAuth, PKCE, OAuth 2.1, authorization code, code verifier Solves:

• Implement OAuth 2.1 with PKCE flow
• Secure authorization for SPAs and mobile apps
• Handle OAuth provider integration

passkeys-webauthn

Keywords: passkey, WebAuthn, FIDO2, passwordless, biometric Solves:

• Implement passwordless authentication
• Configure WebAuthn registration and login
• Support cross-device passkeys

session-management

Keywords: session, cookie, session storage, logout, invalidate Solves:

• Manage user sessions securely
• Implement session invalidation on logout
• Handle concurrent sessions

role-based-access

Keywords: RBAC, role, permission, authorization, access control Solves:

• Implement role-based access control
• Define permission hierarchies
• Check authorization in routes