ReddRadar
Agent skill
securing-authentication
Authentication, authorization, and API security implementation. Use when building user systems, protecting APIs, or implementing access control. Covers OAuth 2.1/OIDC, JWT patterns, sessions, Passkeys/WebAuthn, RBAC/ABAC/ReBAC, policy engines (OPA, Casbin, SpiceDB), managed auth (Clerk, Auth0), self-hosted (Keycloak, Ory), and API security best practices.
Install this agent skill to your Project
npx add-skill https://github.com/ancoleman/ai-design-components/tree/main/skills/securing-authentication
SKILL.md
Authentication & Security
Implement modern authentication, authorization, and API security across Python, Rust, Go, and TypeScript.
When to Use This Skill
Use this skill when:
- Building user authentication systems (login, signup, SSO)
- Implementing authorization (roles, permissions, access control)
- Securing APIs (JWT validation, rate limiting)
- Adding passwordless auth (Passkeys/WebAuthn)
- Migrating from password-based to modern auth
- Integrating enterprise SSO (SAML, OIDC)
- Implementing fine-grained permissions (RBAC, ABAC, ReBAC)
OAuth 2.1 Mandatory Requirements (2025 Standard)
┌─────────────────────────────────────────────────────────────┐
│ OAuth 2.1 MANDATORY REQUIREMENTS │
│ (RFC 9798 - 2025) │
├─────────────────────────────────────────────────────────────┤
│ │
│ ✅ REQUIRED (Breaking Changes from OAuth 2.0) │
│ ├─ PKCE (Proof Key for Code Exchange) MANDATORY │
│ │ └─ S256 method (SHA-256), minimum entropy 43 chars │
│ ├─ Exact redirect URI matching │
│ │ └─ No wildcard matching, no substring matching │
│ ├─ Authorization code flow ONLY for public clients │
│ │ └─ All other flows require confidential client │
│ └─ TLS 1.2+ required for all endpoints │
│ │
│ ❌ REMOVED (No Longer Supported) │
│ ├─ Implicit grant (security vulnerabilities) │
│ ├─ Resource Owner Password Credentials grant │
│ │ └─ Use OAuth 2.0 Device Flow (RFC 8628) instead │
│ └─ Bearer token in query parameters │
│ └─ Must use Authorization header or POST body │
│ │
└─────────────────────────────────────────────────────────────┘
Critical: PKCE is now mandatory for ALL OAuth flows, not just public clients.
JWT Best Practices
Signing Algorithms (Priority Order)
-
EdDSA with Ed25519 (Recommended)
- Fastest performance
- Smallest signature size
- Modern cryptography
-
ES256 (ECDSA with P-256)
- Good performance
- Industry standard
- Wide compatibility
-
RS256 (RSA)
- Legacy compatibility
- Larger signatures
- Slower performance
NEVER allow alg: none or algorithm switching attacks.
Token Lifetimes (Concrete Values)
- Access token: 5-15 minutes
- Refresh token: 1-7 days with rotation
- ID token: Same as access token (5-15 minutes)
Refresh token rotation: Each refresh generates new access AND refresh tokens, invalidating the old refresh token.
Token Storage
- Access token: Memory only (never localStorage)
- Refresh token: HTTP-only cookie + SameSite=Strict
- CSRF token: Separate non-HTTP-only cookie
- Never log tokens: Redact in application logs
JWT Claims (Required)
{
"iss": "https://auth.example.com",
"sub": "user-id-123",
"aud": "api.example.com",
"exp": 1234567890,
"iat": 1234567890,
"jti": "unique-token-id",
"scope": "read:profile write:data"
}
Password Hashing with Argon2id
OWASP 2025 Parameters
Algorithm: Argon2id
Memory cost (m): 64 MB (65536 KiB)
Time cost (t): 3 iterations
Parallelism (p): 4 threads
Salt length: 16 bytes (128 bits)
Target hash time: 150-250ms
Implementation
For concrete implementations, see references/password-hashing.md.
Key Points:
- Argon2id is hybrid: data-independent timing + memory-hard
- Tune memory cost to achieve 150-250ms on YOUR hardware
- Use timing-safe comparison for verification
- Migrate from bcrypt gradually (verify with old, rehash with new)
Passkeys / WebAuthn
Passkeys provide phishing-resistant, passwordless authentication using FIDO2/WebAuthn.
When to Use Passkeys
- User-facing applications prioritizing security
- Reducing password-related support burden
- Mobile-first applications (biometric auth)
- Applications requiring MFA without SMS
Cross-Device Passkey Sync
- iCloud Keychain: Apple ecosystem (iOS 16+, macOS 13+)
- Google Password Manager: Android, Chrome
- 1Password, Bitwarden: Third-party password managers
For implementation guide, see references/passkeys-webauthn.md.
Authorization Models
┌─────────────────────────────────────────────────────────────┐
│ Authorization Model Selection │
├─────────────────────────────────────────────────────────────┤
│ │
│ Simple Roles (<20 roles) │
│ └─ RBAC with Casbin (embedded, any language) │
│ Example: Admin, User, Guest │
│ │
│ Complex Attribute Rules │
│ └─ ABAC with OPA or Cerbos │
│ Example: "Allow if user.clearance >= doc.level │
│ AND user.dept == doc.dept" │
│ │
│ Relationship-Based (Multi-Tenant, Collaborative) │
│ └─ ReBAC with SpiceDB (Zanzibar model) │
│ Example: "Can edit if member of doc's workspace │
│ AND workspace.plan includes feature" │
│ Use cases: Notion-like, GitHub-like permissions │
│ │
│ Kubernetes / Infrastructure Policies │
│ └─ OPA (Gatekeeper for admission control) │
│ Example: Enforce pod security policies │
│ │
└─────────────────────────────────────────────────────────────┘
For detailed comparison, see references/authorization-patterns.md.
Library Selection by Language
TypeScript
| Use Case | Library | Context7 ID | Trust | Notes |
|---|---|---|---|---|
| Auth Framework | Auth.js v5 | /websites/authjs_dev |
87.4 | Multi-framework (Next, Svelte, Solid) |
| JWT | jose 5.x | - | - | EdDSA, ES256, RS256 support |
| Passkeys | @simplewebauthn/server 11.x | - | - | FIDO2 server |
| Validation | Zod 3.x | /colinhacks/zod |
90.4 | Schema validation |
| Policy Engine | Casbin.js 1.x | - | - | RBAC/ABAC embedded |
Python
| Use Case | Library | Notes |
|---|---|---|
| Auth Framework | Authlib 1.3+ | OAuth/OIDC client + server |
| JWT | joserfc 1.x | Modern, maintained |
| Passkeys | py_webauthn 2.x | WebAuthn server |
| Password Hashing | argon2-cffi 24.x | OWASP parameters |
| Validation | Pydantic 2.x | FastAPI integration |
| Policy Engine | PyCasbin 1.x | RBAC/ABAC embedded |
Rust
| Use Case | Library | Notes |
|---|---|---|
| JWT | jsonwebtoken 10.x | EdDSA, ES256, RS256 |
| OAuth Client | oauth2 5.x | OAuth 2.1 flows |
| Passkeys | webauthn-rs 0.5.x | WebAuthn + attestation |
| Password Hashing | argon2 0.5.x | Native Argon2id |
| Policy Engine | Casbin-RS 2.x | RBAC/ABAC embedded |
Go
| Use Case | Library | Notes |
|---|---|---|
| JWT | golang-jwt v5 | Community-maintained |
| OAuth Client | go-oidc v3 | OIDC client only |
| Passkeys | go-webauthn 0.11.x | Duo-maintained |
| Password Hashing | golang.org/x/crypto/argon2 | Standard library |
| Policy Engine | Casbin v2 | Original implementation |
Managed Auth Services
| Service | Best For | Key Features |
|---|---|---|
| Clerk | Rapid development, startups | Prebuilt UI, Next.js SDK |
| Auth0 | Enterprise, established | 25+ social providers, SSO |
| WorkOS AuthKit | B2B SaaS, enterprise SSO | SAML/SCIM, admin portal |
| Supabase Auth | Postgres users | Built on Postgres, RLS |
For detailed comparison, see references/managed-auth-comparison.md.
Self-Hosted Solutions
| Solution | Language | Use Case |
|---|---|---|
| Keycloak | Java | Enterprise, on-prem |
| Ory | Go | Cloud-native, microservices |
| Authentik | Python | Modern, developer-friendly |
For setup guides, see references/self-hosted-auth.md.
API Security Best Practices
Rate Limiting
// Tiered rate limiting (per IP + per user)
const rateLimits = {
anonymous: '10 requests/minute',
authenticated: '100 requests/minute',
premium: '1000 requests/minute',
}
Use sliding window algorithm (not fixed window) with Redis.
CORS Configuration
// Restrictive CORS (production)
const corsOptions = {
origin: ['https://app.example.com'],
credentials: true,
maxAge: 86400, // 24 hours
allowedHeaders: ['Content-Type', 'Authorization'],
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
}
// NEVER use origin: '*' with credentials: true
Security Headers
const securityHeaders = {
'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
'X-Frame-Options': 'DENY',
'X-Content-Type-Options': 'nosniff',
'Referrer-Policy': 'strict-origin-when-cross-origin',
'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
'Content-Security-Policy': "default-src 'self'; script-src 'self'",
}
For complete API security guide, see references/api-security.md.
Frontend Integration Patterns
Protected Routes (Next.js)
// middleware.ts
import { withAuth } from 'next-auth/middleware'
export default withAuth({
callbacks: {
authorized: ({ token, req }) => {
if (req.nextUrl.pathname.startsWith('/dashboard')) {
return !!token
}
if (req.nextUrl.pathname.startsWith('/admin')) {
return token?.role === 'admin'
}
return true
},
},
})
export const config = {
matcher: ['/dashboard/:path*', '/admin/:path*'],
}
Role-Based UI Rendering
import { useSession } from 'next-auth/react'
export function AdminPanel() {
const { data: session } = useSession()
if (session?.user?.role !== 'admin') {
return null
}
return <div>Admin Controls</div>
}
Common Workflows
1. OAuth 2.1 Integration
- Generate PKCE challenge
- Redirect to authorization endpoint
- Handle callback with authorization code
- Exchange code for tokens (with code_verifier)
- Store tokens securely
- Implement refresh token rotation
See references/oauth21-guide.md for complete implementation.
2. JWT Implementation
- Generate signing keys using
scripts/generate_jwt_keys.py - Configure token lifetimes (5-15 min access, 1-7 day refresh)
- Implement token validation middleware
- Set up refresh token rotation
- Configure token storage (memory for access, HTTP-only cookie for refresh)
See references/jwt-best-practices.md for detailed patterns.
3. Passkeys Setup
- Register credential during signup/settings
- Generate challenge for registration
- Verify attestation
- Store credential ID and public key
- Implement authentication flow with assertion
See examples/passkeys-demo/ for runnable implementation.
4. Authorization Engine Setup
- Choose engine (Casbin for simple RBAC, SpiceDB for ReBAC)
- Define schema/policies
- Implement check functions
- Integrate with route handlers
- Add audit logging
See references/authorization-patterns.md for detailed comparison.
Integration with Other Skills
Forms Skill
- Login/register forms with validation
- Error states for auth failures
- Password strength indicators
- Email validation
API Patterns Skill
- JWT middleware integration
- Error response formats (401, 403)
- OpenAPI security schemas
- CORS configuration
Dashboards Skill
- Role-based widget visibility
- User profile display
- Permission-based data filtering
- Audit trail visualization
Observability Skill
- Auth event logging (login, logout, permission denied)
- Failed login tracking
- Token refresh monitoring
- Security incident alerting
Scripts
Generate JWT Keys
python scripts/generate_jwt_keys.py --algorithm EdDSA
Generates EdDSA or ES256 key pairs for JWT signing.
Validate OAuth 2.1 Configuration
python scripts/validate_oauth_config.py --config oauth.json
Validates OAuth 2.1 compliance (PKCE enabled, exact redirect URIs, etc.).
Examples
Auth.js + Next.js
Complete implementation with OAuth providers, credentials, and session management.
Location: examples/authjs-nextjs/
Keycloak + FastAPI
Self-hosted Keycloak with FastAPI integration via OIDC.
Location: examples/keycloak-fastapi/
Passkeys Demo
Runnable passkeys implementation with @simplewebauthn.
Location: examples/passkeys-demo/
Reference Documentation
references/oauth21-guide.md- OAuth 2.1 implementation guidereferences/jwt-best-practices.md- JWT generation, validation, storagereferences/passkeys-webauthn.md- Passkeys/WebAuthn implementationreferences/authorization-patterns.md- RBAC, ABAC, ReBAC comparisonreferences/password-hashing.md- Argon2id parameters, migration
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
ancoleman/ai-design-components
designing-sdks
Design production-ready SDKs with retry logic, error handling, pagination, and multi-language support. Use when building client libraries for APIs or creating developer-facing SDK interfaces.
ancoleman/ai-design-components
administering-linux
Manage Linux systems covering systemd services, process management, filesystems, networking, performance tuning, and troubleshooting. Use when deploying applications, optimizing server performance, diagnosing production issues, or managing users and security on Linux servers.
ancoleman/ai-design-components
implementing-api-patterns
API design and implementation across REST, GraphQL, gRPC, and tRPC patterns. Use when building backend services, public APIs, or service-to-service communication. Covers REST frameworks (FastAPI, Axum, Gin, Hono), GraphQL libraries (Strawberry, async-graphql, gqlgen, Pothos), gRPC (Tonic, Connect-Go), tRPC for TypeScript, pagination strategies (cursor-based, offset-based), rate limiting, caching, versioning, and OpenAPI documentation generation. Includes frontend integration patterns for forms, tables, dashboards, and ai-chat skills.
ancoleman/ai-design-components
prompt-engineering
Engineer effective LLM prompts using zero-shot, few-shot, chain-of-thought, and structured output techniques. Use when building LLM applications requiring reliable outputs, implementing RAG systems, creating AI agents, or optimizing prompt quality and cost. Covers OpenAI, Anthropic, and open-source models with multi-language examples (Python/TypeScript).
ancoleman/ai-design-components
deploying-applications
Deployment patterns from Kubernetes to serverless and edge functions. Use when deploying applications, setting up CI/CD, or managing infrastructure. Covers Kubernetes (Helm, ArgoCD), serverless (Vercel, Lambda), edge (Cloudflare Workers, Deno), IaC (Pulumi, OpenTofu, SST), and GitOps patterns.
ancoleman/ai-design-components
optimizing-costs
Optimize cloud infrastructure costs through FinOps practices, commitment discounts, right-sizing, and automated cost management. Use when reducing cloud spend, implementing budget controls, or establishing cost visibility across AWS, Azure, GCP, and Kubernetes environments.
Didn't find tool you were looking for?