Agent Skills
› NeverSight/learn-skills.dev
› authentication-patterns
authentication-patterns
GitHub提供Web、移动及API应用的认证授权模式与最佳实践,涵盖OAuth2、OIDC、JWT、会话管理及无密码登录等方案,并指导RBAC/ABAC权限控制及安全加固。
Trigger Scenarios
实现身份验证
OAuth流程
JWT令牌
会话管理
SSO配置
API密钥
RBAC
SAML
无密码认证
多因素认证
Install
npx skills add NeverSight/learn-skills.dev --skill authentication-patterns -g -y
SKILL.md
Frontmatter
{
"name": "authentication-patterns",
"description": "Authentication and authorization patterns and best practices. Use when user asks to \"implement authentication\", \"OAuth flow\", \"JWT tokens\", \"session management\", \"SSO setup\", \"API keys\", \"RBAC\", \"SAML\", \"passwordless auth\", \"multi-factor authentication\", or mentions auth design patterns and security."
}
Authentication & Authorization Patterns
Modern authentication and authorization patterns for web, mobile, and API applications.
Authentication Methods
OAuth 2.0
- Standard for third-party integrations
- Flows: Authorization Code, Implicit, Client Credentials, Resource Owner Password
- Popular providers: Google, GitHub, Facebook, Microsoft
OpenID Connect (OIDC)
- Identity layer on top of OAuth 2.0
- Provides user information and authentication assurance
JWT (JSON Web Tokens)
- Stateless token-based authentication
- Encrypted claims with signature
- Used for APIs and microservices
Session-Based
- Traditional server-side session management
- Better for server-rendered applications
- Requires careful CSRF protection
Passwordless
- Magic links via email
- WebAuthn/FIDO2
- Biometric authentication
Authorization Patterns
RBAC (Role-Based Access Control)
- User assigned to roles
- Roles have permissions
- Simple to implement and understand
ABAC (Attribute-Based Access Control)
- Fine-grained permissions based on attributes
- More flexible but complex
- Good for complex permission requirements
PBAC (Policy-Based Access Control)
- Permission as code (AWS IAM, Terraform)
- Highly flexible and auditable
- Supports delegation
Security Best Practices
- Never store passwords - Use bcrypt, scrypt, or Argon2
- Use HTTPS only - All auth traffic encrypted
- Secure token storage - HTTPOnly cookies for web
- Token rotation - Regular refresh token rotation
- MFA/2FA - Multi-factor authentication
- Audit logging - Track all auth events
- Rate limiting - Prevent brute force attacks
- CORS properly - Restrict cross-origin access
Common Architecture
Client → Auth Provider (OAuth/JWT) → API
Client → Session Store ← API
References
- OAuth 2.0 Specification (RFC 6749)
- OpenID Connect Core
- JWT (RFC 7519)
- OWASP Authentication Cheat Sheet
- WebAuthn / FIDO2 Specification
Version History
- e0220ca Current 2026-07-05 20:41


