Agent Skills
› cosmicstack-labs/mercury-agent-skills
› authentication-authorization
authentication-authorization
GitHub提供应用安全认证与授权实现指南,涵盖JWT、OAuth2、SAML及MFA等认证方法的最佳实践。详解RBAC与ABAC授权模型,并包含会话管理、令牌轮换及安全日志记录规范,助力构建高安全性身份验证系统。
Trigger Scenarios
需要实现用户登录或注册功能
设计API接口的权限控制策略
配置多因素认证(MFA)机制
处理第三方身份提供商集成
优化会话管理与安全性
Install
npx skills add cosmicstack-labs/mercury-agent-skills --skill authentication-authorization -g -y
SKILL.md
Frontmatter
{
"name": "authentication-authorization",
"metadata": {
"tags": [
"authentication",
"authorization",
"security",
"jwt",
"oauth",
"rbac"
],
"author": "cosmicstack-labs",
"version": "1.0.0",
"category": "backend"
},
"description": "JWT, OAuth2, SAML, session management, RBAC, ABAC, and MFA implementation"
}
Authentication & Authorization
Implement secure auth in your applications.
Authentication Methods
| Method | Use Case | Security Level |
|---|---|---|
| Session/Cookie | Server-rendered apps | High (HTTP-only, secure flags) |
| JWT | APIs, SPAs | Medium (stateless, revocable with blacklist) |
| OAuth2 | Third-party login | High (delegate to providers) |
| SAML | Enterprise SSO | High (enterprise identity) |
| WebAuthn | Passwordless | Very high (biometric, hardware keys) |
JWT Best Practices
- Short expiry (15 min access, 7 day refresh)
- Store refresh tokens in HTTP-only cookies (not localStorage)
- Use RS256 (asymmetric) not HS256 in microservices
- Include minimal claims (sub, exp, iat, scope)
- Always validate signature + expiry + audience
Authorization Models
RBAC (Role-Based)
{
"roles": ["admin", "editor", "viewer"],
"permissions": {
"admin": ["read:*", "write:*", "delete:*"],
"editor": ["read:*", "write:*"],
"viewer": ["read:*"]
}
}
ABAC (Attribute-Based)
Policy engine evaluates: user attributes + resource attributes + environment "Allow access if user.department == resource.department AND user.clearance >= resource.classification"
MFA Implementation
- TOTP (Google Authenticator) — standard
- SMS — least secure, avoid if possible
- Push notification — good UX
- Hardware keys (WebAuthn) — most secure
Enforcement
- Require MFA for admin actions
- Require MFA on new device login
- Remember device with a trust token (30 days max)
- Rate-limit MFA attempts
Session Management
- Rotate session ID on login
- Invalidate on password change
- Show active sessions to user (allow remote logout)
- Absolute session timeout (24h) + idle timeout (2h)
- Log all auth events (login, logout, failure, MFA)
Version History
- 38e2523 Current 2026-07-05 19:36


