auth-implementation-patterns
wshobson/agents
Master JWT, OAuth2, session management, and RBAC patterns for secure, scalable authentication systems.
What is auth-implementation-patterns?
This skill teaches industry-standard authentication and authorization patterns including session-based auth, token-based JWT, OAuth2/OpenID Connect, and role-based access control (RBAC). Use it when implementing user authentication, securing APIs, adding social login, designing access control, or debugging security issues.
- Implement session-based authentication with secure cookie management
- Design and deploy JWT token-based authentication systems
- Integrate OAuth2 and OpenID Connect for social/enterprise login
- Build role-based access control (RBAC) and permission systems
- Secure REST and GraphQL APIs with proper auth patterns
- Implement password hashing, token expiration, and credential rotation
How to install auth-implementation-patterns
npx skills add https://github.com/wshobson/agents --skill auth-implementation-patterns
How to use auth-implementation-patterns
1. Review the core concepts section to understand AuthN vs AuthZ distinctions
2. Choose an authentication strategy (session-based, JWT, or OAuth2) based on your use case
3. Read detailed pattern documentation in references/details.md for implementation specifics
4. Apply best practices: hash passwords with bcrypt/argon2, use HTTPS, set short token expiration, secure cookies with httpOnly/secure/sameSite flags
5. Implement server-side validation, rate limiting on auth endpoints, and CSRF protection for session auth
6. Add security event logging and consider MFA for sensitive applications
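Steps 4 and 5 in working code, as an added example that is not part of the skill or the wshobson/agents repository: password storage and a login function with per-account exponential backoff and an audit trail. It uses hashlib.scrypt as a stand-in for bcrypt/argon2 because scrypt ships with the Python standard library; the in-memory USERS table, the audit list and the injectable clock are assumptions for the demo.

```python
"""Password storage and login throttling (added example, not the skill's own code).

Assumptions: hashlib.scrypt stands in for bcrypt/argon2 (same idea, no extra
package); USERS is an in-memory user store; the clock is injected so backoff
can be tested without sleeping.
"""
import hashlib
import hmac
import os
import time

# Memory-hard cost for interactive logins: 128 * r * N bytes = 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$hash' with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the hash; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class LoginThrottle:
    """Per-account exponential backoff: after `free_attempts` failures the account is
    locked for base_delay * 2**k seconds (k = further failures), capped at max_delay."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0, clock=time.monotonic):
        self.free_attempts, self.base_delay, self.max_delay = free_attempts, base_delay, max_delay
        self.clock = clock
        self._state = {}  # username -> (failure_count, locked_until)

    def retry_after(self, username: str) -> float:
        _, locked_until = self._state.get(username, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, username: str) -> float:
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = 0.0
        if failures > self.free_attempts:
            delay = min(self.base_delay * 2 ** (failures - self.free_attempts - 1), self.max_delay)
        self._state[username] = (failures, self.clock() + delay)
        return delay

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


USERS: dict = {}                                   # constructed in-memory user store
DUMMY_HASH = hash_password(os.urandom(16).hex())   # verified for unknown users, see login()


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str, throttle: LoginThrottle, audit: list) -> tuple:
    """Return (ok, reason). Every attempt is appended to `audit`. Unknown user and wrong
    password give the same reason and cost the same scrypt call (no account enumeration)."""
    wait = throttle.retry_after(username)
    if wait > 0:
        audit.append(("locked", username, round(wait, 1)))
        return False, "locked"
    stored = USERS.get(username, DUMMY_HASH)
    # verify_password runs first so scrypt is always evaluated, even for unknown users.
    if verify_password(password, stored) and username in USERS:
        throttle.record_success(username)
        audit.append(("success", username))
        return True, "ok"
    throttle.record_failure(username)
    audit.append(("failure", username))
    return False, "invalid_credentials"


if __name__ == "__main__":
    throttle, audit = LoginThrottle(), []
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple", throttle, audit))
    for _ in range(4):
        print(login("alice", "wrong", throttle, audit))
    print("retry after", throttle.retry_after("alice"), "s")
```

The backoff state is keyed by account so a distributed guess across many accounts is still caught by the per-IP limit your reverse proxy or framework applies; this code covers only the per-account half. The `audit` list is where a real service would emit the structured login events that step 6 asks for.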
Use cases
- Building a user login system with session or JWT tokens
- Adding Google/GitHub OAuth2 social login to an application
- Implementing role-based permissions for multi-user SaaS platforms
- Securing a REST API with token-based authentication
- Designing SSO or multi-tenant authentication architecture
- Backend engineers building authentication systems
- Full-stack developers securing APIs and user access
- Security-focused developers implementing access control
- DevOps/platform engineers designing enterprise auth
- Developers migrating or refactoring existing auth systems
auth-implementation-patterns FAQ
Sessions are simpler and stateful (good for monoliths); JWT is stateless and scales horizontally (good for microservices). Sessions are more secure by default because the server holds the state and can revoke a session the moment a user logs out or an account is compromised; a JWT stays valid until it expires unless you add a server-side denylist, so it needs careful handling (short expiry, delivery in an httpOnly cookie rather than localStorage).
Implement rate limiting on authentication endpoints (per account and per source IP), use exponential backoff for failed attempts, and log all login attempts. Return the same error for an unknown username and a wrong password so the endpoint does not reveal which accounts exist. Consider CAPTCHA after multiple failures.
OAuth2 is for authorization (delegated access to an API); OpenID Connect adds authentication on top of OAuth2 by returning a signed ID token that identifies the user. Use OIDC when you need both auth and user info, and validate the ID token's signature, issuer, audience and expiry rather than treating possession of an OAuth2 access token as proof of identity.
Keep access tokens short-lived (15-30 minutes max). Use refresh tokens (longer-lived, stored server-side as a hash, and rotated on every use so a replayed old token can be detected) to obtain new access tokens without re-authentication.
Deliver tokens in httpOnly cookies so script injected by XSS cannot read them; avoid localStorage, which any script running on the page can read. httpOnly only hides the token: an XSS payload can still send requests that carry the cookie, and so can cross-site forms, so set the secure and sameSite flags and add CSRF protection for any credential carried in a cookie.
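The FAQ answers on sessions versus JWT and on where to keep the credential, in working code, as an added example that is not the skill's own code: a server-side session store whose ID travels only in an httpOnly, Secure, SameSite cookie, with immediate revocation, idle and absolute timeouts, and a synchronizer CSRF token plus Origin check on state-changing requests. The ORIGIN value, the in-memory store, the dict-shaped requests and the injectable clock are assumptions for the demo.

```python
"""Server-side sessions in a hardened cookie, with CSRF enforcement.

Added example, not the skill's own code. Assumptions: ORIGIN is the site's
origin; requests are dicts with "method", "headers" and "cookies"; the store
is in memory and the clock is injectable.
"""
import hmac
import secrets
import time

ORIGIN = "https://app.example"     # assumed site origin, used for the Origin check
SESSION_COOKIE = "__Host-session"  # __Host- prefix: browsers accept it only with Secure, Path=/ and no Domain
ABSOLUTE_TTL = 8 * 3600            # session ends 8 h after login regardless of activity
IDLE_TTL = 30 * 60                 # ...or after 30 min without a request
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class SessionStore:
    """Stateful: the server holds everything, so logout and revocation are immediate."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits; the cookie value is only a lookup key
        now = self.clock()
        self._sessions[sid] = {"user_id": user_id, "csrf": secrets.token_urlsafe(32),
                               "created": now, "last_seen": now}
        return sid

    def get(self, sid: str):
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["created"] > ABSOLUTE_TTL or now - session["last_seen"] > IDLE_TTL:
            self.revoke(sid)
            return None
        session["last_seen"] = now
        return session

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str, max_age: int = ABSOLUTE_TTL) -> str:
    """Set-Cookie value: HttpOnly keeps it away from script, Secure keeps it off plain
    HTTP, SameSite=Lax stops cross-site POSTs from carrying it."""
    return f"{SESSION_COOKIE}={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_session_cookie() -> str:
    """Logout response header; pair it with store.revoke(sid) on the server."""
    return session_cookie("", max_age=0)


def authenticate(request: dict, store: SessionStore):
    """Return (session, error). The cookie is the credential; state-changing methods
    must also carry the session's CSRF token and a same-site Origin header."""
    headers, cookies = request.get("headers", {}), request.get("cookies", {})
    sid = cookies.get(SESSION_COOKIE)
    if not sid:
        return None, "no_session"
    session = store.get(sid)
    if session is None:
        return None, "expired_or_revoked"
    if request["method"] not in SAFE_METHODS:
        if headers.get("Origin") != ORIGIN:
            return None, "bad_origin"
        if not hmac.compare_digest(headers.get("X-CSRF-Token", "").encode(), session["csrf"].encode()):
            return None, "bad_csrf"
    return session, None
```

The CSRF token is bound to the session and never leaves it except through a page the server renders (or a same-origin fetch), so a cross-site form cannot supply it; the Origin check is an independent second layer for browsers that send the header. A JWT placed in the same kind of cookie needs exactly the same CSRF treatment, which is the part people forget when they move a token out of localStorage.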
Full instructions (SKILL.md)
Source of truth, from wshobson/agents.
name: auth-implementation-patterns
description: Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
Authentication & Authorization Implementation Patterns
Build secure, scalable authentication and authorization systems using industry-standard patterns and modern best practices.
When to Use This Skill
- Implementing user authentication systems
- Securing REST or GraphQL APIs
- Adding OAuth2/social login
- Implementing role-based access control (RBAC)
- Designing session management
- Migrating authentication systems
- Debugging auth issues
- Implementing SSO or multi-tenancy
Core Concepts
1. Authentication vs Authorization
Authentication (AuthN): Who are you?
- Verifying identity (username/password, OAuth, biometrics)
- Issuing credentials (sessions, tokens)
- Managing login/logout
Authorization (AuthZ): What can you do?
- Permission checking
- Role-based access control (RBAC)
- Resource ownership validation
- Policy enforcement
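The four authorization bullets above (permission checking, RBAC, resource ownership, policy enforcement) in working code, as an added example that is not the skill's own code: deny-by-default RBAC where roles map to permissions, owner-scoped permissions require ownership unless the caller is an admin, every check also enforces tenant isolation, and a decorator applies the check server-side before a handler runs. The role table, permission names and dict-shaped resources are assumptions for the demo.

```python
"""Deny-by-default RBAC with ownership and tenant checks (added example,
not the skill's own code). The role table, permission names and the
dict-shaped resources are assumptions for the demo.
"""
from __future__ import annotations
import functools
from dataclasses import dataclass

ROLE_PERMISSIONS = {
    "viewer": {"doc:read"},
    "editor": {"doc:read", "doc:update"},
    "admin": {"doc:read", "doc:update", "doc:delete", "user:manage"},
}
OWNER_SCOPED = {"doc:update", "doc:delete"}  # only on your own docs, unless admin


@dataclass(frozen=True)
class Principal:
    """What the server established about the caller; never built from client-supplied roles."""
    user_id: str
    tenant_id: str
    roles: frozenset


class Forbidden(Exception):
    pass


def permissions_for(principal: Principal) -> set:
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def authorize(principal: Principal, permission: str, resource: dict | None = None) -> None:
    """Raise Forbidden unless the principal holds `permission` and, when a resource is
    given, belongs to the same tenant and (for owner-scoped permissions) owns it."""
    if permission not in permissions_for(principal):
        raise Forbidden(f"{principal.user_id} lacks {permission}")
    if resource is None:
        return
    if resource["tenant_id"] != principal.tenant_id:
        raise Forbidden("cross-tenant access")  # even admins stay inside their tenant
    if (permission in OWNER_SCOPED and "admin" not in principal.roles
            and resource["owner_id"] != principal.user_id):
        raise Forbidden("not the owner")


def can(principal: Principal, permission: str, resource: dict | None = None) -> bool:
    try:
        authorize(principal, permission, resource)
        return True
    except Forbidden:
        return False


def requires(permission: str):
    """Decorator: the policy check runs server-side before the handler body."""
    def wrap(handler):
        @functools.wraps(handler)
        def inner(principal, resource=None, **kwargs):
            authorize(principal, permission, resource)
            return handler(principal, resource, **kwargs)
        return inner
    return wrap


DOCS = {  # constructed sample data
    "d1": {"id": "d1", "tenant_id": "t1", "owner_id": "alice", "body": "draft"},
    "d2": {"id": "d2", "tenant_id": "t1", "owner_id": "bob", "body": "plan"},
}


@requires("doc:update")
def update_doc(principal, resource, body):
    resource["body"] = body
    return resource["id"]


@requires("doc:delete")
def delete_doc(principal, resource):
    DOCS.pop(resource["id"])
    return resource["id"]
```

The split between `can()` and `authorize()` matters: UI code asks `can()` to hide a button, handlers call `authorize()` and let the exception become a 403, so hiding the button never substitutes for the server-side check.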
2. Authentication Strategies
Session-Based:
- Server stores session state
- Session ID in cookie
- Traditional, simple, stateful
Token-Based (JWT):
- Stateless, self-contained
- Scales horizontally
- Can store claims
OAuth2/OpenID Connect:
- Delegate authentication to an identity provider
- Social login (Google, GitHub)
- Enterprise SSO
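The token-based strategy in working code, as an added example that is not the skill's own code and uses only the standard library rather than a JWT library: HS256 access tokens that expire after 15 minutes, a `kid` header so signing secrets can be rotated without invalidating tokens signed by the previous key, and opaque refresh tokens that are stored hashed and rotated on every use, with reuse detection. ISSUER, AUDIENCE, the key table and the injectable clock are assumptions for the demo.

```python
"""HS256 JWTs with expiry, key rotation and refresh-token rotation.

Added example, not the skill's own code; standard library only (no PyJWT).
Assumptions: ISSUER/AUDIENCE are placeholders, signing keys live in a dict
keyed by kid, refresh tokens are opaque and stored as SHA-256 hashes.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60             # short-lived: a stolen token is useful for minutes, not days
REFRESH_TTL = 14 * 24 * 3600
ISSUER = "https://auth.example"  # assumed
AUDIENCE = "api.example"         # assumed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self, keys: dict, current_kid: str, clock=time.time):
        self.keys, self.current_kid, self.clock = keys, current_kid, clock
        self._refresh: dict = {}  # sha256(refresh token) -> record

    def mint_access(self, sub: str, roles: list) -> str:
        now = int(self.clock())
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current_kid}
        claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "roles": roles,
                  "iat": now, "exp": now + ACCESS_TTL}
        signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                                 for part in (header, claims))
        sig = hmac.new(self.keys[self.current_kid], signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def verify_access(self, token: str) -> dict | None:
        """Return the claims or None. Every failure is a flat None: callers get no hint why."""
        try:
            h64, p64, s64 = token.split(".")
            header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
            sig = _b64url_decode(s64)
        except ValueError:  # bad structure, padding, UTF-8 or JSON
            return None
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
        if header.get("alg") != "HS256":        # pin the algorithm server-side; never let the token choose
            return None
        key = self.keys.get(header.get("kid"))  # retired or unknown kid -> reject
        if key is None:
            return None
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= self.clock():
            return None
        return claims

    def issue_refresh(self, sub: str, roles: list, family: str | None = None) -> str:
        raw = secrets.token_urlsafe(32)
        self._refresh[hashlib.sha256(raw.encode()).hexdigest()] = {
            "sub": sub, "roles": roles, "family": family or secrets.token_hex(8),
            "exp": self.clock() + REFRESH_TTL, "used": False}
        return raw

    def rotate_refresh(self, raw: str) -> tuple | None:
        """Exchange a refresh token for a new (access, refresh) pair. A token that was
        already rotated being presented again means it leaked: kill the whole family."""
        rec = self._refresh.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is None or rec["exp"] <= self.clock():
            return None
        if rec["used"]:
            for other in self._refresh.values():
                if other["family"] == rec["family"]:
                    other["exp"] = 0
            return None
        rec["used"] = True
        return (self.mint_access(rec["sub"], rec["roles"]),
                self.issue_refresh(rec["sub"], rec["roles"], rec["family"]))
```

Rotating a secret is then a two-step operation: add the new key under a new `kid` and make it current, then remove the old `kid` once every token it signed has expired (at most ACCESS_TTL later). Verification pins the algorithm and picks the key from the server's own table, so a token that names `"alg": "none"` or an unknown `kid` is rejected before any signature work happens.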
Detailed patterns and worked examples
Detailed pattern documentation lives in references/details.md. Read that file when the navigation tier above is insufficient.
Best Practices
- Never Store Plain Passwords: Always hash with bcrypt/argon2
- Use HTTPS: Encrypt data in transit
- Short-Lived Access Tokens: 15-30 minutes max
- Secure Cookies: httpOnly, secure, sameSite flags
- Validate All Input: Email format, password strength
- Rate Limit Auth Endpoints: Prevent brute force attacks
- Implement CSRF Protection: For session-based auth
- Rotate Secrets Regularly: JWT secrets, session secrets
- Log Security Events: Login attempts, failed auth
- Use MFA When Possible: Extra security layer
Common Pitfalls
- Weak Passwords: Enforce strong password policies
- JWT in localStorage: Readable by any XSS payload; deliver it in an httpOnly cookie (with sameSite and CSRF protection)
- No Token Expiration: Tokens should expire
- Client-Side Auth Checks Only: Always validate server-side
- Insecure Password Reset: Use secure tokens with expiration
- No Rate Limiting: Vulnerable to brute force
- Trusting Client Data: Always validate on server
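The "Insecure Password Reset" pitfall fixed in working code, as an added example that is not the skill's own code: reset tokens are random, stored only as a SHA-256 hash, expire after 15 minutes, are consumed on first use, and a newer request supersedes older links; the reply to a reset request is the same whether or not the address exists. The user table, RESET_URL and the injectable clock are assumptions for the demo.

```python
"""Password-reset tokens done safely (added example, not the skill's own code).

Assumptions: USERS_BY_EMAIL is a constructed table, RESET_URL is a placeholder,
the clock is injectable, and "sending mail" means returning the link.
"""
import hashlib
import secrets
import time

RESET_TTL = 15 * 60
RESET_URL = "https://app.example/reset"              # assumed
USERS_BY_EMAIL = {"alice@example.com": "u-alice"}  # constructed
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


class PasswordResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at); the raw token is never stored

    def request(self, email: str):
        """Return (reply, link_or_None). The reply is identical for unknown addresses
        so the endpoint cannot be used to enumerate accounts; the link goes to the mailer."""
        user_id = USERS_BY_EMAIL.get(email)
        if user_id is None:
            return GENERIC_REPLY, None
        # One live token per user: a new request invalidates earlier links.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (user_id, self.clock() + RESET_TTL)
        return GENERIC_REPLY, f"{RESET_URL}?token={token}"

    def redeem(self, token: str):
        """Return the user_id the token belongs to, or None. pop() makes it single-use
        even when the expiry check fails afterwards."""
        rec = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if rec is None:
            return None
        user_id, expires_at = rec
        if self.clock() > expires_at:
            return None
        return user_id
```

After a successful `redeem()` the caller sets the new password hash and should revoke every existing session for that user, since a reset usually means the old credential was lost or stolen. Storing only the hash means a leaked database dump does not contain usable reset links.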
Related skills
More from wshobson/agents and the wider catalog.
tailwind-design-system
Build production-ready design systems with Tailwind CSS v4, design tokens, and component libraries.
typescript-advanced-types
Master TypeScript's advanced type system: generics, conditional types, mapped types, and utility types for type-safe applications.
nodejs-backend-patterns
Build production-ready Node.js backends with Express/Fastify, middleware patterns, auth, and database integration.
python-performance-optimization
Profile and optimize Python code using cProfile, memory profilers, and performance best practices.
brand-landingpage
Brand-first landing page designer with guided interviews and Stitch-powered iteration.
python-testing-patterns
Implement comprehensive testing strategies with pytest, fixtures, mocking, and test-driven development.