@tank/auth-patterns
Version 1.1.0 (Skill)
Description
Auth patterns for any stack. JWT, OAuth2 (PKCE, Client Credentials, Device Code), sessions, RBAC/ABAC/ReBAC, OpenID Connect, social login, MFA (TOTP, WebAuthn/passkeys), and auth security (XSS/CSRF, token storage).
Triggered by: JWT, OAuth2, PKCE, session management, RBAC, ABAC
Install: tank install @tank/auth-patterns
Auth Patterns
Core Philosophy
- Authentication is not authorization: solve them separately. Authentication proves identity; authorization enforces what that identity may do.
- Default deny: all resources are denied unless explicitly permitted. Never default allow.
- Shortest lifetime possible: access tokens 5-15 minutes; sessions idle + absolute timeout; backup codes one use. Shorter lifetime = smaller breach window.
- Validate every input, every time: JWT signature, expiry, issuer, audience, nonce. Skipping one check is the vulnerability.
- Store nothing sensitive client-side: tokens in HttpOnly cookies, secrets in secret managers, TOTP seeds encrypted at rest.
Quick-Start: Common Problems
"Which auth approach should I use?"
| App Type | Recommended |
|---|---|
| Server-rendered web app | Server-side sessions + HttpOnly cookie |
| SPA / mobile calling your own API | Auth Code + PKCE → short-lived JWT in HttpOnly cookie |
| Microservices (your API → your API) | Client Credentials → short-lived JWT |
| Third-party delegated access | Auth Code + PKCE with consent screen |
| "Sign in with Google/GitHub" | OIDC → Auth Code + PKCE |
→ See references/oauth2-flows.md and references/jwt-internals.md
"My JWT implementation feels wrong"
- Are you pinning the algorithm in code (not trusting the token header)? → Verify
- Are you validating iss, aud, exp, and signature? → All four required
- Where is the token stored? localStorage = wrong → move to HttpOnly cookie
- Access token lifespan > 15 minutes? → Shorten it
→ See references/jwt-internals.md
"I need to add MFA"
- Pick primary method: TOTP (practical baseline) or WebAuthn/passkeys (phishing-resistant)
- Always generate backup codes at enrollment
- Implement step-up auth for sensitive operations (password change, payments)
→ See references/mfa-implementation.md
"How do I model permissions?"
- Start with RBAC → users → roles → permissions
- Hitting role explosion? Move resource-specific access to ABAC
- Sharing / collaboration model? Consider ReBAC (Zanzibar)
→ See references/rbac-abac.md
"Social login edge cases are biting me"
- Use sub (not email) as the stable user identifier per provider
- Always check email_verified: true before trusting email
- Validate nonce, iss, aud, and signature on ID tokens
→ See references/oidc-social-login.md
Decision Trees
Token vs Session
| Signal | Use |
|---|---|
| Traditional server-rendered app | Server-side sessions |
| Immediate revocation required | Server-side sessions (or opaque tokens + introspection) |
| Multiple independent services verify token | JWT (asymmetric: RS256 or EdDSA) |
| Single service | JWT (symmetric: HS256) or sessions |
| "Stateless" is a hard requirement | JWT with short expiry + refresh rotation |
JWT Signing Algorithm
| Situation | Algorithm |
|---|---|
| Multiple services verify | RS256 or EdDSA (Ed25519) |
| Single service, simple | HS256 with 256-bit random secret |
| New system, modern stack | EdDSA (fastest, most secure) |
| Widest library compatibility needed | RS256 |
| Never | none, MD5, SHA-1 |
Authorization Model
| Signal | Model |
|---|---|
| Permissions map to job functions | RBAC |
| Access depends on resource/context attributes | ABAC |
| Sharing and ownership relationships drive access | ReBAC |
| Multi-tenant SaaS | RBAC + tenant-scoped namespacing |
| Role count > user count | Refactor to ABAC or hierarchy |
MFA Method
| Context | Method |
|---|---|
| Privileged accounts, enterprise | Hardware key (FIDO2 roaming) |
| Consumer apps, best UX | Passkeys (synced FIDO2) |
| Practical baseline anywhere | TOTP authenticator app |
| Absolute last resort only | SMS OTP |
Reference Files
| File | Contents |
|---|---|
| references/jwt-internals.md | JWT structure, signing algorithms (RS256/HS256/EdDSA), validation steps, attack vectors (none alg, alg confusion, kid injection), access/refresh token patterns, revocation strategies |
| references/oauth2-flows.md | All grant types (Auth Code, PKCE, Client Credentials, Device Code), token endpoint, scope design, refresh token rotation, deprecated implicit grant |
| references/session-management.md | Server-side session storage (Redis vs DB), cookie security attributes (HttpOnly, Secure, SameSite), session ID generation, session fixation, concurrent sessions, expiry strategies |
| references/rbac-abac.md | RBAC levels (0-3), role explosion prevention, ABAC vs RBAC selection, ReBAC/Zanzibar model, multi-tenant authorization, permission modeling, enforcement patterns |
| references/oidc-social-login.md | OIDC on OAuth2, ID token vs access token, nonce, standard scopes, provider patterns, user mapping, account linking, edge cases, JIT provisioning |
| references/mfa-implementation.md | TOTP algorithm and storage, WebAuthn/passkeys registration and authentication flows, SMS weaknesses, backup codes, step-up authentication, recovery flows |
| references/auth-security.md | Token storage (HttpOnly cookies vs localStorage), XSS defense (CSP, SRI), CSRF prevention (SameSite, synchronizer tokens), rate limiting, credential stuffing, secure headers, password hashing |