ClaudeWave
Skill · 374 repo stars · updated 6 months ago

securing-authentication

This skill provides implementations for modern authentication and authorization systems, covering OAuth 2.1/OIDC flows, JWT patterns, passwordless authentication with WebAuthn, and fine-grained access control through RBAC/ABAC/ReBAC architectures. Use it when building user login systems, securing APIs, implementing SSO integrations, adding role-based permissions, or migrating from legacy password-based authentication to contemporary standards across Python, Rust, Go, and TypeScript environments.

Install in Claude Code

git clone --depth 1 https://github.com/ancoleman/ai-design-components /tmp/securing-authentication && cp -r /tmp/securing-authentication/skills/securing-authentication ~/.claude/skills/securing-authentication
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Authentication & Security

Implement modern authentication, authorization, and API security across Python, Rust, Go, and TypeScript.

## When to Use This Skill

Use this skill when:
- Building user authentication systems (login, signup, SSO)
- Implementing authorization (roles, permissions, access control)
- Securing APIs (JWT validation, rate limiting)
- Adding passwordless auth (Passkeys/WebAuthn)
- Migrating from password-based to modern auth
- Integrating enterprise SSO (SAML, OIDC)
- Implementing fine-grained permissions (RBAC, ABAC, ReBAC)

## OAuth 2.1 Mandatory Requirements

```
┌─────────────────────────────────────────────────────────────┐
│           OAuth 2.1 MANDATORY REQUIREMENTS                  │
│       (IETF draft-ietf-oauth-v2-1, not yet an RFC)          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ✅ REQUIRED (Breaking Changes from OAuth 2.0)             │
│  ├─ PKCE (RFC 7636) on every authorization code request    │
│  │   └─ S256 only; code_verifier 43-128 chars built from   │
│  │      >= 32 random octets (base64url = 43 chars)         │
│  ├─ Exact redirect URI matching                            │
│  │   └─ No wildcard matching, no substring matching       │
│  ├─ Public clients: authorization code + PKCE or device    │
│  │   authorization grant only                              │
│  │   └─ client_credentials needs a confidential client    │
│  ├─ Refresh tokens for public clients: one-time use        │
│  │   (rotation) or sender-constrained (DPoP, mTLS)         │
│  └─ TLS (1.2+, per BCP 195) required for all endpoints     │
│                                                             │
│  ❌ REMOVED (No Longer Supported)                          │
│  ├─ Implicit grant (tokens exposed in the URL fragment)    │
│  ├─ Resource Owner Password Credentials grant              │
│  │   └─ Use authorization code + PKCE; on input-          │
│  │      constrained devices use the Device Authorization  │
│  │      grant (RFC 8628)                                   │
│  └─ Bearer token in query parameters                       │
│      └─ Must use Authorization header or POST body        │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```

**Critical:** PKCE is required for every client that uses the authorization code grant, confidential clients included; it is no longer a public-client-only measure. It does not apply to grants that carry no authorization code (client credentials, device authorization).
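The two checks the box calls out, as an added example written for this page rather than code from the skill: client-side PKCE generation per RFC 7636, the authorization server's verification at the token endpoint, and exact redirect URI matching. The function names (`VerifyPKCE`, `RedirectURIAllowed`) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Added example, not the skill's own code: PKCE per RFC 7636 plus the exact
// redirect_uri comparison OAuth 2.1 requires of the authorization server.

// verifierRe is the RFC 7636 grammar for code_verifier: 43..128 unreserved chars.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// NewCodeVerifier returns 32 random octets, base64url-encoded without padding.
// 32 octets is the entropy RFC 7636 recommends and encodes to exactly 43 chars.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives the code_challenge the client sends to /authorize.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the authorization server's check at the token endpoint.
// storedChallenge is what was bound to the authorization code at /authorize.
// Only S256 is accepted; "plain" is not permitted by OAuth 2.1.
func VerifyPKCE(method, storedChallenge, verifier string) error {
	if method != "S256" {
		return fmt.Errorf("pkce: method %q not allowed, only S256", method)
	}
	if !verifierRe.MatchString(verifier) {
		return errors.New("pkce: code_verifier must be 43-128 unreserved chars")
	}
	got := CodeChallengeS256(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return errors.New("pkce: code_verifier does not match code_challenge")
	}
	return nil
}

// RedirectURIAllowed is exact string matching against the registered set:
// no prefix, wildcard, host-only or case-insensitive comparison.
func RedirectURIAllowed(registered []string, requested string) bool {
	for _, r := range registered {
		if r == requested {
			return true
		}
	}
	return false
}

func main() {
	verifier, err := NewCodeVerifier() // client side, kept in memory until /token
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier) // sent with the /authorize request
	fmt.Println("verifier length:", len(verifier))
	fmt.Println("token endpoint check:", VerifyPKCE("S256", challenge, verifier))
	fmt.Println("plain method rejected:", VerifyPKCE("plain", verifier, verifier) != nil)
}
```

The verifier never leaves the client until the token request, so an attacker who intercepts the authorization code (a leaked redirect, a malicious app registered for the same custom scheme) cannot redeem it.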

## JWT Best Practices

### Signing Algorithms (Priority Order)

1. **EdDSA with Ed25519** (Recommended)
   - Fastest signing and verification
   - 64-byte signatures, 32-byte keys
   - Deterministic: no per-signature nonce to get wrong (ECDSA's classic failure)
   - Check support first: some IdPs, cloud KMS services and older JOSE libraries lack it

2. **ES256 (ECDSA with P-256)**
   - Good performance, 64-byte signatures
   - Widest support among asymmetric JWS algorithms
   - Needs a good RNG or RFC 6979 deterministic nonces

3. **RS256 (RSA PKCS#1 v1.5, 2048-bit keys minimum)**
   - Legacy compatibility
   - 256-byte signatures
   - Slowest signing

Use an asymmetric algorithm whenever the verifier is not the issuer: with HS256 every service that can verify a token can also mint one.

**NEVER accept `alg: none`, and never let the token choose the algorithm.** Pin the expected algorithm (and key type) in the verifier. A verifier that trusts the header can be switched from RS256/ES256 to HS256 and handed the public key as the HMAC secret, which is the classic key-confusion attack.

### Token Lifetimes (Concrete Values)

- **Access token:** 5-15 minutes; it cannot be revoked cheaply, so keep it short
- **Refresh token:** 1-7 days, rotated on every use, with an absolute session lifetime
- **ID token:** short (5-15 minutes); it tells the client who logged in and must not be sent to APIs in place of an access token

**Refresh token rotation:** Each refresh returns a new access token AND a new refresh token and invalidates the one just used. Track refresh tokens by family (one family per login): if an already-used refresh token is presented again, treat it as theft and revoke the whole family, which logs out both the attacker and the legitimate client.
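Rotation with reuse detection, as an added example rather than the skill's own code, in Go with an in-memory store. The token-family scheme, the hashing of tokens at rest and the names (`RefreshStore`, `Rotate`) are this example's assumptions; a deployment would back the same logic with a database.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Added example, not the skill's own code: refresh-token rotation with
// reuse detection. Tokens are opaque random strings; only their SHA-256 is
// stored, so a database leak yields nothing usable. Every token belongs to
// a family started at login; presenting an already rotated token revokes
// the whole family, because someone is replaying a stolen value.

var (
	ErrUnknownToken = errors.New("refresh: unknown or revoked token")
	ErrExpired      = errors.New("refresh: token expired")
	ErrReuse        = errors.New("refresh: token reuse detected, family revoked")
)

type refreshRecord struct {
	Subject   string
	Family    string
	ExpiresAt time.Time
	Used      bool
}

type RefreshStore struct {
	mu      sync.Mutex
	byHash  map[string]*refreshRecord
	revoked map[string]bool // revoked families
	TTL     time.Duration
	Now     func() time.Time // injectable clock for tests
}

func NewRefreshStore(ttl time.Duration) *RefreshStore {
	return &RefreshStore{byHash: map[string]*refreshRecord{}, revoked: map[string]bool{}, TTL: ttl, Now: time.Now}
}

func random(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return hex.EncodeToString(b)
}

func hashToken(tok string) string { sum := sha256.Sum256([]byte(tok)); return hex.EncodeToString(sum[:]) }

// Issue starts a new family at login (family == "") and returns the opaque
// token plus its family id; only the token's hash is kept server-side.
func (s *RefreshStore) Issue(subject, family string) (token, fam string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueLocked(subject, family)
}

func (s *RefreshStore) issueLocked(subject, family string) (string, string) {
	if family == "" {
		family = random(8)
	}
	tok := random(32)
	s.byHash[hashToken(tok)] = &refreshRecord{Subject: subject, Family: family, ExpiresAt: s.Now().Add(s.TTL)}
	return tok, family
}

// Rotate exchanges a refresh token for a new one in the same family; the
// caller mints the short-lived access token alongside it.
func (s *RefreshStore) Rotate(presented string) (newToken, subject string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[hashToken(presented)]
	if !ok || s.revoked[rec.Family] {
		return "", "", ErrUnknownToken
	}
	if rec.Used { // replay; checked before expiry so a stale stolen token still trips it
		s.revoked[rec.Family] = true
		return "", "", ErrReuse
	}
	if s.Now().After(rec.ExpiresAt) {
		return "", "", ErrExpired
	}
	rec.Used = true
	newToken, _ = s.issueLocked(rec.Subject, rec.Family)
	return newToken, rec.Subject, nil
}

func main() {
	st := NewRefreshStore(7 * 24 * time.Hour)
	t1, _ := st.Issue("user-id-123", "")
	t2, _, err := st.Rotate(t1)
	fmt.Println("rotate ok:", err == nil)
	_, _, err = st.Rotate(t1) // replay of the old token by an attacker
	fmt.Println("replay:", err)
	_, _, err = st.Rotate(t2) // the legitimate client's token is dead too
	fmt.Println("after revocation:", err)
}
```

The reuse check runs before the expiry check on purpose: a stolen token that has already expired is still evidence of theft, and revoking the family is the only safe response.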

### Token Storage

- **Access token:** Memory only (never localStorage or sessionStorage, which any XSS can read)
- **Refresh token:** Cookie with `HttpOnly; Secure; SameSite=Strict`, scoped with `Path` to the refresh endpoint so it is not sent with every request
- **CSRF token:** The refresh endpoint is cookie-authenticated, so it still needs CSRF protection; a separate non-HttpOnly cookie whose value the client echoes in a request header (double submit) is the usual pattern
- **Never log tokens:** Redact `Authorization` headers and cookies in application and proxy logs

### JWT Claims (Validate on Every Request)

The verifier must check `iss`, `aud` and `exp` on every token, not just the signature; `jti` makes revocation and replay detection possible, and `scope` carries the OAuth permissions the API enforces. Note that `exp` is later than `iat` (here by 10 minutes):

```json
{
  "iss": "https://auth.example.com",
  "sub": "user-id-123",
  "aud": "api.example.com",
  "exp": 1234568490,
  "iat": 1234567890,
  "jti": "unique-token-id",
  "scope": "read:profile write:data"
}
```
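One verifier that enforces both the algorithm rules and the claims above, added here as an example rather than the skill's code, in Go with the standard library's `crypto/ed25519`. The `kid`-keyed key map, the 60-second leeway and the `Sign`/`Verify` signatures are this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not the skill's own code: EdDSA (Ed25519) JWT sign/verify
// against the standard library so every check is visible. In production use
// a maintained JOSE library configured with the same constraints.

type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Jti   string `json:"jti"`
	Scope string `json:"scope,omitempty"`
}

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"` // which verification key; enables rotation
}

var b64 = base64.RawURLEncoding

func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Sign mints a JWT with the given key id.
func Sign(priv ed25519.PrivateKey, kid string, c Claims) (string, error) {
	h, err := json.Marshal(header{Alg: "EdDSA", Kid: kid})
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify pins the algorithm: a header that is not exactly alg=EdDSA is
// rejected before the signature is examined, so "none" and key-confusion
// tokens never reach a key. Claims are then checked against the expected
// issuer and audience with a 60-second clock-skew allowance.
func Verify(keys map[string]ed25519.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	var h header
	if err := decodeSegment(parts[0], &h); err != nil || h.Alg != "EdDSA" {
		return nil, fmt.Errorf("jwt: algorithm %q not allowed", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("jwt: unknown kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("jwt: signature invalid")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, errors.New("jwt: bad payload")
	}
	t := now.Unix()
	switch {
	case c.Iss != wantIss:
		return nil, errors.New("jwt: issuer mismatch")
	case c.Aud != wantAud:
		return nil, errors.New("jwt: audience mismatch")
	case c.Exp == 0 || t > c.Exp+60:
		return nil, errors.New("jwt: expired")
	case c.Jti == "":
		return nil, errors.New("jwt: missing jti")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	now := time.Now().Unix()
	tok, _ := Sign(priv, "k1", Claims{Iss: "https://auth.example.com", Sub: "user-id-123", Aud: "api.example.com", Exp: now + 600, Iat: now, Jti: "unique-token-id"})
	c, err := Verify(map[string]ed25519.PublicKey{"k1": pub}, tok, "https://auth.example.com", "api.example.com", time.Now())
	fmt.Println("verified:", err == nil && c.Sub == "user-id-123")
}
```

Note that the signature is checked before the payload is even decoded: nothing from an unauthenticated payload should influence control flow, which is also why the verifier, not the token, decides the algorithm.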

## Password Hashing with Argon2id

### Recommended Parameters

```
Algorithm: Argon2id
Memory cost (m): 64 MiB (65536 KiB)
Time cost (t): 3 iterations
Parallelism (p): 4 lanes
Salt length: 16 bytes (128 bits), random per password
Output length: 32 bytes
Target hash time: 150-250 ms
```

These are the second of the two configurations RFC 9106 recommends. The OWASP Password Storage Cheat Sheet's minimum is m=19 MiB, t=2, p=1; treat that as the floor and move up from it, never below.

### Implementation

For concrete implementations, see `references/password-hashing.md`.

**Key Points:**
- Argon2id is hybrid: the first pass is data-independent (resists side channels), later passes are data-dependent (resists GPU and time-memory trade-off attacks)
- Raise memory cost first, then time cost, until a hash takes 150-250 ms on the hardware that serves logins; `p` lanes only help when that many cores are actually free
- Verify with the library's constant-time verify function; never compare encoded hashes with `==`
- Migrate from bcrypt gradually: verify with the old algorithm at login, then rehash with Argon2id and replace the stored value; reuse the same "needs rehash" path whenever you raise the parameters
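Added example, not the skill's own code: a Go helper that decides after a successful login whether the stored hash must be rehashed under the parameters above, covering both weaker Argon2 parameters and legacy bcrypt hashes. The PHC string layout is what argon2 libraries emit; the salt and hash values in the sample strings are constructed, and `NeedsRehash`/`CurrentPolicy` are this example's names.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Added example, not the skill's own code: decide at login time whether a
// stored hash must be upgraded. It parses the PHC string that argon2
// libraries emit ("$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>"), compares
// the embedded parameters with the current policy and flags bcrypt hashes
// ("$2a$", "$2b$", "$2y$") for migration. Password verification itself is
// left to the library; call NeedsRehash only after a successful verify.

type Argon2Policy struct {
	MemoryKiB   uint32 // m
	Iterations  uint32 // t
	Parallelism uint32 // p
}

// CurrentPolicy is the RFC 9106 second recommended option used in the table above.
var CurrentPolicy = Argon2Policy{MemoryKiB: 65536, Iterations: 3, Parallelism: 4}

type Argon2Params struct {
	Variant string // argon2id, argon2i, argon2d
	Version int    // 19 == 0x13
	Argon2Policy
	SaltB64, HashB64 string // PHC base64: standard alphabet, no padding
}

func ParsePHC(s string) (*Argon2Params, error) {
	f := strings.Split(s, "$") // the leading "$" gives an empty f[0]
	if len(f) != 6 || f[0] != "" || !strings.HasPrefix(f[1], "argon2") || !strings.HasPrefix(f[2], "v=") {
		return nil, errors.New("phc: not an argon2 string")
	}
	p := &Argon2Params{Variant: f[1], SaltB64: f[4], HashB64: f[5]}
	v, err := strconv.Atoi(f[2][2:])
	if err != nil {
		return nil, errors.New("phc: bad version")
	}
	p.Version = v
	for _, kv := range strings.Split(f[3], ",") {
		pair := strings.SplitN(kv, "=", 2)
		if len(pair) != 2 {
			return nil, errors.New("phc: bad parameter " + kv)
		}
		n, err := strconv.ParseUint(pair[1], 10, 32)
		if err != nil {
			return nil, errors.New("phc: bad parameter " + kv)
		}
		switch pair[0] {
		case "m":
			p.MemoryKiB = uint32(n)
		case "t":
			p.Iterations = uint32(n)
		case "p":
			p.Parallelism = uint32(n)
		default:
			return nil, errors.New("phc: unknown parameter " + pair[0])
		}
	}
	if p.MemoryKiB == 0 || p.Iterations == 0 || p.Parallelism == 0 {
		return nil, errors.New("phc: missing m, t or p")
	}
	return p, nil
}

// NeedsRehash reports whether the stored hash should be replaced with a
// fresh Argon2id hash under policy, and why.
func NeedsRehash(stored string, policy Argon2Policy) (bool, string) {
	for _, pfx := range []string{"$2a$", "$2b$", "$2y$"} {
		if strings.HasPrefix(stored, pfx) {
			return true, "legacy bcrypt hash"
		}
	}
	p, err := ParsePHC(stored)
	if err != nil {
		return true, err.Error()
	}
	salt, err := base64.RawStdEncoding.DecodeString(p.SaltB64)
	switch {
	case p.Variant != "argon2id":
		return true, "variant " + p.Variant + " is not argon2id"
	case err != nil || len(salt) < 16:
		return true, "salt shorter than 16 bytes"
	case p.MemoryKiB < policy.MemoryKiB:
		return true, fmt.Sprintf("m=%d below policy %d", p.MemoryKiB, policy.MemoryKiB)
	case p.Iterations < policy.Iterations:
		return true, fmt.Sprintf("t=%d below policy %d", p.Iterations, policy.Iterations)
	case p.Parallelism < policy.Parallelism:
		return true, fmt.Sprintf("p=%d below policy %d", p.Parallelism, policy.Parallelism)
	}
	return false, ""
}

func main() {
	for _, h := range []string{ // constructed sample hashes; the hash segment is a placeholder
		"$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQxMjM0NTY3OA$aGFzaA",
		"$argon2id$v=19$m=19456,t=2,p=1$c29tZXNhbHQxMjM0NTY3OA$aGFzaA",
		"$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi",
	} {
		need, why := NeedsRehash(h, CurrentPolicy)
		fmt.Printf("rehash=%-5v %s\n", need, why)
	}
}
```

Because the decision is made only after the presented password verified against the old hash, the plaintext is in hand exactly then and can be rehashed immediately; users who never log in again keep the old hash, which is why an absolute cut-off for legacy hashes is still worth scheduling.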

## Passkeys / WebAuthn

Passkeys provide phishing-resistant, passwordless authentication using FIDO2/WebAuthn.

### When to Use Passkeys

- User-facing applications prioritizing security
- Reducing password-related support burden
- Mobile-first applications (biometric auth)
- Applications requiring MFA without SMS

### Cross-Device Passkey Sync

- **iCloud Keychain:** Apple ecosystem (iOS 16+, macOS 13+)
- **Google Password Manager:** Android, Chrome
- **1Password, Bitwarden:** Third-party password managers

For implementation guide, see `references/passkeys-webauthn.md`.
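What the relying party must verify on each passkey login, as an added example in Go rather than the skill's implementation guide. It assumes an Ed25519 credential (COSE algorithm -8) whose public key was decoded from the registration response by a library, and includes a simulated authenticator so the checks can be exercised offline; the rpID, challenge and origin values are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example, not the skill's own code: the relying-party checks for a
// WebAuthn assertion (login), following WebAuthn Level 2 section 7.2, for a
// credential registered with an Ed25519 key (COSE alg -8). CBOR/COSE decoding
// at registration is assumed to have been done by a library.

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte
	Signature         []byte
}

type StoredCredential struct {
	PublicKey ed25519.PublicKey
	SignCount uint32 // last counter seen for this credential
}

const flagUP, flagUV byte = 0x01, 0x04 // user present, user verified (PIN/biometric)

var ErrAssertion = errors.New("webauthn: assertion rejected")

// VerifyAssertion returns the new signature counter to persist on success.
func VerifyAssertion(a Assertion, cred StoredCredential, rpID, expectedChallenge string,
	allowedOrigins []string, requireUV bool) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return 0, fmt.Errorf("%w: bad clientDataJSON or type", ErrAssertion)
	}
	if cd.Challenge != expectedChallenge { // ties the assertion to this login attempt
		return 0, fmt.Errorf("%w: challenge mismatch", ErrAssertion)
	}
	originOK := false
	for _, o := range allowedOrigins {
		originOK = originOK || o == cd.Origin
	}
	if !originOK { // the browser fills in origin; this is the phishing-resistance check
		return 0, fmt.Errorf("%w: origin %q not allowed", ErrAssertion, cd.Origin)
	}
	ad := a.AuthenticatorData
	if len(ad) < 37 { // rpIdHash(32) + flags(1) + signCount(4)
		return 0, fmt.Errorf("%w: authenticatorData too short", ErrAssertion)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(ad[:32], rpHash[:]) {
		return 0, fmt.Errorf("%w: rpIdHash mismatch", ErrAssertion)
	}
	if flags := ad[32]; flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return 0, fmt.Errorf("%w: UP/UV flags not set", ErrAssertion)
	}
	counter := binary.BigEndian.Uint32(ad[33:37])
	if (counter != 0 || cred.SignCount != 0) && counter <= cred.SignCount {
		return 0, fmt.Errorf("%w: counter did not increase (cloned authenticator?)", ErrAssertion)
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	signed := append(append([]byte{}, ad...), cdHash[:]...) // authData || SHA-256(clientDataJSON)
	if !ed25519.Verify(cred.PublicKey, signed, a.Signature) {
		return 0, fmt.Errorf("%w: signature invalid", ErrAssertion)
	}
	return counter, nil
}

// SimulateAuthenticator produces what a real authenticator returns; it is
// here only so the verifier can be exercised offline.
func SimulateAuthenticator(priv ed25519.PrivateKey, rpID, challenge, origin string, flags byte, counter uint32) Assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append([]byte{}, rpHash[:]...)
	ad = append(ad, flags)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	ad = append(ad, cnt[:]...)
	cdHash := sha256.Sum256(cdj)
	sig := ed25519.Sign(priv, append(append([]byte{}, ad...), cdHash[:]...))
	return Assertion{ClientDataJSON: cdj, AuthenticatorData: ad, Signature: sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	cred := StoredCredential{PublicKey: pub, SignCount: 41}
	a := SimulateAuthenticator(priv, "example.com", "Y2hhbGxlbmdl", "https://example.com", flagUP|flagUV, 42)
	n, err := VerifyAssertion(a, cred, "example.com", "Y2hhbGxlbmdl", []string{"https://example.com"}, true)
	fmt.Println("new counter:", n, "err:", err)
}
```

The origin comparison is where the phishing resistance lives: a lookalike site gets its own origin written into `clientDataJSON` by the browser, and that origin is signed, so the relying party rejects it. Synced passkeys may report a counter of 0 every time, which the spec allows; that is why the counter rule only applies when either side is non-zero.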

## Authorization Models

```
┌─────────────────────────────────────────────────────────────┐
│                Authorization Model Selection                │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  Simple Roles (<20 roles)                                  │
│  └─ RBAC with Casbin (embedded, any language)              │
│      Example: Admin, User, Guest                           │
│                                                             │
│  Complex Attribute Rules                                    │
│  └─ ABAC with OPA or Cerbos                                │
│      Example: "Allow if user.clearance >= doc.level        │
│                AND user.dept == doc.dept"                   │
│                                                             │
│  Relationship-Based (Multi-Tenant, Collaborative)          │
│  └─ ReBAC with SpiceDB (Zanzibar model)                    │
│      Example: "Can edit if member of doc's workspace       │
│                AND workspace.plan includes feature"         │
│      Use cases: Notion-like, GitHub-like permissions       │
│                                                             │
│  Kubernetes / Infrastructure Policies                       │
│  └─ OPA (Gatekeeper for admission control)                 │
│      Example: Enforce pod security policies                │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
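The relationship-based case, as an added example rather than SpiceDB's or the skill's code: a minimal Zanzibar-style checker in Go. The schema, the document/workspace/group tuples and the `Store`/`Check` names are constructed for this page; the attribute condition on `workspace.plan` is deliberately left out, since that is what SpiceDB's caveats cover.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not the skill's own code: a small in-memory Zanzibar-style
// checker showing what SpiceDB evaluates for the document/workspace case
// above. Data is tuples object#relation@subject; a subject is a user or a
// userset "object#relation" (a group's members).

type Tuple struct{ Object, Relation, Subject string }

func cut(s, sep string) (string, string, bool) {
	i := strings.Index(s, sep)
	if i < 0 {
		return s, "", false
	}
	return s[:i], s[i+len(sep):], true
}

// Rule describes how "type#relation" is computed: direct tuples always
// count; Union adds other relations on the same object; ArrowVia/ArrowRel is
// a tuple-to-userset, e.g. parent->member: any member of the parent object.
type Rule struct {
	Union    []string
	ArrowVia string
	ArrowRel string
}

type Store struct {
	Schema map[string]Rule // key "type#relation"
	Tuples []Tuple
}

func typeOf(object string) string { t, _, _ := cut(object, ":"); return t }

// Check answers "does subject have relation on object?" by walking the graph.
func (s *Store) Check(object, relation, subject string) bool {
	return s.check(object, relation, subject, map[string]bool{})
}

func (s *Store) check(object, relation, subject string, seen map[string]bool) bool {
	key := object + "#" + relation
	if seen[key] { // cycle guard, e.g. group A member of group B member of A
		return false
	}
	seen[key] = true
	rule := s.Schema[typeOf(object)+"#"+relation]
	for _, t := range s.Tuples {
		switch {
		case t.Object != object:
		case t.Relation == relation && t.Subject == subject:
			return true
		case t.Relation == relation: // userset subject: recurse into it
			if so, sr, ok := cut(t.Subject, "#"); ok && s.check(so, sr, subject, seen) {
				return true
			}
		case rule.ArrowVia != "" && t.Relation == rule.ArrowVia: // follow the arrow
			if s.check(t.Subject, rule.ArrowRel, subject, seen) {
				return true
			}
		}
	}
	for _, u := range rule.Union {
		if s.check(object, u, subject, seen) {
			return true
		}
	}
	return false
}

// ExampleStore: editors of a document are its direct editors plus every
// member of its parent workspace; viewers include editors; workspace
// admins are members. Tuples are constructed sample data.
func ExampleStore() *Store {
	return &Store{
		Schema: map[string]Rule{
			"document#editor":  {ArrowVia: "parent", ArrowRel: "member"},
			"document#viewer":  {Union: []string{"editor"}},
			"workspace#member": {Union: []string{"admin"}},
		},
		Tuples: []Tuple{
			{"workspace:acme", "admin", "user:alice"},
			{"workspace:acme", "member", "group:eng#member"},
			{"group:eng", "member", "user:bob"},
			{"document:spec", "parent", "workspace:acme"},
			{"document:spec", "viewer", "user:carol"},
			{"document:memo", "editor", "user:dave"},
		},
	}
}

func main() {
	s := ExampleStore()
	for _, u := range []string{"user:alice", "user:bob", "user:carol", "user:dave"} {
		fmt.Printf("%-10s edit spec=%-5v view spec=%v\n", u, s.Check("document:spec", "editor", u), s.Check("document:spec", "viewer", u))
	}
}
```

Alice reaches `document:spec#editor` through three hops (admin, the `member` union, the `parent` arrow) without any tuple naming her on the document; that indirection is what makes ReBAC fit collaborative products, and also why a real engine needs the cycle guard and caching rather than this linear scan.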

Fo