auth-implementation-patterns
Install: claude install-skill SilantevBitcoin/Base-system-Claude
# Authentication & Authorization Implementation Patterns
Build secure authentication (authN) and authorization (authZ) systems using standard patterns. **Authentication** answers "who are you" (verify identity, issue credentials); **authorization** answers "what may you do" (permission checks, RBAC/ABAC, resource ownership). Treat them as separate layers: the authN layer establishes a principal, the authZ layer decides what that principal may do, and neither should reach into the other's data.
## Use this skill when
- Implementing user authentication (login, logout, registration).
- Securing REST / GraphQL APIs with tokens or sessions.
- Adding OAuth2 / social login / SSO.
- Designing session management, RBAC, or permission models.
- Debugging or reviewing authentication / authorization code.
## Choosing an auth strategy
| Strategy | When | Trade-off |
| --- | --- | --- |
| **Session-based** | Server can hold session state; first-party web app | Stateful — needs a shared session store (e.g. Redis) to scale horizontally; natural CSRF surface → use SameSite cookies |
| **Token-based (JWT)** | Stateless services, mobile, service-to-service | Self-contained and scales horizontally; can't be revoked before expiry → keep access tokens short-lived (15–30 min) + DB-backed refresh tokens |
| **OAuth2 / OIDC** | Delegated identity, social login, enterprise SSO | Offload credential handling to an IdP; more moving parts (redirects, callback, token exchange) |
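The JWT row's trade-off is easiest to see in code: an HS256-signed access token is verified with nothing but the signing key (stateless), so it cannot be pulled back before `exp`; revocation lives in a store of refresh tokens, which here is a dict standing in for the database. This is an added example, not code from the skill; the secret, the 15-minute TTL and the `RefreshTokenStore` API are assumptions, and the store keeps only a hash of each refresh token so a leaked table does not yield usable tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for the example; in a real service load it from a secret manager.
SECRET = b"example-signing-key-do-not-use"
ACCESS_TTL = 15 * 60  # short-lived access token, as the table recommends (15-30 min)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub, now=None):
    """Compact JWT layout (header.payload.signature) signed with HS256."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token, now=None):
    """Return the claims if signature and expiry check out, else None.
    No database lookup happens here: that is what makes the token stateless and unrevocable."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the verifier side; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RefreshTokenStore:
    """DB-backed refresh tokens; a dict stands in for the table. Only a SHA-256 of the token is stored."""

    def __init__(self):
        self._rows = {}  # token_hash -> {"sub", "exp", "revoked"}

    @staticmethod
    def _key(raw):
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, sub, now=None, ttl=30 * 86400):
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)
        self._rows[self._key(raw)] = {"sub": sub, "exp": now + ttl, "revoked": False}
        return raw

    def revoke(self, raw):
        """Logout / compromise response: the next rotate() with this token fails."""
        row = self._rows.get(self._key(raw))
        if row is not None:
            row["revoked"] = True

    def rotate(self, raw, now=None):
        """Exchange a live refresh token for a new (access, refresh) pair. The old token is
        revoked on use (rotation), so a replayed refresh token is rejected."""
        now = time.time() if now is None else now
        row = self._rows.get(self._key(raw))
        if row is None or row["revoked"] or row["exp"] <= now:
            return None
        row["revoked"] = True
        return issue_access_token(row["sub"], now), self.issue(row["sub"], now)
```

The practical consequence: revoking a user's refresh tokens bounds the damage from a stolen access token to `ACCESS_TTL`, which is why the table pairs short access-token lifetimes with a revocable refresh token rather than trying to revoke the JWT itself.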
## Authorization models
- **RBAC** — assign permissions to roles, roles to users; optionally a role hierarchy (admin ⊇ moderator ⊇ user).
- **Permission-based / ABAC** — check fine-grained pe
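The RBAC bullet's hierarchy (admin ⊇ moderator ⊇ user) and the resource-ownership check named in the introduction, worked through as an added example that is not part of the skill. The role graph, the `post:<action>` permission strings and the `_own` / `_any` suffix convention are assumptions chosen for the illustration; the decision function denies by default, and the `Principal` it consumes is all the authentication layer hands over.

```python
from dataclasses import dataclass

# Constructed role hierarchy: each role inherits everything its parent roles grant.
ROLE_PARENTS = {"admin": {"moderator"}, "moderator": {"user"}, "user": set()}

# Permissions granted directly at each level. "_own" applies only to resources the caller
# owns; "_any" applies to every resource of that kind.
ROLE_PERMISSIONS = {
    "user": {"post:create", "post:read", "post:edit_own", "post:delete_own"},
    "moderator": {"post:hide", "post:edit_any"},
    "admin": {"post:delete_any", "user:ban"},
}


def effective_permissions(role):
    """Collect the role's own permissions plus those of every ancestor (transitive closure).
    An unknown role yields an empty set, so it can never pass a check."""
    perms, todo, seen = set(), [role], set()
    while todo:
        r = todo.pop()
        if r in seen:
            continue
        seen.add(r)
        perms |= ROLE_PERMISSIONS.get(r, set())
        todo.extend(ROLE_PARENTS.get(r, set()))
    return perms


@dataclass(frozen=True)
class Principal:
    """Output of the authentication layer: identity plus assigned roles, nothing else."""
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Post:
    post_id: str
    owner_id: str


def can(principal, action, post=None):
    """Authorization decision for a post action. Order matters: an '_any' grant wins outright,
    an '_own' grant needs an ownership match, and a bare grant covers non-resource actions."""
    perms = set().union(*(effective_permissions(r) for r in principal.roles))
    if f"post:{action}_any" in perms:
        return True
    if post is not None and f"post:{action}_own" in perms and post.owner_id == principal.user_id:
        return True
    return f"post:{action}" in perms
```

Keeping `can()` as the single chokepoint means an endpoint never compares `owner_id` itself; adding ABAC-style conditions later (time of day, tenant, document classification) is a change inside this function rather than across every handler.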