
securing-authentication

Authentication, authorization, and API security implementation. Use when building user systems, protecting APIs, or implementing access control. Covers OAuth 2.1/OIDC, JWT patterns, sessions, Passkeys/WebAuthn, RBAC/ABAC/ReBAC, policy engines (OPA, Casbin, SpiceDB), managed auth (Clerk, Auth0), self-hosted (Keycloak, Ory), and API security best practices.
ancoleman/ai-design-components · ★ 368 · Web & Frontend · score 80
Install: claude install-skill ancoleman/ai-design-components
# Authentication & Security

Implement modern authentication, authorization, and API security across Python, Rust, Go, and TypeScript.

## When to Use This Skill

Use this skill when:

- Building user authentication systems (login, signup, SSO)
- Implementing authorization (roles, permissions, access control)
- Securing APIs (JWT validation, rate limiting)
- Adding passwordless auth (Passkeys/WebAuthn)
- Migrating from password-based to modern auth
- Integrating enterprise SSO (SAML, OIDC)
- Implementing fine-grained permissions (RBAC, ABAC, ReBAC)

## OAuth 2.1 Mandatory Requirements (2025 Standard)

```
┌─────────────────────────────────────────────────────────────┐
│              OAuth 2.1 MANDATORY REQUIREMENTS               │
│                      (RFC 9798 - 2025)                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ✅ REQUIRED (Breaking Changes from OAuth 2.0)               │
│  ├─ PKCE (Proof Key for Code Exchange) MANDATORY            │
│  │  └─ S256 method (SHA-256), minimum entropy 43 chars      │
│  ├─ Exact redirect URI matching                             │
│  │  └─ No wildcard matching, no substring matching          │
│  ├─ Authorization code flow ONLY for public clients         │
│  │  └─ All other flows require confidential client          │
│  └─ TLS 1.2+ required for all endpoints                     │
│                                                             │
│  ❌ R
```
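The two checks the requirements box puts first, PKCE with the S256 method and exact redirect URI matching, are short enough to show end to end. The following is an added example and not code from the skill or its repository; the function names are hypothetical, it uses only the Python standard library, and the RFC 7636 Appendix B verifier/challenge pair appears as a known-answer check. The client side produces a 43-character verifier and its SHA-256 challenge; the authorization server's token endpoint recomputes the challenge, refuses the `plain` method, and enforces the verifier's length and alphabet before comparing.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 verifier alphabet and length: 43..128 characters from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side. 32 random bytes encode to exactly 43 base64url characters,
    the minimum OAuth 2.1 / RFC 7636 allow; 96 bytes give the 128-char maximum."""
    if n_bytes < 32 or n_bytes > 96:
        raise ValueError("verifier must encode to 43..128 characters")
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def is_valid_verifier(verifier: str) -> bool:
    """Length and alphabet check applied before any hashing on the server."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint. The challenge and method were stored
    with the authorization code at the authorization request; the client now
    presents the verifier. OAuth 2.1 permits S256 only, so 'plain' is refused."""
    if stored_method != "S256":
        return False
    if not is_valid_verifier(presented_verifier):
        return False
    # Constant-time comparison of the recomputed challenge with the stored one.
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def redirect_uri_allowed(registered: tuple[str, ...], requested: str) -> bool:
    """Exact string comparison only: no wildcard, prefix or substring matching,
    so a registered https://app.example/cb admits neither a trailing slash
    nor an added query string."""
    return requested in registered


if __name__ == "__main__":
    # Constructed walk-through of one authorization-code exchange with PKCE.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    # The authorization request carried code_challenge and code_challenge_method=S256;
    # the server stored both against the issued code. At the token endpoint:
    assert verify_pkce(challenge, "S256", verifier)
    # An intercepted authorization code cannot be redeemed without the matching verifier.
    assert not verify_pkce(challenge, "S256", generate_code_verifier())
    print("PKCE S256 round trip ok; verifier length", len(verifier))
```

The verifier stays on the client and is sent only once, over TLS, in the token request; only the challenge travels through the browser in the authorization request. The redirect URI comparison is deliberately a plain equality test over the registered set, which is what "exact matching" in the box means in code.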