| name | auth |
| description | Modern authentication and security patterns for web applications. Expert in JWT tokens, OAuth2 flows, session management, RBAC, MFA, API security, and zero-trust architectures. Framework-agnostic patterns that work with any tech stack. |
| license | MIT |
Authentication & Security Patterns
This skill provides comprehensive authentication and security patterns for modern web applications in 2025, focusing on JWT tokens, OAuth2, multi-factor authentication, and zero-trust security principles that work across different frameworks and databases.
When to Use This Skill
Use this skill when you need to:
- Implement secure authentication with JWT tokens
- Set up OAuth2 social login providers
- Implement role-based access control (RBAC)
- Add multi-factor authentication (MFA)
- Secure API endpoints with proper middleware
- Handle session management and token refresh
- Implement zero-trust security patterns
- Set up WebSocket authentication
- Create audit trails and security logging
Modern Authentication Architecture
1. JWT Token Management with Refresh Tokens
import jwt
import secrets
from datetime import datetime, timedelta
from typing import Optional, Dict, Any
from passlib.context import CryptContext
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
import os
class TokenManager:
"""JWT token management with security best practices"""
def __init__(self):
self.secret_key = os.getenv("JWT_SECRET_KEY", self._generate_secret())
self.algorithm = "HS256"
self.access_token_expire = timedelta(minutes=15)
self.refresh_token_expire = timedelta(days=7)
self.pwd_context = CryptContext(
schemes=["pbkdf2_sha256"],
default="pbkdf2_sha256",
pbkdf2_sha256__default_rounds=120000
)
def _generate_secret(self) -> str:
"""Generate cryptographically secure secret"""
return secrets.token_urlsafe(32)
def create_password_hash(self, password: str) -> str:
"""Create secure password hash"""
return self.pwd_context.hash(password)
def verify_password(self, plain_password: str, hashed_password: str) -> bool:
"""Verify password against hash"""
return self.pwd_context.verify(plain_password, hashed_password)
def create_access_token(
self,
data: Dict[str, Any],
expires_delta: Optional[timedelta] = None
) -> str:
"""Create JWT access token"""
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + self.access_token_expire
to_encode.update({
"exp": expire,
"iat": datetime.utcnow(),
"type": "access",
"jti": secrets.token_urlsafe(16)
})
encoded_jwt = jwt.encode(
to_encode,
self.secret_key,
algorithm=self.algorithm
)
return encoded_jwt
def create_refresh_token(
self,
user_id: str,
device_info: Optional[Dict[str, Any]] = None
) -> Dict[str, Any]:
"""Create secure refresh token with device binding"""
jti = secrets.token_urlsafe(32)
token_data = {
"sub": user_id,
"jti": jti,
"iat": datetime.utcnow(),
"exp": datetime.utcnow() + self.refresh_token_expire,
"type": "refresh",
"device": device_info or {}
}
refresh_token = jwt.encode(
token_data,
self.secret_key,
algorithm=self.algorithm
)
token_hash = self._hash_token(refresh_token)
return {
"token": refresh_token,
"jti": jti,
"expires_at": token_data["exp"],
"token_hash": token_hash
}
def verify_token(self, token: str, token_type: str = "access") -> Dict[str, Any]:
"""Verify and decode JWT token"""
try:
payload = jwt.decode(
token,
self.secret_key,
algorithms=[self.algorithm],
options={"verify_exp": True}
)
if payload.get("type") != token_type:
raise ValueError("Invalid token type")
return payload
except jwt.ExpiredSignatureError:
raise ValueError("Token has expired")
except jwt.JWTError:
raise ValueError("Invalid token")
def revoke_token(self, jti: str):
"""Revoke a token (add to blacklist)"""
pass
def _hash_token(self, token: str) -> str:
"""Hash token for storage"""
return self.pwd_context.hash(token)
token_manager = TokenManager()
2. OAuth2 Provider Integration
from typing import Dict, Any, Optional
from abc import ABC, abstractmethod
import httpx
from urllib.parse import urlencode, parse_qs
class OAuth2Provider(ABC):
"""Base OAuth2 provider implementation"""
def __init__(
self,
client_id: str,
client_secret: str,
redirect_uri: str,
scopes: list
):
self.client_id = client_id
self.client_secret = client_secret
self.redirect_uri = redirect_uri
self.scopes = scopes
@abstractmethod
def get_authorization_url(self, state: str) -> str:
"""Get OAuth2 authorization URL"""
pass
@abstractmethod
async def exchange_code_for_token(self, code: str, state: str) -> Dict[str, Any]:
"""Exchange authorization code for access token"""
pass
@abstractmethod
async def get_user_info(self, access_token: str) -> Dict[str, Any]:
"""Get user information from provider"""
pass
class GoogleOAuth2Provider(OAuth2Provider):
"""Google OAuth2 provider implementation"""
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_URL = "https://oauth2.googleapis.com/token"
USER_INFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"
def get_authorization_url(self, state: str) -> str:
params = {
"client_id": self.client_id,
"redirect_uri": self.redirect_uri,
"response_type": "code",
"scope": " ".join(self.scopes),
"state": state,
"access_type": "offline",
"prompt": "consent"
}
return f"{self.AUTH_URL}?{urlencode(params)}"
async def exchange_code_for_token(self, code: str, state: str) -> Dict[str, Any]:
async with httpx.AsyncClient() as client:
data = {
"client_id": self.client_id,
"client_secret": self.client_secret,
"code": code,
"grant_type": "authorization_code",
"redirect_uri": self.redirect_uri
}
response = await client.post(self.TOKEN_URL, data=data)
response.raise_for_status()
return response.json()
async def get_user_info(self, access_token: str) -> Dict[str, Any]:
async with httpx.AsyncClient() as client:
headers = {"Authorization": f"Bearer {access_token}"}
response = await client.get(
self.USER_INFO_URL,
headers=headers
)
response.raise_for_status()
return response.json()
class GitHubOAuth2Provider(OAuth2Provider):
"""GitHub OAuth2 provider implementation"""
AUTH_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"
USER_INFO_URL = "https://api.github.com/user"
def get_authorization_url(self, state: str) -> str:
params = {
"client_id": self.client_id,
"redirect_uri": self.redirect_uri,
"response_type": "code",
"scope": " ".join(self.scopes),
"state": state
}
return f"{self.AUTH_URL}?{urlencode(params)}"
async def exchange_code_for_token(self, code: str, state: str) -> Dict[str, Any]:
async with httpx.AsyncClient() as client:
headers = {"Accept": "application/json"}
data = {
"client_id": self.client_id,
"client_secret": self.client_secret,
"code": code,
"grant_type": "authorization_code"
}
response = await client.post(
self.TOKEN_URL,
headers=headers,
data=data
)
response.raise_for_status()
return response.json()
async def get_user_info(self, access_token: str) -> Dict[str, Any]:
async with httpx.AsyncClient() as client:
headers = {
"Authorization": f"token {access_token}",
"User-Agent": "MyApp"
}
response = await client.get(
self.USER_INFO_URL,
headers=headers
)
response.raise_for_status()
return response.json()
def create_oauth2_provider(
provider: str,
client_id: str,
client_secret: str,
redirect_uri: str,
scopes: list
) -> OAuth2Provider:
"""Factory method to create OAuth2 provider"""
providers = {
"google": GoogleOAuth2Provider,
"github": GitHubOAuth2Provider,
}
provider_class = providers.get(provider.lower())
if not provider_class:
raise ValueError(f"Unsupported OAuth2 provider: {provider}")
return provider_class(
client_id=client_id,
client_secret=client_secret,
redirect_uri=redirect_uri,
scopes=scopes
)
3. Role-Based Access Control (RBAC)
from enum import Enum
from typing import List, Dict, Set, Optional
from dataclasses import dataclass
from functools import wraps
import inspect
class Permission(str, Enum):
"""Permission identifiers"""
READ = "read"
WRITE = "write"
DELETE = "delete"
ADMIN = "admin"
CREATE = "create"
UPDATE = "update"
MANAGE_USERS = "manage_users"
MANAGE_ROLES = "manage_roles"
VIEW_AUDIT_LOGS = "view_audit_logs"
class Role(str, Enum):
"""User roles"""
ANONYMOUS = "anonymous"
USER = "user"
MODERATOR = "moderator"
ADMIN = "admin"
SUPER_ADMIN = "super_admin"
@dataclass
class RolePermission:
"""Role to permissions mapping"""
role: Role
permissions: Set[Permission]
class RBACManager:
"""Role-Based Access Control Manager"""
def __init__(self):
self._role_permissions = self._initialize_roles()
self._user_roles: Dict[str, Set[Role]] = {}
def _initialize_roles(self) -> Dict[Role, Set[Permission]]:
"""Initialize default roles and permissions"""
return {
Role.ANONYMOUS: {Permission.READ},
Role.USER: {
Permission.READ,
Permission.WRITE,
Permission.CREATE,
Permission.UPDATE,
Permission.DELETE
},
Role.MODERATOR: {
Permission.READ,
Permission.WRITE,
Permission.CREATE,
Permission.UPDATE,
Permission.DELETE,
Permission.MANAGE_ROLES
},
Role.ADMIN: {
Permission.READ,
Permission.WRITE,
Permission.CREATE,
Permission.UPDATE,
Permission.DELETE,
Permission.MANAGE_USERS,
Permission.MANAGE_ROLES,
Permission.VIEW_AUDIT_LOGS
},
Role.SUPER_ADMIN: {
Permission.ADMIN,
}
}
def assign_role_to_user(self, user_id: str, role: Role):
"""Assign role to user"""
if user_id not in self._user_roles:
self._user_roles[user_id] = set()
self._user_roles[user_id].add(role)
def remove_role_from_user(self, user_id: str, role: Role):
"""Remove role from user"""
if user_id in self._user_roles:
self._user_roles[user_id].discard(role)
def get_user_permissions(self, user_id: str) -> Set[Permission]:
"""Get all permissions for a user based on their roles"""
permissions = set()
roles = self._user_roles.get(user_id, {Role.ANONYMOUS})
for role in roles:
role_perms = self._role_permissions.get(role, set())
permissions.update(role_perms)
return permissions
def has_permission(
self,
user_id: str,
permission: Permission,
resource_owner_id: Optional[str] = None
) -> bool:
"""Check if user has permission"""
permissions = self.get_user_permissions(user_id)
if Permission.ADMIN in permissions:
return True
if permission in {Permission.READ, Permission.WRITE, Permission.DELETE}:
if resource_owner_id and user_id == resource_owner_id:
return True
return permission in permissions
def requires_permission(permission: Permission, resource_owner_param: Optional[str] = None):
"""Decorator to check if user has required permission"""
def decorator(func):
@wraps(func)
async def wrapper(*args, **kwargs):
current_user_id = kwargs.get("current_user_id")
if not current_user_id:
raise PermissionError("Authentication required")
resource_owner_id = None
if resource_owner_param:
resource_owner_id = kwargs.get(resource_owner_param)
rbac = RBACManager()
if not rbac.has_permission(
current_user_id,
permission,
resource_owner_id
):
raise PermissionError(
f"Permission denied. Requires: {permission.value}"
)
return await func(*args, **kwargs)
return wrapper
return decorator
@requires_permission(Permission.DELETE, "user_id")
async def delete_user(user_id: str, current_user_id: str):
"""Delete user (only owner or admin)"""
pass
4. Multi-Factor Authentication (MFA)
import pyotp
import qrcode
import io
import base64
from typing import Optional
from fastapi import HTTPException
from enum import Enum
class MFAMethod(str, Enum):
TOTP = "totp"
SMS = "sms"
EMAIL = "email"
PUSH = "push"
class MFAService:
"""Multi-Factor Authentication service"""
def __init__(self):
self.totp_window = 1
def generate_totp_secret(self) -> str:
"""Generate new TOTP secret for user"""
return pyotp.random_base32()
def generate_qr_code(self, user_email: str, secret: str) -> str:
"""Generate QR code for TOTP setup"""
totp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
name=user_email,
issuer_name="MyApp"
)
qr = qrcode.QRCode(version=1, box_size=10, border=5)
qr.add_data(totp_uri)
img = qr.make_image(fill_color="black", back_color="white")
buffer = io.BytesIO()
img.save(buffer, format="PNG")
img_str = base64.b64encode(buffer.getvalue()).decode()
return f"data:image/png;base64,{img_str}"
def verify_totp(self, secret: str, token: str) -> bool:
"""Verify TOTP token"""
totp = pyotp.TOTP(secret)
return totp.verify(token, valid_window=self.totp_window)
def generate_backup_codes(self, count: int = 10) -> List[str]:
"""Generate backup codes for MFA recovery"""
codes = []
for _ in range(count):
code = f"{secrets.randbelow(10**6):06d}"
codes.append(code)
return codes
def verify_backup_code(
self,
provided_code: str,
backup_codes: List[str]
) -> bool:
"""Verify backup code and remove it if valid"""
if provided_code in backup_codes:
backup_codes.remove(provided_code)
return True
return False
async def send_sms_code(self, phone_number: str, code: str):
"""Send SMS verification code (using SMS service)"""
pass
async def send_email_code(self, email: str, code: str):
"""Send email verification code"""
pass
5. Security Middleware
from fastapi import Request, HTTPException
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from starlette.middleware.base import BaseHTTPMiddleware
import time
import logging
logger = logging.getLogger(__name__)
class SecurityHeadersMiddleware(BaseHTTPMiddleware):
"""Add security headers to all responses"""
async def dispatch(self, request, call_next):
response = await call_next(request)
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-XSS-Protection"] = "1; mode=block"
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
response.headers["Content-Security-Policy"] = (
"default-src 'self'; "
"script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
"style-src 'self' 'unsafe-inline'; "
"img-src 'self' data: https:; "
"font-src 'self' data:; "
"connect-src 'self' https://api.example.com; "
"frame-ancestors 'none'"
)
response.headers.pop("Server", None)
response.headers.pop("X-Powered-By", None)
return response
class RateLimitMiddleware(BaseHTTPMiddleware):
"""Rate limiting middleware"""
def __init__(self, app, calls: int = 100, period: int = 60):
super().__init__(app)
self.calls = calls
self.period = period
self.clients = {}
async def dispatch(self, request, call_next):
client_ip = request.client.host
current_time = time.time()
self.clients = {
ip: times for ip, times in self.clients.items()
if current_time - max(times) < self.period
}
if client_ip in self.clients:
recent_calls = [
t for t in self.clients[client_ip]
if current_time - t < self.period
]
if len(recent_calls) >= self.calls:
raise HTTPException(
status_code=429,
detail="Rate limit exceeded"
)
self.clients[client_ip] = recent_calls + [current_time]
else:
self.clients[client_ip] = [current_time]
return await call_next(request)
class AuditLoggingMiddleware(BaseHTTPMiddleware):
"""Audit logging middleware"""
def __init__(self, app, sensitive_fields: list = None):
super().__init__(app)
self.sensitive_fields = sensitive_fields or [
"password", "token", "secret", "key"
]
async def dispatch(self, request, call_next):
start_time = time.time()
request_data = {
"method": request.method,
"url": str(request.url),
"headers": dict(request.headers),
"client_ip": request.client.host
}
self._remove_sensitive_data(request_data)
logger.info(f"Request: {request_data}")
try:
response = await call_next(request)
duration = time.time() - start_time
response_data = {
"status_code": response.status_code,
"duration": f"{duration:.3f}s"
}
logger.info(f"Response: {response_data}")
return response
except Exception as e:
logger.error(f"Error: {str(e)}", exc_info=True)
raise
def _remove_sensitive_data(self, data: dict):
"""Remove sensitive data from logs"""
if isinstance(data, dict):
for key in self.sensitive_fields:
if key in data:
data[key] = "[REDACTED]"
for value in data.values():
if isinstance(value, dict):
self._remove_sensitive_data(value)
elif isinstance(data, list):
for item in data:
if isinstance(item, dict):
self._remove_sensitive_data(item)
6. Zero-Trust Security Patterns
from typing import Optional, Dict, Any, List
import ipaddress
from datetime import datetime, timedelta
class ZeroTrustManager:
"""Zero-trust security manager"""
def __init__(self):
self.trusted_networks = self._load_trusted_networks()
self.device_policies = self._load_device_policies()
def validate_access_request(
self,
request_data: Dict[str, Any]
) -> Dict[str, Any]:
"""Validate access request with zero-trust principles"""
validation_result = {
"allowed": False,
"risk_score": 0,
"factors": []
}
device_trust = self._validate_device(request_data)
validation_result["factors"].append(device_trust)
network_trust = self._validate_network(request_data)
validation_result["factors"].append(network_trust)
behavior_trust = self._analyze_behavior(request_data)
validation_result["factors"].append(behavior_trust)
time_trust = self._validate_timing(request_data)
validation_result["factors"].append(time_trust)
validation_result["risk_score"] = sum(
factor["risk"] for factor in validation_result["factors"]
)
validation_result["allowed"] = (
validation_result["risk_score"] < 50 and
all(factor["trusted"] for factor in validation_result["factors"])
)
return validation_result
def _validate_device(self, request_data: Dict[str, Any]) -> Dict[str, Any]:
"""Validate device trust"""
device_id = request_data.get("device_id")
user_agent = request_data.get("user_agent")
if not device_id:
return {"trusted": False, "risk": 30, "reason": "No device ID"}
device_trusted = self._is_device_trusted(device_id, user_agent)
return {
"trusted": device_trusted,
"risk": 0 if device_trusted else 20,
"reason": "Unknown device"
}
def _validate_network(self, request_data: Dict[str, Any]) -> Dict[str, Any]:
"""Validate network trust"""
client_ip = request_data.get("client_ip")
try:
ip_obj = ipaddress.ip_address(client_ip)
except ValueError:
return {"trusted": False, "risk": 40, "reason": "Invalid IP"}
for trusted_network in self.trusted_networks:
if ip_obj in trusted_network:
return {"trusted": True, "risk": 0, "reason": "Trusted network"}
if ip_obj.is_private:
return {"trusted": True, "risk": 5, "reason": "Private network"}
return {"trusted": False, "risk": 15, "reason": "Untrusted network"}
def _analyze_behavior(self, request_data: Dict[str, Any]) -> Dict[str, Any]:
"""Analyze user behavior for anomalies"""
user_id = request_data.get("user_id")
location = request_data.get("location")
timestamp = request_data.get("timestamp", datetime.utcnow())
anomalies = self._detect_behavioral_anomalies(user_id, location, timestamp)
return {
"trusted": len(anomalies) == 0,
"risk": min(len(anomalies) * 10, 30),
"reason": f"Anomalies detected: {anomalies}"
}
def _validate_timing(self, request_data: Dict[str, Any]) -> Dict[str, Any]:
"""Validate request timing"""
timestamp = request_data.get("timestamp", datetime.utcnow())
hour = timestamp.hour
if hour < 6 or hour > 22:
return {
"trusted": True,
"risk": 10,
"reason": "Off-hours access"
}
return {"trusted": True, "risk": 0, "reason": "Normal hours"}
def _is_device_trusted(self, device_id: str, user_agent: str) -> bool:
"""Check if device is trusted"""
return True
def _detect_behavioral_anomalies(
self,
user_id: str,
location: Optional[str],
timestamp: datetime
) -> List[str]:
"""Detect behavioral anomalies"""
anomalies = []
return anomalies
def _load_trusted_networks(self):
"""Load trusted network ranges"""
return [
ipaddress.ip_network("192.168.1.0/24"),
ipaddress.ip_network("10.0.0.0/8"),
ipaddress.ip_network("172.16.0.0/12"),
]
def _load_device_policies(self):
"""Load device security policies"""
return {
"require_device_trust": True,
"max_devices_per_user": 5,
"session_timeout": 3600
}
7. Production Security Checklist
authentication:
jwt:
secret_key_length: 32
algorithm: HS256
access_token_expiry: 15m
refresh_token_expiry: 7d
refresh_rotation: true
password:
min_length: 12
complexity_requirements:
- uppercase
- lowercase
- numbers
- special_characters
hash_algorithm: pbkdf2_sha256
rounds: 120000
mfa:
required_for_admin: true
optional_for_users: true
backup_codes_count: 10
oauth2:
providers:
- google
- github
- microsoft
state_validation: true
pkce: true
security:
headers:
strict_transport_security: true
content_security_policy: true
x_frame_options: deny
x_xss_protection: true
rate_limiting:
default: 100/minute
auth_endpoints: 10/minute
admin_endpoints: 5/minute
session_management:
idle_timeout: 30m
absolute_timeout: 8h
concurrent_sessions: 3
audit_logging:
log_all_auth_events: true
log_sensitive_data: false
retention_period: 90d
zero_trust:
device_validation: true
network_validation: true
behavioral_analysis: true
risk_scoring: true
encryption:
at_rest: AES-256
in_transit: TLS-1.3
key_rotation: 90d
secrets_management:
use_vault: true
environment_variables: false
rotation_enabled: true
This comprehensive authentication skill provides modern security patterns for 2025, including JWT tokens, OAuth2 integration, RBAC, MFA, zero-trust principles, and production-ready security middleware that can be implemented across any web application framework.
