
auth-patterns

by yonatangross

The Complete AI Development Toolkit for Claude Code — 159 skills, 34 agents, 20 commands, 144 hooks. Production-ready patterns for FastAPI, React 19, LangGraph, security, and testing.

29 stars, 4 forks, 23 January 2026

SKILL.md


---
name: auth-patterns
description: Authentication and authorization patterns. Use when implementing login flows, JWT tokens, session management, password security, OAuth 2.1, Passkeys/WebAuthn, or role-based access control.
context: fork
agent: security-auditor
version: 2.0.0
tags: [security, authentication, oauth, passkeys, 2026]
allowed-tools:
  - Read
  - Grep
  - Glob
  - Write
  - Edit
  - Bash
author: OrchestKit
user-invocable: false
---

Authentication Patterns

Implement secure authentication with OAuth 2.1, Passkeys, and modern security standards.

Overview

  • Login/signup flows
  • JWT token management
  • Session security
  • OAuth 2.1 with PKCE
  • Passkeys/WebAuthn
  • Multi-factor authentication
  • Role-based access control

Quick Reference

Password Hashing (Argon2id)

from argon2 import PasswordHasher   # argon2-cffi; PasswordHasher defaults to Argon2id
ph = PasswordHasher()
password_hash = ph.hash(password)   # salted, self-describing string; store this, never the password
ph.verify(password_hash, password)  # raises argon2.exceptions.VerifyMismatchError on mismatch

JWT Access Token

import jwt                          # PyJWT
from datetime import datetime, timedelta, timezone
payload = {
    'user_id': user_id,
    'type': 'access',               # lets the verifier refuse a refresh token presented as access
    'exp': datetime.now(timezone.utc) + timedelta(minutes=15),   # PyJWT converts to a NumericDate
}
token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')

OAuth 2.1 with PKCE (Required)

import hashlib, base64, secrets
code_verifier = secrets.token_urlsafe(64)   # 86 URL-safe chars, inside the 43-128 range RFC 7636 allows
digest = hashlib.sha256(code_verifier.encode()).digest()
code_challenge = base64.urlsafe_b64encode(digest).rstrip(b'=').decode()   # S256 challenge, unpadded
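The snippet above is the client's half. This added example, not the skill's own code, shows both sides of the exchange: the client keeps `code_verifier` local and sends only the challenge to `/authorize`, the authorization server stores the challenge beside the code it issues, and at `/token` it recomputes S256 over the presented verifier and compares in constant time. The in-memory `_pending_codes` table, the function names and the client id are constructed for the example.

```python
# Added example (not the skill's own code): client and server halves of PKCE (RFC 7636)
# as OAuth 2.1 requires it. Server state is a constructed in-memory dict.
import base64
import hashlib
import hmac
import secrets

_pending_codes: dict[str, dict] = {}    # authorization server: code -> {challenge, client_id, used}


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def client_start() -> tuple[str, str]:
    """Client: the verifier never leaves the client; the challenge goes in the /authorize request."""
    code_verifier = secrets.token_urlsafe(64)   # 86 chars, within the 43-128 range
    return code_verifier, s256(code_verifier)


def server_authorize(code_challenge: str, code_challenge_method: str, client_id: str) -> str:
    """Server /authorize: OAuth 2.1 makes PKCE mandatory, so 'plain' or a missing challenge is refused."""
    if code_challenge_method != "S256" or not code_challenge:
        raise ValueError("PKCE with code_challenge_method=S256 is required")
    code = secrets.token_urlsafe(32)
    _pending_codes[code] = {"challenge": code_challenge, "client_id": client_id, "used": False}
    return code


def server_token(code: str, code_verifier: str, client_id: str) -> bool:
    """Server /token: bind the code to the client, burn it on first use, then check S256(verifier)."""
    record = _pending_codes.get(code)
    if record is None or record["used"] or record["client_id"] != client_id:
        return False
    record["used"] = True                    # single use, even when the verifier turns out wrong
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
        return False
    return hmac.compare_digest(s256(code_verifier), record["challenge"])
```

Because the server stores only the challenge, an attacker who intercepts the authorization code (the interception attack PKCE was designed against) cannot redeem it without the verifier, and a replayed code fails on the `used` flag regardless of the verifier.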

Session Security

app.config['SESSION_COOKIE_SECURE'] = True      # HTTPS only
app.config['SESSION_COOKIE_HTTPONLY'] = True    # No JS access
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'

Token Expiry (2026 Guidelines)

| Token Type | Expiry          | Storage         |
|------------|-----------------|-----------------|
| Access     | 15 min - 1 hour | Memory only     |
| Refresh    | 7-30 days       | HTTPOnly cookie |

Anti-Patterns (FORBIDDEN)

# ❌ NEVER store passwords in plaintext
user.password = request.form['password']

# ❌ NEVER use implicit OAuth grant
response_type=token  # Deprecated in OAuth 2.1

# ❌ NEVER skip rate limiting on login
@app.route('/login')  # No rate limit!

# ❌ NEVER reveal if email exists
return "Email not found"  # Information disclosure

# ✅ ALWAYS use Argon2id or bcrypt
password_hash = ph.hash(password)

# ✅ ALWAYS use PKCE
code_challenge=challenge&code_challenge_method=S256

# ✅ ALWAYS rate limit auth endpoints
@limiter.limit("5 per minute")

# ✅ ALWAYS use generic error messages
return "Invalid credentials"

Key Decisions

| Decision             | Recommendation                    |
|----------------------|-----------------------------------|
| Password hash        | Argon2id > bcrypt                 |
| Access token expiry  | 15 min - 1 hour                   |
| Refresh token expiry | 7-30 days with rotation           |
| Session cookie       | HTTPOnly, Secure, SameSite=Strict |
| Rate limit           | 5 attempts per minute             |
| MFA                  | Passkeys > TOTP > SMS             |
| OAuth                | 2.1 with PKCE (no implicit)       |

Detailed Documentation

| Resource                            | Description                        |
|-------------------------------------|------------------------------------|
| references/oauth-2.1-passkeys.md    | OAuth 2.1, PKCE, Passkeys/WebAuthn |
| examples/auth-implementations.md    | Complete implementation examples   |
| checklists/auth-checklist.md        | Security checklist                 |
| scripts/auth-middleware-template.py | Flask/FastAPI middleware           |

  • owasp-top-10 - Security fundamentals
  • input-validation - Data validation
  • api-design-framework - API security

Capability Details

password-hashing

Keywords: password, hashing, bcrypt, argon2, hash

Solves:

  • Securely hash passwords with modern algorithms
  • Configure appropriate cost factors
  • Migrate legacy password hashes

jwt-tokens

Keywords: JWT, token, access token, claims, jsonwebtoken

Solves:

  • Generate and validate JWT access tokens
  • Implement proper token expiration
  • Handle token refresh securely

oauth2-pkce

Keywords: OAuth, PKCE, OAuth 2.1, authorization code, code verifier

Solves:

  • Implement OAuth 2.1 with PKCE flow
  • Secure authorization for SPAs and mobile apps
  • Handle OAuth provider integration

passkeys-webauthn

Keywords: passkey, WebAuthn, FIDO2, passwordless, biometric

Solves:

  • Implement passwordless authentication
  • Configure WebAuthn registration and login
  • Support cross-device passkeys

session-management

Keywords: session, cookie, session storage, logout, invalidate

Solves:

  • Manage user sessions securely
  • Implement session invalidation on logout
  • Handle concurrent sessions

role-based-access

Keywords: RBAC, role, permission, authorization, access control

Solves:

  • Implement role-based access control
  • Define permission hierarchies
  • Check authorization in routes
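The three items above as working code, in an added example that is not the skill's own: a role hierarchy where roles inherit from other roles, resolution of the effective permission set (failing closed for unknown roles and guarding against cycles), and a decorator that enforces a permission on a route handler. The roles, permission names and handler are constructed.

```python
# Added example (not the skill's own code): role hierarchy, effective-permission resolution and
# a route decorator. Role and permission names are constructed.
from functools import wraps

# Each role lists its own permissions and the roles it inherits from.
ROLE_PERMISSIONS = {
    "viewer": {"perms": {"reports:read"}, "inherits": []},
    "editor": {"perms": {"reports:write"}, "inherits": ["viewer"]},
    "admin":  {"perms": {"users:manage"}, "inherits": ["editor"]},
}


def permissions_for(role: str, _seen: frozenset = frozenset()) -> frozenset:
    """Effective permissions of a role including inherited ones; _seen stops a misconfigured cycle."""
    if role in _seen:
        return frozenset()
    spec = ROLE_PERMISSIONS.get(role)
    if spec is None:
        return frozenset()               # unknown role grants nothing (fail closed)
    perms = set(spec["perms"])
    for parent in spec["inherits"]:
        perms |= permissions_for(parent, _seen | {role})
    return frozenset(perms)


def permissions_for_user(user: dict) -> frozenset:
    """Union over all of the user's roles; a user with no roles gets an empty set."""
    return frozenset().union(*(permissions_for(r) for r in user.get("roles", [])))


class Forbidden(Exception):
    pass


def require_permission(permission: str):
    """Route decorator: the handler's first argument is the authenticated user; refuse unless granted."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user: dict, *args, **kwargs):
            if permission not in permissions_for_user(user):
                raise Forbidden(f"{permission} required")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


def can(user: dict, permission: str) -> bool:
    """Boolean form of the same rule, for templates and pre-checks."""
    return permission in permissions_for_user(user)


@require_permission("reports:write")
def update_report(user: dict, report_id: str) -> str:
    return f"report {report_id} updated by {user['id']}"
```

Checking permissions rather than role names in handlers (`reports:write`, not `role == "editor"`) is what lets the hierarchy change later without touching every route; the decorator and `can()` share one resolution function so the two never disagree.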
