securing-authentication
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAuthentication & Security
身份验证与安全
Implement modern authentication, authorization, and API security across Python, Rust, Go, and TypeScript.
在Python、Rust、Go和TypeScript技术栈中实现现代化的身份验证、授权及API安全方案。
When to Use This Skill
何时使用本技能
Use this skill when:
- Building user authentication systems (login, signup, SSO)
- Implementing authorization (roles, permissions, access control)
- Securing APIs (JWT validation, rate limiting)
- Adding passwordless auth (Passkeys/WebAuthn)
- Migrating from password-based to modern auth
- Integrating enterprise SSO (SAML, OIDC)
- Implementing fine-grained permissions (RBAC, ABAC, ReBAC)
以下场景适用本技能:
- 构建用户身份验证系统(登录、注册、SSO单点登录)
- 实现授权机制(角色、权限、访问控制)
- 保护API安全(JWT验证、速率限制)
- 添加无密码认证(Passkeys/WebAuthn)
- 从基于密码的认证迁移至现代化认证方案
- 集成企业级SSO(SAML、OIDC)
- 实现细粒度权限控制(RBAC、ABAC、ReBAC)
OAuth 2.1 Mandatory Requirements (2025 Standard)
OAuth 2.1 强制要求(2025标准)
┌─────────────────────────────────────────────────────────────┐
│ OAuth 2.1 MANDATORY REQUIREMENTS │
│ (RFC 9798 - 2025) │
├─────────────────────────────────────────────────────────────┤
│ │
│ ✅ REQUIRED (Breaking Changes from OAuth 2.0) │
│ ├─ PKCE (Proof Key for Code Exchange) MANDATORY │
│ │ └─ S256 method (SHA-256), minimum entropy 43 chars │
│ ├─ Exact redirect URI matching │
│ │ └─ No wildcard matching, no substring matching │
│ ├─ Authorization code flow ONLY for public clients │
│ │ └─ All other flows require confidential client │
│ └─ TLS 1.2+ required for all endpoints │
│ │
│ ❌ REMOVED (No Longer Supported) │
│ ├─ Implicit grant (security vulnerabilities) │
│ ├─ Resource Owner Password Credentials grant │
│ │ └─ Use OAuth 2.0 Device Flow (RFC 8628) instead │
│ └─ Bearer token in query parameters │
│ └─ Must use Authorization header or POST body │
│ │
└─────────────────────────────────────────────────────────────┘Critical: PKCE is now mandatory for ALL OAuth flows, not just public clients.
┌─────────────────────────────────────────────────────────────┐
│ OAuth 2.1 MANDATORY REQUIREMENTS │
│ (RFC 9798 - 2025) │
├─────────────────────────────────────────────────────────────┤
│ │
│ ✅ REQUIRED (Breaking Changes from OAuth 2.0) │
│ ├─ PKCE (Proof Key for Code Exchange) MANDATORY │
│ │ └─ S256 method (SHA-256), minimum entropy 43 chars │
│ ├─ Exact redirect URI matching │
│ │ └─ No wildcard matching, no substring matching │
│ ├─ Authorization code flow ONLY for public clients │
│ │ └─ All other flows require confidential client │
│ └─ TLS 1.2+ required for all endpoints │
│ │
│ ❌ REMOVED (No Longer Supported) │
│ ├─ Implicit grant (security vulnerabilities) │
│ ├─ Resource Owner Password Credentials grant │
│ │ └─ Use OAuth 2.0 Device Flow (RFC 8628) instead │
│ └─ Bearer token in query parameters │
│ └─ Must use Authorization header or POST body │
│ │
└─────────────────────────────────────────────────────────────┘重要提示: PKCE现已成为所有OAuth流程的强制要求,而非仅适用于公开客户端。
JWT Best Practices
JWT最佳实践
Signing Algorithms (Priority Order)
签名算法(优先级排序)
-
EdDSA with Ed25519 (Recommended)
- Fastest performance
- Smallest signature size
- Modern cryptography
-
ES256 (ECDSA with P-256)
- Good performance
- Industry standard
- Wide compatibility
-
RS256 (RSA)
- Legacy compatibility
- Larger signatures
- Slower performance
NEVER allow or algorithm switching attacks.
alg: none-
EdDSA(基于Ed25519)(推荐)
- 性能最优
- 签名尺寸最小
- 现代加密标准
-
ES256(基于P-256的ECDSA)
- 性能良好
- 行业标准
- 兼容性广泛
-
RS256(RSA)
- 遗留系统兼容性
- 签名尺寸较大
- 性能较慢
绝对禁止允许或算法切换攻击。
alg: noneToken Lifetimes (Concrete Values)
Token有效期(具体值)
- Access token: 5-15 minutes
- Refresh token: 1-7 days with rotation
- ID token: Same as access token (5-15 minutes)
Refresh token rotation: Each refresh generates new access AND refresh tokens, invalidating the old refresh token.
- Access token:5-15分钟
- Refresh token:1-7天(带轮换机制)
- ID token:与Access token一致(5-15分钟)
Refresh token轮换机制:每次刷新操作生成新的Access token和Refresh token,并作废旧的Refresh token。
Token Storage
Token存储
- Access token: Memory only (never localStorage)
- Refresh token: HTTP-only cookie + SameSite=Strict
- CSRF token: Separate non-HTTP-only cookie
- Never log tokens: Redact in application logs
- Access token:仅存于内存(绝不能存于localStorage)
- Refresh token:HTTP-only Cookie + SameSite=Strict
- CSRF token:独立的非HTTP-only Cookie
- 禁止记录Token:在应用日志中需脱敏处理
JWT Claims (Required)
JWT必填声明
json
{
"iss": "https://auth.example.com",
"sub": "user-id-123",
"aud": "api.example.com",
"exp": 1234567890,
"iat": 1234567890,
"jti": "unique-token-id",
"scope": "read:profile write:data"
}json
{
"iss": "https://auth.example.com",
"sub": "user-id-123",
"aud": "api.example.com",
"exp": 1234567890,
"iat": 1234567890,
"jti": "unique-token-id",
"scope": "read:profile write:data"
}Password Hashing with Argon2id
基于Argon2id的密码哈希
OWASP 2025 Parameters
OWASP 2025参数
Algorithm: Argon2id
Memory cost (m): 64 MB (65536 KiB)
Time cost (t): 3 iterations
Parallelism (p): 4 threads
Salt length: 16 bytes (128 bits)
Target hash time: 150-250msAlgorithm: Argon2id
Memory cost (m): 64 MB (65536 KiB)
Time cost (t): 3 iterations
Parallelism (p): 4 threads
Salt length: 16 bytes (128 bits)
Target hash time: 150-250msImplementation
实现方式
For concrete implementations, see .
references/password-hashing.mdKey Points:
- Argon2id is hybrid: data-independent timing + memory-hard
- Tune memory cost to achieve 150-250ms on YOUR hardware
- Use timing-safe comparison for verification
- Migrate from bcrypt gradually (verify with old, rehash with new)
具体实现请参考。
references/password-hashing.md核心要点:
- Argon2id为混合算法:具备数据无关计时特性+内存密集型
- 根据自身硬件调整内存成本,使哈希时间达到150-250ms
- 验证时使用计时安全的比较方法
- 逐步从bcrypt迁移(用旧算法验证,用新算法重新哈希)
Passkeys / WebAuthn
Passkeys / WebAuthn
Passkeys provide phishing-resistant, passwordless authentication using FIDO2/WebAuthn.
Passkeys基于FIDO2/WebAuthn标准,提供防钓鱼的无密码认证方案。
When to Use Passkeys
何时使用Passkeys
- User-facing applications prioritizing security
- Reducing password-related support burden
- Mobile-first applications (biometric auth)
- Applications requiring MFA without SMS
- 优先考虑安全性的面向用户应用
- 降低密码相关的支持成本
- 移动优先应用(生物识别认证)
- 无需SMS的多因素认证场景
Cross-Device Passkey Sync
跨设备Passkeys同步
- iCloud Keychain: Apple ecosystem (iOS 16+, macOS 13+)
- Google Password Manager: Android, Chrome
- 1Password, Bitwarden: Third-party password managers
For implementation guide, see .
references/passkeys-webauthn.md- iCloud Keychain:苹果生态系统(iOS 16+、macOS 13+)
- Google Password Manager:Android、Chrome浏览器
- 1Password、Bitwarden:第三方密码管理器
实现指南请参考。
references/passkeys-webauthn.mdAuthorization Models
授权模型
┌─────────────────────────────────────────────────────────────┐
│ Authorization Model Selection │
├─────────────────────────────────────────────────────────────┤
│ │
│ Simple Roles (<20 roles) │
│ └─ RBAC with Casbin (embedded, any language) │
│ Example: Admin, User, Guest │
│ │
│ Complex Attribute Rules │
│ └─ ABAC with OPA or Cerbos │
│ Example: "Allow if user.clearance >= doc.level │
│ AND user.dept == doc.dept" │
│ │
│ Relationship-Based (Multi-Tenant, Collaborative) │
│ └─ ReBAC with SpiceDB (Zanzibar model) │
│ Example: "Can edit if member of doc's workspace │
│ AND workspace.plan includes feature" │
│ Use cases: Notion-like, GitHub-like permissions │
│ │
│ Kubernetes / Infrastructure Policies │
│ └─ OPA (Gatekeeper for admission control) │
│ Example: Enforce pod security policies │
│ │
└─────────────────────────────────────────────────────────────┘For detailed comparison, see .
references/authorization-patterns.md┌─────────────────────────────────────────────────────────────┐
│ 授权模型选择指南 │
├─────────────────────────────────────────────────────────────┤
│ │
│ 简单角色(少于20个角色) │
│ └─ 搭配Casbin的RBAC模型(嵌入式,支持任意语言) │
│ 示例:管理员、普通用户、访客 │
│ │
│ 复杂属性规则 │
│ └─ 搭配OPA或Cerbos的ABAC模型 │
│ 示例:"当用户权限等级 >= 文档等级 且 │
│ 用户部门 == 文档所属部门时允许访问" │
│ │
│ 关系型授权(多租户、协作场景) │
│ └─ 搭配SpiceDB的ReBAC模型(Zanzibar模型) │
│ 示例:"若用户是文档工作区成员 且 │
│ 工作区套餐包含该功能,则允许编辑" │
│ 适用场景:类Notion、类GitHub的权限系统 │
│ │
│ Kubernetes / 基础设施策略 │
│ └─ OPA(Gatekeeper用于准入控制) │
│ 示例:强制执行Pod安全策略 │
│ │
└─────────────────────────────────────────────────────────────┘详细对比请参考。
references/authorization-patterns.mdLibrary Selection by Language
按语言选择库
TypeScript
TypeScript
| Use Case | Library | Context7 ID | Trust | Notes |
|---|---|---|---|---|
| Auth Framework | Auth.js v5 | | 87.4 | Multi-framework (Next, Svelte, Solid) |
| JWT | jose 5.x | - | - | EdDSA, ES256, RS256 support |
| Passkeys | @simplewebauthn/server 11.x | - | - | FIDO2 server |
| Validation | Zod 3.x | | 90.4 | Schema validation |
| Policy Engine | Casbin.js 1.x | - | - | RBAC/ABAC embedded |
| 使用场景 | 库 | Context7 ID | 可信度 | 说明 |
|---|---|---|---|---|
| 认证框架 | Auth.js v5 | | 87.4 | 多框架支持(Next、Svelte、Solid) |
| JWT处理 | jose 5.x | - | - | 支持EdDSA、ES256、RS256 |
| Passkeys实现 | @simplewebauthn/server 11.x | - | - | FIDO2服务端 |
| 验证 | Zod 3.x | | 90.4 | Schema验证 |
| 策略引擎 | Casbin.js 1.x | - | - | 嵌入式RBAC/ABAC支持 |
Python
Python
| Use Case | Library | Notes |
|---|---|---|
| Auth Framework | Authlib 1.3+ | OAuth/OIDC client + server |
| JWT | joserfc 1.x | Modern, maintained |
| Passkeys | py_webauthn 2.x | WebAuthn server |
| Password Hashing | argon2-cffi 24.x | OWASP parameters |
| Validation | Pydantic 2.x | FastAPI integration |
| Policy Engine | PyCasbin 1.x | RBAC/ABAC embedded |
| 使用场景 | 库 | 说明 |
|---|---|---|
| 认证框架 | Authlib 1.3+ | OAuth/OIDC客户端+服务端 |
| JWT处理 | joserfc 1.x | 现代化、维护活跃 |
| Passkeys实现 | py_webauthn 2.x | WebAuthn服务端 |
| 密码哈希 | argon2-cffi 24.x | 符合OWASP参数标准 |
| 验证 | Pydantic 2.x | 与FastAPI集成 |
| 策略引擎 | PyCasbin 1.x | 嵌入式RBAC/ABAC支持 |
Rust
Rust
| Use Case | Library | Notes |
|---|---|---|
| JWT | jsonwebtoken 10.x | EdDSA, ES256, RS256 |
| OAuth Client | oauth2 5.x | OAuth 2.1 flows |
| Passkeys | webauthn-rs 0.5.x | WebAuthn + attestation |
| Password Hashing | argon2 0.5.x | Native Argon2id |
| Policy Engine | Casbin-RS 2.x | RBAC/ABAC embedded |
| 使用场景 | 库 | 说明 |
|---|---|---|
| JWT处理 | jsonwebtoken 10.x | 支持EdDSA、ES256、RS256 |
| OAuth客户端 | oauth2 5.x | 支持OAuth 2.1流程 |
| Passkeys实现 | webauthn-rs 0.5.x | WebAuthn + 认证声明 |
| 密码哈希 | argon2 0.5.x | 原生Argon2id实现 |
| 策略引擎 | Casbin-RS 2.x | 嵌入式RBAC/ABAC支持 |
Go
Go
| Use Case | Library | Notes |
|---|---|---|
| JWT | golang-jwt v5 | Community-maintained |
| OAuth Client | go-oidc v3 | OIDC client only |
| Passkeys | go-webauthn 0.11.x | Duo-maintained |
| Password Hashing | golang.org/x/crypto/argon2 | Standard library |
| Policy Engine | Casbin v2 | Original implementation |
| 使用场景 | 库 | 说明 |
|---|---|---|
| JWT处理 | golang-jwt v5 | 社区维护 |
| OAuth客户端 | go-oidc v3 | 仅OIDC客户端 |
| Passkeys实现 | go-webauthn 0.11.x | 由Duo维护 |
| 密码哈希 | golang.org/x/crypto/argon2 | 标准库实现 |
| 策略引擎 | Casbin v2 | 原始实现 |
Managed Auth Services
托管式认证服务
| Service | Best For | Key Features |
|---|---|---|
| Clerk | Rapid development, startups | Prebuilt UI, Next.js SDK |
| Auth0 | Enterprise, established | 25+ social providers, SSO |
| WorkOS AuthKit | B2B SaaS, enterprise SSO | SAML/SCIM, admin portal |
| Supabase Auth | Postgres users | Built on Postgres, RLS |
For detailed comparison, see .
references/managed-auth-comparison.md| 服务 | 最佳适用场景 | 核心特性 |
|---|---|---|
| Clerk | 快速开发、初创公司 | 预构建UI、Next.js SDK |
| Auth0 | 企业级、成熟项目 | 25+社交登录提供商、SSO |
| WorkOS AuthKit | B2B SaaS、企业级SSO | SAML/SCIM支持、管理门户 |
| Supabase Auth | Postgres用户 | 基于Postgres构建、RLS支持 |
详细对比请参考。
references/managed-auth-comparison.mdSelf-Hosted Solutions
自托管方案
| Solution | Language | Use Case |
|---|---|---|
| Keycloak | Java | Enterprise, on-prem |
| Ory | Go | Cloud-native, microservices |
| Authentik | Python | Modern, developer-friendly |
For setup guides, see .
references/self-hosted-auth.md| 方案 | 开发语言 | 适用场景 |
|---|---|---|
| Keycloak | Java | 企业级、本地部署 |
| Ory | Go | 云原生、微服务 |
| Authentik | Python | 现代化、开发者友好 |
部署指南请参考。
references/self-hosted-auth.mdAPI Security Best Practices
API安全最佳实践
Rate Limiting
速率限制
typescript
// Tiered rate limiting (per IP + per user)
const rateLimits = {
anonymous: '10 requests/minute',
authenticated: '100 requests/minute',
premium: '1000 requests/minute',
}Use sliding window algorithm (not fixed window) with Redis.
typescript
// 分层速率限制(按IP + 按用户)
const rateLimits = {
anonymous: '10 requests/minute',
authenticated: '100 requests/minute',
premium: '1000 requests/minute',
}使用滑动窗口算法(而非固定窗口),搭配Redis实现。
CORS Configuration
CORS配置
typescript
// Restrictive CORS (production)
const corsOptions = {
origin: ['https://app.example.com'],
credentials: true,
maxAge: 86400, // 24 hours
allowedHeaders: ['Content-Type', 'Authorization'],
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
}
// NEVER use origin: '*' with credentials: truetypescript
// 生产环境严格CORS配置
const corsOptions = {
origin: ['https://app.example.com'],
credentials: true,
maxAge: 86400, // 24小时
allowedHeaders: ['Content-Type', 'Authorization'],
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
}
// 绝对禁止在credentials: true时设置origin: '*'Security Headers
安全头
typescript
const securityHeaders = {
'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
'X-Frame-Options': 'DENY',
'X-Content-Type-Options': 'nosniff',
'Referrer-Policy': 'strict-origin-when-cross-origin',
'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
'Content-Security-Policy': "default-src 'self'; script-src 'self'",
}For complete API security guide, see .
references/api-security.mdtypescript
const securityHeaders = {
'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
'X-Frame-Options': 'DENY',
'X-Content-Type-Options': 'nosniff',
'Referrer-Policy': 'strict-origin-when-cross-origin',
'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
'Content-Security-Policy': "default-src 'self'; script-src 'self'",
}完整API安全指南请参考。
references/api-security.mdFrontend Integration Patterns
前端集成模式
Protected Routes (Next.js)
受保护路由(Next.js)
typescript
// middleware.ts
import { withAuth } from 'next-auth/middleware'
export default withAuth({
callbacks: {
authorized: ({ token, req }) => {
if (req.nextUrl.pathname.startsWith('/dashboard')) {
return !!token
}
if (req.nextUrl.pathname.startsWith('/admin')) {
return token?.role === 'admin'
}
return true
},
},
})
export const config = {
matcher: ['/dashboard/:path*', '/admin/:path*'],
}typescript
// middleware.ts
import { withAuth } from 'next-auth/middleware'
export default withAuth({
callbacks: {
authorized: ({ token, req }) => {
if (req.nextUrl.pathname.startsWith('/dashboard')) {
return !!token
}
if (req.nextUrl.pathname.startsWith('/admin')) {
return token?.role === 'admin'
}
return true
},
},
})
export const config = {
matcher: ['/dashboard/:path*', '/admin/:path*'],
}Role-Based UI Rendering
基于角色的UI渲染
typescript
import { useSession } from 'next-auth/react'
export function AdminPanel() {
const { data: session } = useSession()
if (session?.user?.role !== 'admin') {
return null
}
return <div>Admin Controls</div>
}typescript
import { useSession } from 'next-auth/react'
export function AdminPanel() {
const { data: session } = useSession()
if (session?.user?.role !== 'admin') {
return null
}
return <div>管理员控制台</div>
}Common Workflows
常见工作流
1. OAuth 2.1 Integration
1. OAuth 2.1集成
- Generate PKCE challenge
- Redirect to authorization endpoint
- Handle callback with authorization code
- Exchange code for tokens (with code_verifier)
- Store tokens securely
- Implement refresh token rotation
See for complete implementation.
references/oauth21-guide.md- 生成PKCE挑战
- 重定向至授权端点
- 处理授权码回调
- 用code_verifier交换授权码获取Token
- 安全存储Token
- 实现Refresh token轮换机制
完整实现请参考。
references/oauth21-guide.md2. JWT Implementation
2. JWT实现
- Generate signing keys using
scripts/generate_jwt_keys.py - Configure token lifetimes (5-15 min access, 1-7 day refresh)
- Implement token validation middleware
- Set up refresh token rotation
- Configure token storage (memory for access, HTTP-only cookie for refresh)
See for detailed patterns.
references/jwt-best-practices.md- 使用生成签名密钥
scripts/generate_jwt_keys.py - 配置Token有效期(Access token 5-15分钟,Refresh token 1-7天)
- 实现Token验证中间件
- 搭建Refresh token轮换机制
- 配置Token存储方式(Access token存内存,Refresh token存HTTP-only Cookie)
详细模式请参考。
references/jwt-best-practices.md3. Passkeys Setup
3. Passkeys设置
- Register credential during signup/settings
- Generate challenge for registration
- Verify attestation
- Store credential ID and public key
- Implement authentication flow with assertion
See for runnable implementation.
examples/passkeys-demo/- 在注册/设置流程中注册凭证
- 生成注册挑战
- 验证认证声明
- 存储凭证ID和公钥
- 实现带断言的认证流程
可运行实现示例请参考。
examples/passkeys-demo/4. Authorization Engine Setup
4. 授权引擎搭建
- Choose engine (Casbin for simple RBAC, SpiceDB for ReBAC)
- Define schema/policies
- Implement check functions
- Integrate with route handlers
- Add audit logging
See for detailed comparison.
references/authorization-patterns.md- 选择引擎(简单RBAC用Casbin,ReBAC用SpiceDB)
- 定义Schema/策略
- 实现权限检查函数
- 与路由处理器集成
- 添加审计日志
详细对比请参考。
references/authorization-patterns.mdIntegration with Other Skills
与其他技能的集成
Forms Skill
表单技能
- Login/register forms with validation
- Error states for auth failures
- Password strength indicators
- Email validation
- 带验证的登录/注册表单
- 认证失败的错误状态处理
- 密码强度指示器
- 邮箱验证
API Patterns Skill
API模式技能
- JWT middleware integration
- Error response formats (401, 403)
- OpenAPI security schemas
- CORS configuration
- JWT中间件集成
- 错误响应格式(401、403)
- OpenAPI安全Schema
- CORS配置
Dashboards Skill
仪表盘技能
- Role-based widget visibility
- User profile display
- Permission-based data filtering
- Audit trail visualization
- 基于角色的组件可见性控制
- 用户资料展示
- 基于权限的数据过滤
- 审计轨迹可视化
Observability Skill
可观测性技能
- Auth event logging (login, logout, permission denied)
- Failed login tracking
- Token refresh monitoring
- Security incident alerting
- 认证事件日志(登录、登出、权限拒绝)
- 失败登录追踪
- Token刷新监控
- 安全事件告警
Scripts
脚本
Generate JWT Keys
生成JWT密钥
bash
python scripts/generate_jwt_keys.py --algorithm EdDSAGenerates EdDSA or ES256 key pairs for JWT signing.
bash
python scripts/generate_jwt_keys.py --algorithm EdDSA生成用于JWT签名的EdDSA或ES256密钥对。
Validate OAuth 2.1 Configuration
验证OAuth 2.1配置
bash
python scripts/validate_oauth_config.py --config oauth.jsonValidates OAuth 2.1 compliance (PKCE enabled, exact redirect URIs, etc.).
bash
python scripts/validate_oauth_config.py --config oauth.json验证OAuth 2.1合规性(是否启用PKCE、精确重定向URI等)。
Examples
示例
Auth.js + Next.js
Auth.js + Next.js
Complete implementation with OAuth providers, credentials, and session management.
Location:
examples/authjs-nextjs/包含OAuth提供商、凭证登录和会话管理的完整实现。
位置:
examples/authjs-nextjs/Keycloak + FastAPI
Keycloak + FastAPI
Self-hosted Keycloak with FastAPI integration via OIDC.
Location:
examples/keycloak-fastapi/自托管Keycloak与FastAPI的OIDC集成方案。
位置:
examples/keycloak-fastapi/Passkeys Demo
Passkeys演示
Runnable passkeys implementation with @simplewebauthn.
Location:
examples/passkeys-demo/基于@simplewebauthn的可运行Passkeys实现。
位置:
examples/passkeys-demo/Reference Documentation
参考文档
- - OAuth 2.1 implementation guide
references/oauth21-guide.md - - JWT generation, validation, storage
references/jwt-best-practices.md - - Passkeys/WebAuthn implementation
references/passkeys-webauthn.md - - RBAC, ABAC, ReBAC comparison
references/authorization-patterns.md - - Argon2id parameters, migration
references/password-hashing.md
- - OAuth 2.1实现指南
references/oauth21-guide.md - - JWT生成、验证、存储最佳实践
references/jwt-best-practices.md - - Passkeys/WebAuthn实现指南
references/passkeys-webauthn.md - - RBAC、ABAC、ReBAC对比
references/authorization-patterns.md - - Argon2id参数配置、迁移指南
references/password-hashing.md