moai-platform-auth

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Authentication Platform Specialist

认证平台专家

Comprehensive authentication and authorization guidance covering three major platforms: Auth0 (enterprise security), Clerk (modern UX), and Firebase Auth (mobile-first).

全面的认证与授权指南，覆盖三大主流平台：Auth0（企业级安全）、Clerk（现代用户体验）和Firebase Auth（移动优先）。

Quick Platform Selection

快速平台选择

Auth0 - Enterprise Security

Auth0 - 企业级安全

Enterprise-grade identity platform focused on security compliance and attack protection.

Best For: Enterprise applications requiring strong compliance (FAPI, GDPR, HIPAA), sophisticated attack protection, token security with sender constraining (DPoP/mTLS), multi-tenant B2B SaaS.

Key Strengths: Advanced attack protection (bot detection, breached passwords, brute force), adaptive MFA, compliance certifications (ISO 27001, SOC 2, FAPI), token security (DPoP, mTLS), extensive security monitoring.

Cost Model: Priced per monthly active user with enterprise features at higher tiers.

Context7 Library: /auth0/docs

专注于安全合规与攻击防护的企业级身份平台。

适用场景：需要强合规性（FAPI、GDPR、HIPAA）、复杂攻击防护、带发送方约束的令牌安全（DPoP/mTLS）的多租户B2B SaaS企业应用。

核心优势：高级攻击防护（机器人检测、泄露密码检测、暴力破解防护）、自适应MFA、合规认证（ISO 27001、SOC 2、FAPI）、令牌安全（DPoP、mTLS）、全面的安全监控。

定价模式：按月度活跃用户计费，高级企业功能在更高层级套餐中提供。

Context7 库：/auth0/docs

Clerk - Modern User Experience

Clerk - 现代用户体验

Modern authentication with beautiful pre-built UI components and WebAuthn support.

Best For: Modern web applications prioritizing developer experience and user experience, Next.js applications, applications requiring social login with minimal setup, passwordless authentication.

Key Strengths: Drop-in React components with beautiful UI, WebAuthn and passkeys support, seamless Next.js integration, organization management, simple API with excellent DX.

Cost Model: Free tier available, priced per monthly active user with generous limits.

Context7 Library: /clerk/clerk-docs

具备精美预构建UI组件和WebAuthn支持的现代认证方案。

适用场景：优先考虑开发者体验与用户体验的现代Web应用、Next.js应用、需要极简配置的社交登录应用、无密码认证应用。

核心优势：即插即用的React组件与精美UI、WebAuthn与通行密钥支持、与Next.js无缝集成、组织管理、简洁API与出色的开发者体验（DX）。

定价模式：提供免费套餐，按月度活跃用户计费，免费套餐额度充足。

Context7 库：/clerk/clerk-docs

Firebase Auth - Mobile-First Integration

Firebase Auth - 移动优先集成

Google ecosystem authentication with seamless Firebase services integration.

Best For: Mobile applications (iOS, Android, Flutter), Google ecosystem integration, serverless Cloud Functions, applications requiring anonymous auth with upgrade path, small to medium web applications.

Key Strengths: Native mobile SDKs for iOS/Android/Flutter, Google Sign-In integration, Firebase services integration (Firestore, Storage, Cloud Functions), phone authentication, free tier with generous limits.

Cost Model: Free tier with generous limits, pay-as-you-go for higher volumes.

Context7 Library: /firebase/firebase-docs

与Firebase服务无缝集成的谷歌生态认证方案。

适用场景：移动应用（iOS、Android、Flutter）、谷歌生态集成、无服务器Cloud Functions、需要匿名认证并可升级的应用、中小型Web应用。

核心优势：iOS/Android/Flutter原生移动SDK、谷歌登录集成、与Firebase服务（Firestore、Storage、Cloud Functions）无缝集成、电话认证、免费套餐额度充足。

定价模式：提供免费套餐且额度充足，高用量场景采用按需付费模式。

Context7 库：/firebase/firebase-docs

Quick Decision Guide

快速决策指南

Choose Auth0 when:

Enterprise security and compliance requirements are critical
Need sophisticated attack protection and security monitoring
Implementing sender-constrained tokens (DPoP, mTLS)
Supporting complex B2B multi-tenant scenarios
FAPI, GDPR, HIPAA, or PCI DSS compliance required

Choose Clerk when:

Building modern Next.js or React applications
Developer experience and beautiful UI are priorities
Need passwordless or WebAuthn authentication quickly
Want minimal authentication code in your application
Organization management with role-based access

Choose Firebase Auth when:

Building mobile-first applications
Already using Firebase ecosystem (Firestore, Storage, Functions)
Need Google Sign-In or Google ecosystem integration
Want anonymous authentication with upgrade path
Prefer serverless architecture with Cloud Functions

选择Auth0时：

企业级安全与合规要求为核心需求
需要复杂的攻击防护与安全监控
实现带发送方约束的令牌（DPoP、mTLS）
支持复杂的B2B多租户场景
需要符合FAPI、GDPR、HIPAA或PCI DSS合规标准

选择Clerk时：

构建现代Next.js或React应用
开发者体验与精美UI为优先项
需要快速实现无密码或WebAuthn认证
希望应用中认证代码最少化
需要带基于角色访问控制的组织管理

选择Firebase Auth时：

构建移动优先应用
已在使用Firebase生态（Firestore、Storage、Functions）
需要谷歌登录或谷歌生态集成
希望支持匿名认证并可升级账号
偏好无服务器架构与Cloud Functions

Common Authentication Patterns

通用认证模式

Universal Patterns

—

These patterns apply across all three platforms with platform-specific implementations.

Session Management:

All platforms support session persistence, refresh tokens, and session invalidation. Auth0 uses refresh token rotation, Clerk uses session tokens with automatic refresh, Firebase uses ID token refresh with custom claims.

Multi-Factor Authentication:

All platforms support multiple MFA factors including TOTP, SMS, and push notifications. Auth0 provides WebAuthn and adaptive MFA, Clerk provides WebAuthn with passkeys, Firebase provides phone verification and custom MFA.

Social Authentication:

All platforms support major social providers (Google, Facebook, GitHub, Apple). Auth0 requires connection configuration per provider, Clerk provides pre-configured social login buttons, Firebase requires OAuth configuration and SDK setup.

Role-Based Access Control:

All platforms support custom claims or metadata for authorization. Auth0 uses custom claims in JWT tokens with Actions, Clerk uses organization roles and metadata, Firebase uses custom claims with Admin SDK.

Token Management:

All platforms issue JWT tokens for API authorization. Auth0 provides access tokens with scopes and refresh tokens, Clerk provides session tokens via getToken(), Firebase provides ID tokens with custom claims.

这些模式适用于所有三个平台，各平台有特定实现方式。

会话管理：

所有平台均支持会话持久化、刷新令牌与会话失效。Auth0使用刷新令牌轮换，Clerk使用自动刷新的会话令牌，Firebase使用带自定义声明的ID令牌刷新。

多因素认证（MFA）：

所有平台均支持多种MFA因素，包括TOTP、短信与推送通知。Auth0提供WebAuthn与自适应MFA，Clerk提供带通行密钥的WebAuthn，Firebase提供电话验证与自定义MFA。

社交认证：

所有平台均支持主流社交提供商（谷歌、Facebook、GitHub、苹果）。Auth0需要为每个提供商配置连接，Clerk提供预配置的社交登录按钮，Firebase需要OAuth配置与SDK设置。

基于角色的访问控制（RBAC）：

所有平台均支持自定义声明或元数据用于授权。Auth0在JWT令牌中使用Actions添加自定义声明，Clerk使用组织角色与元数据，Firebase使用Admin SDK设置自定义声明。

令牌管理：

所有平台均颁发JWT令牌用于API授权。Auth0提供带作用域的访问令牌与刷新令牌，Clerk通过getToken()提供会话令牌，Firebase提供带自定义声明的ID令牌。

Security Best Practices

安全最佳实践

Applicable to all platforms:

Token Storage:

Never store tokens in localStorage on web (XSS vulnerability)
Use httpOnly cookies when possible
For SPAs, use memory storage with refresh token rotation
Mobile apps use secure storage (Keychain, Keystore)

HTTPS Enforcement:

Always use HTTPS in production
Configure secure redirect URIs
Enable HSTS headers

Token Validation:

Always validate token signatures
Verify token audience (aud claim)
Check token expiration (exp claim)
Validate issuer (iss claim)

Password Policies:

Enforce strong password requirements
Enable breached password detection
Implement account lockout after failed attempts
Use password strength indicators

API Security:

Require authentication for all protected endpoints
Implement rate limiting
Use scopes or permissions for authorization
Log authentication and authorization events

适用于所有平台：

令牌存储：

绝不在Web端的localStorage中存储令牌（存在XSS漏洞）
尽可能使用httpOnly Cookie
对于单页应用（SPA），使用内存存储配合刷新令牌轮换
移动应用使用安全存储（Keychain、Keystore）

HTTPS强制：

生产环境始终使用HTTPS
配置安全的重定向URI
启用HSTS头

令牌验证：

始终验证令牌签名
验证令牌受众（aud声明）
检查令牌过期时间（exp声明）
验证颁发者（iss声明）

密码策略：

强制执行强密码要求
启用泄露密码检测
多次失败尝试后锁定账号
使用密码强度指示器

API安全：

所有受保护端点均要求认证
实现速率限制
使用作用域或权限进行授权
记录认证与授权事件

Platform-Specific Implementation

平台特定实现

For detailed platform-specific implementation guidance, see the reference files:

如需详细的平台特定实现指南，请参阅参考文件：

Auth0 Implementation

Auth0 实现

File: reference/auth0.md

Covers attack protection configuration, MFA setup with WebAuthn and adaptive policies, token security with DPoP and mTLS sender constraining, compliance features for FAPI/GDPR/HIPAA, Security Center monitoring, and continuous session protection.

Key sections: Dashboard navigation, bot detection configuration, breached password detection, brute force protection, WebAuthn setup, token validation, DPoP implementation, mTLS certificate binding, compliance certifications.

文件：reference/auth0.md

涵盖攻击防护配置、WebAuthn与自适应策略的MFA设置、DPoP与mTLS发送方约束的令牌安全、FAPI/GDPR/HIPAA合规功能、安全中心监控与持续会话防护。

核心章节：控制台导航、机器人检测配置、泄露密码检测、暴力破解防护、WebAuthn设置、令牌验证、DPoP实现、mTLS证书绑定、合规认证。

Clerk Implementation

Clerk 实现

File: reference/clerk.md

Covers ClerkProvider setup for Next.js, authentication components (SignIn, SignUp, UserButton), route protection with middleware, useAuth and useUser hooks, server-side authentication, organization management, and Core 2 migration.

Key sections: Environment variables, middleware configuration, protecting routes, accessing user data, organization switching, custom authentication flows, webhook integration.

文件：reference/clerk.md

涵盖Next.js的ClerkProvider设置、认证组件（SignIn、SignUp、UserButton）、使用中间件保护路由、useAuth与useUser钩子、服务器端认证、组织管理与Core 2迁移。

核心章节：环境变量、中间件配置、路由保护、用户数据访问、组织切换、自定义认证流程、Webhook集成。

Firebase Auth Implementation

Firebase Auth 实现

File: reference/firebase-auth.md

Covers Firebase SDK initialization across platforms (Web, Flutter, iOS, Android), social authentication setup, phone authentication with SMS verification, anonymous auth with account linking, custom claims for RBAC, and Security Rules integration.

Key sections: Project setup, SDK initialization, Google Sign-In, Facebook Login, phone verification, custom claims management, Firestore and Storage rules, Cloud Functions triggers.

文件：reference/firebase-auth.md

涵盖跨平台（Web、Flutter、iOS、Android）的Firebase SDK初始化、社交认证设置、带短信验证的电话认证、带账号关联的匿名认证、用于RBAC的自定义声明、以及安全规则集成。

核心章节：项目设置、SDK初始化、谷歌登录、Facebook登录、电话验证、自定义声明管理、Firestore与Storage规则、Cloud Functions触发器。

Platform Comparison

平台对比

File: reference/comparison.md

Provides detailed comparison matrix covering features, pricing, use cases, migration considerations, and integration complexity.

Key sections: Feature comparison table, pricing breakdown, use case decision matrix, platform migration strategies, ecosystem integration, developer experience comparison.

文件：reference/comparison.md

提供详细的对比矩阵，涵盖功能、定价、适用场景、迁移注意事项与集成复杂度。

核心章节：功能对比表、定价明细、适用场景决策矩阵、平台迁移策略、生态集成、开发者体验对比。

Navigation Guide

导航指南

When working with authentication features:

Start with Quick Platform Selection (above) if choosing a platform
Review Common Authentication Patterns for universal concepts
Open platform-specific reference file for implementation details
Refer to comparison.md when evaluating multiple platforms
Use Context7 tools to access latest platform documentation

处理认证功能时：

若需选择平台，请先查看上方的快速平台选择
查看通用认证模式了解通用概念
打开对应平台的参考文件获取实现细节
评估多个平台时请参考comparison.md
使用Context7工具获取最新平台文档

Context7 Documentation Access

Context7 文档访问

Access up-to-date platform documentation using Context7 MCP:

Auth0:

Use resolve-library-id with "auth0" to get library ID
Use get-library-docs with topic "attack-protection", "mfa", "tokens", "compliance"

Clerk:

Use resolve-library-id with "clerk" to get library ID
Use get-library-docs with topic "nextjs", "react", "authentication"

Firebase Auth:

Use resolve-library-id with "firebase" to get library ID
Use get-library-docs with topic "authentication", "security-rules"

使用Context7 MCP获取最新平台文档：

Auth0:

使用resolve-library-id并传入"auth0"获取库ID
使用get-library-docs并传入主题"attack-protection"、"mfa"、"tokens"、"compliance"

Clerk:

使用resolve-library-id并传入"clerk"获取库ID
使用get-library-docs并传入主题"nextjs"、"react"、"authentication"

Firebase Auth:

使用resolve-library-id并传入"firebase"获取库ID
使用get-library-docs并传入主题"authentication"、"security-rules"

Works Well With

协同工具

moai-platform-supabase: Database with auth integration
moai-platform-vercel: Deployment with edge authentication
moai-lang-typescript: TypeScript patterns for auth SDKs
moai-domain-backend: Backend architecture with authentication
moai-domain-frontend: React/Next.js frontend integration
moai-expert-security: Security audit and threat modeling

Status: Active Version: 2.0.0 (Consolidated Platform Coverage) Last Updated: 2026-02-09 Platforms: Auth0, Clerk, Firebase Auth

moai-platform-supabase：带认证集成的数据库
moai-platform-vercel：带边缘认证的部署平台
moai-lang-typescript：适用于认证SDK的TypeScript模式
moai-domain-backend：带认证的后端架构
moai-domain-frontend：React/Next.js前端集成
moai-expert-security：安全审计与威胁建模

状态：活跃版本：2.0.0（整合平台覆盖）最后更新：2026-02-09 支持平台：Auth0、Clerk、Firebase Auth