```text
OAuth 2.1 MANDATORY REQUIREMENTS
(RFC 9798 - 2025)
─────────────────────────────────────────────

✅ REQUIRED (Breaking Changes from OAuth 2.0)
├─ PKCE (Proof Key for Code Exchange) MANDATORY
│  └─ S256 method (SHA-256), minimum entropy 43 chars
├─ Exact redirect URI matching
│  └─ No wildcard matching, no substring matching
├─ Authorization code flow ONLY for public clients
│  └─ All other flows require confidential client
└─ TLS 1.2+ required for all endpoints

❌ REMOVED (No Longer Supported)
├─ Implicit grant (security vulnerabilities)
├─ Resource Owner Password Credentials grant
│  └─ Use OAuth 2.0 Device Flow (RFC 8628) instead
└─ Bearer token in query parameters
   └─ Must use Authorization header or POST body
```
`alg: none`

```json
{
  "iss": "https://auth.example.com",
  "sub": "user-id-123",
  "aud": "api.example.com",
  "exp": 1234567890,
  "iat": 1234567890,
  "jti": "unique-token-id",
  "scope": "read:profile write:data"
}
```
```text
Algorithm: Argon2id
Memory cost (m): 64 MB (65536 KiB)
Time cost (t): 3 iterations
Parallelism (p): 4 threads
Salt length: 16 bytes (128 bits)
Target hash time: 150-250ms
```
`references/password-hashing.md`

`references/passkeys-webauthn.md`

```text
Authorization Model Selection
─────────────────────────────

Simple Roles (<20 roles)
└─ RBAC with Casbin (embedded, any language)
   Example: Admin, User, Guest

Complex Attribute Rules
└─ ABAC with OPA or Cerbos
   Example: "Allow if user.clearance >= doc.level
             AND user.dept == doc.dept"

Relationship-Based (Multi-Tenant, Collaborative)
└─ ReBAC with SpiceDB (Zanzibar model)
   Example: "Can edit if member of doc's workspace
             AND workspace.plan includes feature"
   Use cases: Notion-like, GitHub-like permissions

Kubernetes / Infrastructure Policies
└─ OPA (Gatekeeper for admission control)
   Example: Enforce pod security policies
```

`references/authorization-patterns.md`
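The three application-level models in the selection table differ in what the decision function reads: a role table, the attributes of subject and resource, or a relationship graph. The following is an added example, not code from the original page or from Casbin, OPA, Cerbos or SpiceDB: each of the three quoted rules written as a plain, default-deny function over constructed data, so the shape of the check is visible before it is moved into a policy engine. The role names come from the table; the permission strings, the plan-to-feature table, the user and workspace records and the function names are this example's own.

```javascript
// Added example, not from the original page: RBAC, ABAC and ReBAC checks
// over constructed data, each defaulting to deny.

// RBAC: a static role -> permission map. Unknown roles and unknown
// permissions both fall through to false.
const ROLE_PERMISSIONS = { // constructed
  Admin: new Set(['doc:read', 'doc:write', 'user:manage']),
  User: new Set(['doc:read', 'doc:write']),
  Guest: new Set(['doc:read']),
};
function rbacAllows(role, permission) {
  return ROLE_PERMISSIONS[role]?.has(permission) ?? false;
}

// ABAC: "Allow if user.clearance >= doc.level AND user.dept == doc.dept".
// Attributes are type-checked first so a missing field cannot coerce into
// a permissive comparison (undefined >= 2 is false, but be explicit).
function abacAllowsRead(user, doc) {
  return Number.isInteger(user.clearance) && Number.isInteger(doc.level)
    && user.clearance >= doc.level
    && typeof user.dept === 'string' && user.dept === doc.dept;
}

// ReBAC: "Can edit if member of doc's workspace AND workspace.plan includes
// feature". Relationships are stored as Zanzibar-style tuples of the form
// object#relation@subject; the plan table is a constructed stand-in.
class RelationStore {
  constructor() { this.tuples = new Set(); }
  write(object, relation, subject) { this.tuples.add(`${object}#${relation}@${subject}`); }
  check(object, relation, subject) { return this.tuples.has(`${object}#${relation}@${subject}`); }
}
const PLAN_FEATURES = { free: new Set(['view']), team: new Set(['view', 'edit']) }; // constructed

function rebacAllowsEdit(store, userId, doc, workspaces) {
  const ws = workspaces[doc.workspaceId];
  if (!ws) return false;
  const member = store.check(`workspace:${doc.workspaceId}`, 'member', `user:${userId}`);
  return member && (PLAN_FEATURES[ws.plan]?.has('edit') ?? false);
}

// Stand-alone walk-through over a small constructed dataset.
function demoAuthz() {
  const store = new RelationStore();
  store.write('workspace:acme', 'member', 'user:alice');
  store.write('workspace:startup', 'member', 'user:bob');
  const workspaces = { acme: { plan: 'team' }, startup: { plan: 'free' } };
  const doc = { workspaceId: 'acme', level: 2, dept: 'eng' };
  return {
    guestWrite: rbacAllows('Guest', 'doc:write'), // false
    adminManage: rbacAllows('Admin', 'user:manage'), // true
    abacSameDept: abacAllowsRead({ clearance: 3, dept: 'eng' }, doc), // true
    abacOtherDept: abacAllowsRead({ clearance: 3, dept: 'sales' }, doc), // false
    aliceEdits: rebacAllowsEdit(store, 'alice', doc, workspaces), // true
    bobEdits: rebacAllowsEdit(store, 'bob', doc, workspaces), // false: not a member
    bobEditsOwn: rebacAllowsEdit(store, 'bob', { ...doc, workspaceId: 'startup' }, workspaces), // false: free plan
  };
}
```

The ReBAC check is the one that does not scale as a hand-written function: once "member" can be inherited through groups or parent folders, the lookup becomes a graph walk, which is exactly what SpiceDB's Zanzibar model provides.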
| Use Case | Library | Context7 ID | Trust | Notes |
|---|---|---|---|---|
| Auth Framework | Auth.js v5 | | 87.4 | Multi-framework (Next, Svelte, Solid) |
| JWT | jose 5.x | - | - | EdDSA, ES256, RS256 support |
| Passkeys | @simplewebauthn/server 11.x | - | - | FIDO2 server |
| Validation | Zod 3.x | | 90.4 | Schema validation |
| Policy Engine | Casbin.js 1.x | - | - | RBAC/ABAC embedded |
| Use Case | Library | Notes |
|---|---|---|
| Auth Framework | Authlib 1.3+ | OAuth/OIDC client + server |
| JWT | joserfc 1.x | Modern, maintained |
| Passkeys | py_webauthn 2.x | WebAuthn server |
| Password Hashing | argon2-cffi 24.x | OWASP parameters |
| Validation | Pydantic 2.x | FastAPI integration |
| Policy Engine | PyCasbin 1.x | RBAC/ABAC embedded |
| Use Case | Library | Notes |
|---|---|---|
| JWT | jsonwebtoken 10.x | EdDSA, ES256, RS256 |
| OAuth Client | oauth2 5.x | OAuth 2.1 flows |
| Passkeys | webauthn-rs 0.5.x | WebAuthn + attestation |
| Password Hashing | argon2 0.5.x | Native Argon2id |
| Policy Engine | Casbin-RS 2.x | RBAC/ABAC embedded |
| Use Case | Library | Notes |
|---|---|---|
| JWT | golang-jwt v5 | Community-maintained |
| OAuth Client | go-oidc v3 | OIDC client only |
| Passkeys | go-webauthn 0.11.x | Duo-maintained |
| Password Hashing | golang.org/x/crypto/argon2 | Standard library |
| Policy Engine | Casbin v2 | Original implementation |
| Service | Best For | Key Features |
|---|---|---|
| Clerk | Rapid development, startups | Prebuilt UI, Next.js SDK |
| Auth0 | Enterprise, established | 25+ social providers, SSO |
| WorkOS AuthKit | B2B SaaS, enterprise SSO | SAML/SCIM, admin portal |
| Supabase Auth | Postgres users | Built on Postgres, RLS |
`references/managed-auth-comparison.md`

| Solution | Language | Use Case |
|---|---|---|
| Keycloak | Java | Enterprise, on-prem |
| Ory | Go | Cloud-native, microservices |
| Authentik | Python | Modern, developer-friendly |
`references/self-hosted-auth.md`

```js
// Tiered rate limiting (per IP + per user)
const rateLimits = {
  anonymous: '10 requests/minute',
  authenticated: '100 requests/minute',
  premium: '1000 requests/minute',
}
```
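The tier map above says what the limits are but not how "per IP + per user" is keyed. The following is an added example, not code from the original page or from any rate-limiting library: a sliding-window limiter that parses the tier strings, keys anonymous traffic by IP and authenticated traffic by user id (so a signed-in user cannot reset their budget by changing address), and takes an injectable clock so the behaviour is deterministic. The class name, the request shape `{ ip, user: { id, premium } }`, the TEST-NET sample addresses and the `demoRateLimit` walk-through are this example's own.

```javascript
// Added example, not from the original page: tiered sliding-window limiter
// keyed per IP for anonymous callers and per user id for authenticated ones.
const rateLimitTiers = { // same values as the config above
  anonymous: '10 requests/minute',
  authenticated: '100 requests/minute',
  premium: '1000 requests/minute',
};

const WINDOW_MS = { second: 1_000, minute: 60_000, hour: 3_600_000 };

// "10 requests/minute" -> { limit: 10, windowMs: 60000 }
function parseLimit(spec) {
  const m = /^(\d+)\s+requests\/(second|minute|hour)$/.exec(spec);
  if (!m) throw new TypeError(`bad rate limit spec: ${spec}`);
  return { limit: Number(m[1]), windowMs: WINDOW_MS[m[2]] };
}

class TieredRateLimiter {
  constructor(tiers, now = () => Date.now()) {
    this.limits = Object.fromEntries(Object.entries(tiers).map(([t, s]) => [t, parseLimit(s)]));
    this.now = now;
    this.hits = new Map(); // key -> timestamps of requests inside the current window
  }

  // Authenticated users are keyed by id, not address, so rotating IPs does not
  // buy a fresh budget; anonymous callers can only be keyed by IP.
  static keyFor(req) { return req.user ? `user:${req.user.id}` : `ip:${req.ip}`; }

  static tierFor(req) {
    if (!req.user) return 'anonymous';
    return req.user.premium ? 'premium' : 'authenticated';
  }

  check(req) {
    const tier = TieredRateLimiter.tierFor(req);
    const { limit, windowMs } = this.limits[tier];
    const key = TieredRateLimiter.keyFor(req);
    const t = this.now();
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < windowMs);
    if (recent.length >= limit) {
      this.hits.set(key, recent);
      return { allowed: false, tier, remaining: 0, retryAfterMs: recent[0] + windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, tier, remaining: limit - recent.length };
  }
}

// Stand-alone run with a fixed clock: an anonymous address exhausts its 10
// requests, and an authenticated user seen from two addresses shares one budget.
function demoRateLimit() {
  let clock = 0;
  const limiter = new TieredRateLimiter(rateLimitTiers, () => clock);
  const anon = { ip: '203.0.113.7' }; // constructed TEST-NET-3 address
  const results = Array.from({ length: 11 }, () => limiter.check(anon).allowed);
  clock += 60_000; // the minute window has rolled over
  const afterWindow = limiter.check(anon).allowed;
  const userA = { ip: '198.51.100.1', user: { id: 'user-id-123' } };
  const userB = { ip: '198.51.100.2', user: { id: 'user-id-123' } };
  for (let i = 0; i < 100; i += 1) limiter.check(i % 2 ? userA : userB);
  return {
    anonymousAllowed: results.filter(Boolean).length, // 10
    eleventhBlocked: results[10] === false, // true
    afterWindow, // true
    userSharedBudget: limiter.check(userA).allowed, // false: 100 used across both IPs
  };
}
```

The `retryAfterMs` value is what a handler would turn into a `Retry-After` header; the in-memory `Map` is fine for one process, and a shared store (Redis or similar) is needed once the API runs on more than one instance.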
```js
// Restrictive CORS (production)
const corsOptions = {
  origin: ['https://app.example.com'],
  credentials: true,
  maxAge: 86400, // 24 hours
  allowedHeaders: ['Content-Type', 'Authorization'],
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
}
// NEVER use origin: '*' with credentials: true
```
```js
const securityHeaders = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
}
```

`references/api-security.md`
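The CORS options and the security header set above are configuration; what matters is how a server turns them into headers for a given request. The following is an added example, not code from the original page or from the `cors` or `helmet` packages: it validates the CORS configuration up front (rejecting the `'*'` plus `credentials: true` combination the note above forbids), grants CORS only to an origin that matches the allowlist exactly, echoes that origin rather than `*`, adds `Vary: Origin` so shared caches do not serve one origin's answer to another, answers preflights with the configured methods, headers and max-age, and attaches the security headers to every response. The function names and the request shape `{ method, headers }` are this example's own; the header values are the ones listed above.

```javascript
// Added example, not from the original page: turning the CORS options and
// security header set above into per-request response headers.
const corsConfig = {
  origin: ['https://app.example.com'],
  credentials: true,
  maxAge: 86400,
  allowedHeaders: ['Content-Type', 'Authorization'],
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
};
const securityHeaderSet = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
};

// Fail fast on a configuration that would let any site send credentialed
// requests; browsers reject the combination, but it must never ship.
function validateCorsConfig(cfg) {
  if (!Array.isArray(cfg.origin) || cfg.origin.length === 0) {
    throw new TypeError('origin must be a non-empty allowlist');
  }
  if (cfg.credentials && cfg.origin.includes('*')) {
    throw new TypeError("origin '*' cannot be combined with credentials: true");
  }
  for (const o of cfg.origin) {
    if (!/^https:\/\/[^/\s]+$/.test(o)) {
      throw new TypeError(`origin must be an https scheme+host with no path: ${o}`);
    }
  }
  return cfg;
}

// req: { method, headers: { origin?, 'access-control-request-method'? } }
function buildResponseHeaders(req, cfg = corsConfig, security = securityHeaderSet) {
  validateCorsConfig(cfg);
  const headers = { ...security, Vary: 'Origin' };
  const origin = req.headers.origin;
  // Same-origin or non-browser requests carry no Origin header and get no
  // CORS grant; an origin outside the allowlist gets none either.
  if (typeof origin !== 'string' || !cfg.origin.includes(origin)) {
    return { headers, preflight: false, corsGranted: false };
  }
  headers['Access-Control-Allow-Origin'] = origin; // echo the matched value, never '*'
  if (cfg.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (preflight) {
    headers['Access-Control-Allow-Methods'] = cfg.methods.join(', ');
    headers['Access-Control-Allow-Headers'] = cfg.allowedHeaders.join(', ');
    headers['Access-Control-Max-Age'] = String(cfg.maxAge);
  }
  return { headers, preflight, corsGranted: true };
}
```

The allowlist comparison is `includes`, i.e. exact string equality: `https://app.example.com.other.example` or `https://app.example.com:8443` do not match, which is the behaviour a substring or regex check would silently lose.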
```ts
// middleware.ts
import { withAuth } from 'next-auth/middleware'

export default withAuth({
  callbacks: {
    // /dashboard needs any signed-in user; /admin needs the admin role claim
    // on the token. Everything else matched below is allowed through.
    authorized: ({ token, req }) => {
      if (req.nextUrl.pathname.startsWith('/dashboard')) {
        return !!token
      }
      if (req.nextUrl.pathname.startsWith('/admin')) {
        return token?.role === 'admin'
      }
      return true
    },
  },
})

// Only these paths run the middleware at all.
export const config = {
  matcher: ['/dashboard/:path*', '/admin/:path*'],
}
```
```tsx
import { useSession } from 'next-auth/react'

export function AdminPanel() {
  const { data: session } = useSession()
  // Client-side check only hides the UI; the server must still enforce the role.
  if (session?.user?.role !== 'admin') {
    return null
  }
  return <div>Admin Controls</div>
}
```
- `references/oauth21-guide.md`
- `scripts/generate_jwt_keys.py`
- `references/jwt-best-practices.md`
- `examples/passkeys-demo/`
- `references/authorization-patterns.md`
- `python scripts/generate_jwt_keys.py --algorithm EdDSA`
- `python scripts/validate_oauth_config.py --config oauth.json`
- `examples/authjs-nextjs/`
- `examples/keycloak-fastapi/`
- `references/passkeys-webauthn.md`
- `references/password-hashing.md`