{"id":13517073,"url":"https://github.com/gitcommitshow/awesome-authentication","last_synced_at":"2026-02-04T13:35:14.824Z","repository":{"id":129284743,"uuid":"282867988","full_name":"gitcommitshow/awesome-authentication","owner":"gitcommitshow","description":"Resources to learn and implement authentication in your application","archived":false,"fork":false,"pushed_at":"2020-08-10T07:49:56.000Z","size":43,"stargazers_count":130,"open_issues_count":0,"forks_count":8,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-07-02T03:52:21.810Z","etag":null,"topics":["authentication","authentication-backend","authentication-strategy","digital-signature","jwt","learning","oauth2","resources","rfc-7519"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gitcommitshow.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-07-27T10:46:42.000Z","updated_at":"2025-06-06T23:39:59.000Z","dependencies_parsed_at":"2023-05-18T01:30:38.366Z","dependency_job_id":null,"html_url":"https://github.com/gitcommitshow/awesome-authentication","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gitcommitshow/awesome-authentication","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fawesome-authentication","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fawesome-authentication/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fawesome-authentication/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fawesome-authentication/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gitcommitshow","download_url":"https://codeload.github.com/gitcommitshow/awesome-authentication/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gitcommitshow%2Fawesome-authentication/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264537298,"owners_count":23624418,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authentication-backend","authentication-strategy","digital-signature","jwt","learning","oauth2","resources","rfc-7519"],"created_at":"2024-08-01T05:01:29.356Z","updated_at":"2026-02-04T13:35:14.751Z","avatar_url":"https://github.com/gitcommitshow.png","language":null,"readme":"![Banner](./banner_awesome_authentication.png)\n\nThis is a compilation of research on implementing authentication in applications (covering authentication using JWT for now; more approaches will follow soon)\n\n## Fundamentals You Must Know\n\n### Cryptography\n\n* [Asymmetric Cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)\n* [Digital Signatures : Verifying authenticity of a message](https://en.wikipedia.org/wiki/Digital_signature)\n* [Forward Secrecy : A way to protect against future compromises of a private key](https://en.wikipedia.org/wiki/Forward_secrecy)\n* [Encryption vs Signing](https://stackoverflow.com/questions/454048/what-is-the-difference-between-
encrypting-and-signing-in-asymmetric-encryption)\n* [Encryption vs Encoding](https://stackoverflow.com/questions/4657416/difference-between-encoding-and-encryption)\n* [Hashing vs Encoding vs Encryption vs Obfuscation](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/)\n\n### About Tokens\n\n* [JWT](https://tools.ietf.org/html/rfc7519)\n* [JWT vs Opaque tokens](https://medium.com/hackernoon/all-you-need-to-know-about-user-session-security-ee5245e6bdad)\n\n### About Frameworks\n\n* [**OAuth2.0** - authorization framework to enable a third-party application to obtain limited access to an HTTP service](https://tools.ietf.org/html/rfc6749#section-4.1.3)\n* [**OpenIDConnect** - authentication on top of OAuth2.0](https://openid.net/specs/openid-connect-core-1_0.html)\n\n### Web-Security Recommendations\n\n* [Authentication cheatsheet by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)\n* [PKCE - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)\n* [The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://tools.ietf.org/html/rfc6750)\n\n### Secure Key Exchange In Public\n\n* [Diffie-Hellman Key Exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)\n* [An SO answer to build more understanding around the DH algorithm, signatures, forward secrecy, etc.](https://security.stackexchange.com/a/73132/229503)\n* [Diffie-Hellman key exchange implementation in Node.js](https://medium.com/@moghiny/diffie-hellman-key-exchange-theory-and-practice-with-node-js-ab2575e14e8)\n\n### Maintaining Forward Secrecy\n\n* [Double Ratchet Algorithm](https://signal.org/docs/specifications/doubleratchet/)\n* [Signal protocol specs](https://signal.org/docs/) \u0026 [implementation lib in JS](https://github.com/signalapp/libsignal-protocol-javascript)\n\n### Invalidating JWT\n\n* [Strategies to invalidate JWT - SO Q\u0026A](https://stackoverflow.com/questions/
21978658/invalidating-json-web-tokens)\n\n\u003e * Simply remove the token from the client\n\u003e * Create a token blacklist\n\u003e * Just keep token expiry times short and rotate them often\n\u003e * Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials\n\n\u003e A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.\n\n* [Discussion: Is refreshing an expired JWT token a good strategy?](https://security.stackexchange.com/questions/119371/is-refreshing-an-expired-jwt-token-a-good-strategy)\n\n## Security Risks and Criticism of JWT\n\n* [JWT attack - signature as MAC](https://snikt.net/blog/2019/05/16/jwt-signature-vs-mac-attacks/)\n* [Recreating JWT validation bypass](https://insomniasec.com/cdn-assets/Insomnia_Security_-_JWT_Validation_Bypass_in_Auth0_Authentication_API.pdf)\n* [3 JWT design flaws](https://rodarmer.squarespace.com/security-blog/2019/7/21/jwt-security-vulnerabilities)\n* [Stop using JWT for sessions](http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/) and [part 2: Why your solution doesn't work](http://cryto.net/%7Ejoepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/)\n* [Why JWTs Suck as Session Tokens](https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens)\n* [No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid](https://paragonie.com/blog/
2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid) (including JWT, JWE and JWS)\n* https://github.com/shieldfy/API-Security-Checklist/issues/6 with more resources\n* [Things to Use Instead of JWT](https://kevin.burke.dev/kevin/things-to-use-instead-of-jwt/)\n* [Branca as an Alternative to JWT?](https://appelsiini.net/2017/branca-alternative-to-jwt/)\n* [Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.)](https://paragonie.com/blog/2018/03/paseto-platform-agnostic-security-tokens-is-secure-alternative-jose-standards-jwt-etc)\n\n## Implementations (Examples/Demos)\n\n* [Demo: DocuSign API auth workflow using JWT access tokens and refresh tokens](https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken)\n* [JWT Authentication \u0026 Authorization in Node.js/Express \u0026 MongoDB REST APIs (2019)](https://medium.com/swlh/jwt-authentication-authorization-in-nodejs-express-mongodb-rest-apis-2019-ad14ec818122)\n* [JWT+Passport](https://medium.com/front-end-weekly/learn-using-jwt-with-passport-authentication-9761539c4314)\n* [JWT+Passport : Code](https://gist.github.com/ArVan/a8eb2bff9e453a1850d17dd3af1d0bea#file-app-js)\n* [JWT+Passport : Guide on DO](https://www.digitalocean.com/community/tutorials/api-authentication-with-json-web-tokensjwt-and-passport)\n* [Passport-jwt](https://github.com/mikenicholson/passport-jwt)\n* [Refreshing a token using node-jsonwebtoken](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48)\n* [OAuth2 server with Node.js](https://blog.cloudboost.io/how-to-make-an-oauth-2-server-with-node-js-a6db02dc2ce7)\n* [OAuth libraries for Node.js](https://oauth.net/code/nodejs/)\n* **[Inspiration: Read Firefox Accounts code - all services including auth-server, profile-server](https://github.com/mozilla/
fxa) [Documentation](https://mozilla.github.io/application-services/docs/accounts/welcome.html)**\n* **[OAuth2 server toolkit for Node.js](https://github.com/jaredhanson/oauth2orize)**\n* [OAuth2 Server and OpenID Connect Provider written in Go - SDKs in all languages](https://github.com/ory/hydra)\n* **[JavaScript client SDK to communicate with OAuth 2.0 and OpenID Connect providers](https://github.com/openid/AppAuth-JS)**\n* [AuthZ lib supporting ACL, RBAC, ABAC in Node.js](https://github.com/casbin/node-casbin)\n* [Google OpenIDConnect authentication](https://developers.google.com/identity/protocols/oauth2/openid-connect)\n\n## Useful Tools\n\n* [Encode or Decode JWTs](https://www.jsonwebtoken.io/)\n* [Learn JWT by reverse engineering](https://github.com/gitcommitshow/auth-jwt)\n","funding_links":[],"categories":["Technical","Others","Other Lists"],"sub_categories":["awesome-*","TeX Lists"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitcommitshow%2Fawesome-authentication","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgitcommitshow%2Fawesome-authentication","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgitcommitshow%2Fawesome-authentication/lists"}