Authentication & Authorization
Authentication and authorization ensure that only the right users can access your system and that they can only do what they are allowed to do. Authentication verifies who a user is (for example via a password, token, or OAuth provider), while authorization determines which resources and actions that user is permitted to access. A good implementation protects sensitive data, reduces security risks, and gives users a predictable experience across your application.
For this product, you describe how authentication and authorization are implemented in your project, which flows and roles exist, and how you keep credentials and tokens secure.
Authentication & Authorization
There are many ways to implement authentication and authorization in a back-end system:
- Session-based authentication (cookies and server-side sessions)
- Token-based authentication (for example JWT)
- OAuth2 / OpenID Connect (login via external identity providers)
- Role-based access control (RBAC) and/or attribute-based access control (ABAC)
In your project you choose an approach that fits the requirements and context (web app, API, mobile client, etc.) and document how login, logout, and permission checks work end-to-end.
Quality indicators
When assessing this product, the following quality indicators will be considered:
- The authentication & authorization document is self-contained, starting with an introduction/context and then describing the chosen approach.
- It clearly explains which authentication mechanism is used (sessions, tokens, OAuth2/OIDC, etc.) and why.
- It describes how user identities are stored and managed (for example in a database, external identity provider).
- It describes how authorization works (roles, permissions, rules) and where in the code checks are performed.
- It includes sequence or flow diagrams, or textual flows, that show the login, logout, and token/permission validation steps.
- It includes code or configuration examples (routes, middleware, guards, policies) that demonstrate how authentication and authorization are enforced.
- It explains how sensitive data such as passwords, tokens, and secrets are protected (hashing, encryption, secure storage, environment variables).
- It includes references to the code in GitLab where authentication and authorization are implemented.
- It includes a list of sources used to design and implement authentication and authorization.
Template
To document authentication and authorization in your own project, you can use the following template:
# Authentication & Authorization
In this section, describe in a few sentences how authentication and authorization are used in your application and why this approach fits your project. This is the main text of your document.
## Context & Requirements
Here you describe the context of your application (web app, API, mobile, internal tool, etc.) and the security requirements:
- Which users or roles exist
- Which resources need protection
- What risks you want to mitigate (for example data leaks, account takeover)
## Authentication
Here you describe how authentication works:
- Which mechanism you use (sessions, tokens, OAuth2/OIDC, etc.)
- How users log in and log out
- How credentials are stored and verified
- How tokens or sessions are created, validated, refreshed, and revoked
Add code and/or configuration examples (for example middleware, routes, controllers) and references to the code in GitLab.
## Authorization
Here you describe how authorization works:
- Which roles, permissions, or rules exist
- How access control is enforced in the code (for example middleware, guards, policies)
- How you keep authorization logic maintainable and testable
Add examples of protected endpoints and explain which checks are performed and why.
## Security Considerations
Here you describe how you protect sensitive data and prevent common attacks:
- Password hashing and storage
- Protection of tokens and secrets
- Protection against session fixation, token theft, and similar issues
## Sources
List here the sources you used to design and implement authentication and authorization. Think of documentation, articles, videos, books, and so on.
Also include sources that helped you write the code.