InterviewStack.io LogoInterviewStack.io

Authentication and Authorization Questions

Cover core concepts and implementation trade offs for securing backend services. Candidates should demonstrate understanding of token based authentication and server side session strategies, how to securely issue and rotate credentials, techniques for revocation and refresh, secure storage of secrets, use of third party identity providers, common threat mitigations such as cross site request forgery protection and secure transmission practices, and design patterns for role based and attribute based access control. Interviewers will evaluate the candidate ability to reason about scalability and revocation trade offs and to design secure application programming interface permission checks.

EasyTechnical
84 practiced
Explain the differences between OAuth 2.0 and OpenID Connect (OIDC). In your answer describe which protocol is primarily for authorization vs authentication, typical flows (authorization code vs implicit vs client credentials), and when a team should implement OIDC instead of plain OAuth2.
HardTechnical
82 practiced
Given a token introspection endpoint experiencing 50k QPS, design a caching and verification strategy to scale. Describe edge/local caches, TTL selection, cache stampede protection, how to handle key rotation and revocation invalidation, and provide pseudocode that shows token check flow: cache lookup -> validation -> fallback to introspection.
EasyTechnical
64 practiced
For cloud-native production systems, describe secure options for storing secrets such as API keys, DB credentials, and private keys. Compare environment variables, secrets management services, and Hardware Security Modules (HSMs) in terms of access control, auditing, rotation, and developer ergonomics.
MediumTechnical
67 practiced
Describe a key rotation strategy for signing tokens: cover both symmetric HMAC keys and asymmetric RSA/EC keys. Explain how you would publish key metadata (kid), handle verification of tokens signed by older keys during rollover, and the operational steps to rotate keys safely with minimal downtime.
EasyTechnical
83 practiced
Explain why immediate revocation of stateless tokens such as JWTs is challenging. List at least three practical techniques to implement revocation for JWTs (for example token introspection, short TTLs, revocation lists) and discuss the trade-offs in latency, storage, and complexity for each technique.

Unlock Full Question Bank

Get access to hundreds of Authentication and Authorization interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.