InterviewStack.io LogoInterviewStack.io

Authentication and Access Control Questions

Comprehensive coverage of methods, protocols, design principles, and practical mechanisms for proving identity and enforcing permissions across systems. Authentication topics include credential based methods such as passwords and secure password storage, Multi Factor Authentication, one time passwords, certificate based and passwordless authentication, biometric options, federated identity and single sign on using Open Authorization, OpenID Connect and Security Assertion Markup Language, and service identity approaches such as Kerberos and mutual Transport Layer Security. Covers token based and session based patterns including JSON Web Token and session cookies, secure cookie practices, token lifecycle and refresh strategies, token revocation approaches, refresh token design, and secure storage and transport of credentials and tokens. Authorization and access control topics include role based access control, attribute based access control, discretionary and mandatory access control, access control lists and policy based access control, Open Authorization scopes and permission modeling, privilege management and the principle of least privilege, and defenses against privilege escalation and broken access control. The description also addresses cryptographic foundations that underlie identity systems including symmetric and asymmetric cryptography, public key infrastructure and certificate lifecycle management, secure key management and rotation, and encryption in transit and at rest. Common threats and mitigations are covered, such as credential stuffing, brute force attacks, replay attacks, session fixation, cross site request forgery, broken authentication logic, rate limiting, account lockout strategies, secrets management, secure transport, and careful authorization checks. Candidates should be able to design authentication and authorization flows for both user and service identities, evaluate protocol and implementation trade offs, specify secure lifecycle and storage strategies for credentials and tokens, and propose mitigations for common failures and attacks.

MediumTechnical
90 practiced
Explain the differences between an OpenID Connect ID token and an OAuth access token. Describe what each token should contain, who is supposed to consume each one, and common developer mistakes such as using ID tokens as bearer tokens for APIs.
HardTechnical
51 practiced
Design an approach to map OAuth scopes to application-level fine-grained permissions for APIs. Support hierarchical permissions, resource-level checks (including field-level authorization), policy caching for performance, and explain how to ensure permission updates take effect promptly for existing tokens while maintaining high throughput for API endpoints.
MediumTechnical
47 practiced
Stateless JWTs are used as access tokens in your API. Describe three practical strategies to support token revocation (for example after logout or credential compromise): short-lived access tokens, server-side denylist/blacklist checks, and token versioning or revocation fields in user data. For each approach, analyze pros/cons, operational costs, and expected latency impact on each API request.
EasyTechnical
45 practiced
Describe secure password storage best practices for a web application. Include recommended hashing algorithms (bcrypt, Argon2), the role of salts and optional peppers, how to choose cost/iteration parameters, and considerations and steps for migrating from an insecure hashing scheme (for example migrating from plain SHA1 to Argon2) without forcing all users to reset passwords immediately.
EasyTechnical
49 practiced
Compare access tokens and refresh tokens in terms of their intended purpose, recommended lifetimes, where they should be stored in a web architecture that includes a browser-based SPA and a backend API, and the primary threat models for each token type.

Unlock Full Question Bank

Get access to hundreds of Authentication and Access Control interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.