InterviewStack.io LogoInterviewStack.io

Authorization and Identity Systems Questions

Design, implementation, and operation of identity and authorization systems that control who can access which resources and actions across products and services. Areas include customer identity management and identity lifecycle, authentication and token management using JSON Web Tokens and OAuth flows, session and token refresh and revocation strategies, API key lifecycle and rotation, role based access control and attribute based access control models, policy evaluation engines and permissions data modeling, placement of enforcement points across gateway, service, and data layers, caching of authorization decisions and cache invalidation strategies, preventing privilege escalation and secure default permissions, threat modeling and secure storage of secrets, logging and auditing for compliance, rate limiting tied to identity, testing strategies for authorization, and operational practices such as monitoring, alerting, capacity planning, graceful degradation, incident response, and recovery for authorization services. Candidates without direct IAM experience should explain how core backend system skills translate to this domain.

MediumSystem Design
67 practiced
Design an audit logging pipeline for authentication and authorization events: define a structured log format, secure transport from apps to collectors, storage/indexing strategy for fast queries, tamper-evidence or immutability considerations, alerting, and cost-effective retention that meets compliance and forensic needs.
HardSystem Design
62 practiced
Design an authorization service for a globally distributed microservices architecture which must handle hundreds of thousands of requests per second with low latency. Include decisions on token format (JWT vs reference tokens), enforcement placement (gateway, sidecar, in-service), replication and key management across regions, permission change propagation, and failover strategies that preserve availability and security.
HardTechnical
82 practiced
Perform a detailed threat model for your authorization layer using STRIDE: identify threats such as token theft, replay, impersonation, privilege escalation, CSRF, SSRF, insider misuse; map attack paths and trust boundaries; assign risk levels and propose mitigations. For each mitigation propose measurable KPIs and alerting thresholds to detect exploitation.
MediumTechnical
64 practiced
Design a testing strategy to ensure authorization correctness in CI/CD: include unit tests for policy logic, integration tests that simulate roles and permissions, contract tests between services, end-to-end UI tests that assert both allow and deny cases, and negative tests that prove certain users cannot perform actions. Explain how to maintain test suites when policies evolve.
MediumTechnical
64 practiced
You must implement multi-tenant RBAC where each tenant has its own roles and tenant-specific admins, while platform staff have global admin roles. Design the permission model and database layout that supports tenant isolation, role inheritance, and cross-tenant support for platform operators. Explain how to enforce checks at runtime and how to migrate existing single-tenant roles.

Unlock Full Question Bank

Get access to hundreds of Authorization and Identity Systems interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.