InterviewStack.io

Authorization and Identity Systems Questions

Design, implementation, and operation of the identity and authorization systems that control who can access which resources and actions across products and services. Topics include customer identity management and the identity lifecycle; authentication and token management using JSON Web Tokens and OAuth flows; session and token refresh and revocation strategies; API key lifecycle and rotation; role-based and attribute-based access control models; policy evaluation engines and permissions data modeling; placement of enforcement points across gateway, service, and data layers; caching of authorization decisions and cache invalidation; preventing privilege escalation and choosing secure default permissions; threat modeling and secure storage of secrets; logging and auditing for compliance; rate limiting tied to identity; testing strategies for authorization; and operational practices such as monitoring, alerting, capacity planning, graceful degradation, incident response, and recovery for authorization services. Candidates without direct IAM experience should explain how core backend system skills translate to this domain.

Easy | Technical | 78 practiced
Explain the OAuth 2.0 flows: authorization code, implicit, client credentials, and refresh token. For each flow describe typical use-cases (SPA, server-side web app, machine-to-machine), security characteristics, and why PKCE is recommended for public clients. Give a short example of which flow you'd pick for an SPA that also needs offline access.
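
A worked example for this question, added here and not part of InterviewStack.io's answer bank: the authorization-code flow with PKCE (RFC 7636) run end to end in one process, which is the flow to pick for an SPA that also needs offline access (the refresh token comes back with the access token). The `AuthorizationServer` class, the `spa-client` id and the in-memory code store are hypothetical stand-ins so the exchange runs offline; the point demonstrated is why PKCE protects a public client that cannot keep a client secret: an attacker who intercepts the authorization code still lacks the verifier, and a redeemed code cannot be replayed.

```python
from __future__ import annotations

import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh high-entropy code_verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))           # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """In-memory stand-in for the authorization server (hypothetical, single client)."""

    def __init__(self) -> None:
        # authorization code -> {client_id, challenge, used}
        self._codes: dict[str, dict] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """/authorize: bind the challenge to a single-use code. Only S256 is accepted;
        'plain' would let anyone who saw the challenge redeem the code."""
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge, "used": False}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """/token: the verifier must hash to the stored challenge. The code is burned
        on first use, success or failure, so an intercepted code cannot be replayed."""
        rec = self._codes.get(code)
        if rec is None or rec["used"] or rec["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        rec["used"] = True
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            raise PermissionError("invalid_grant: verifier does not match challenge")
        # Refresh token returned because the SPA asked for offline access; a real
        # server would rotate it on every use and bind it to this client.
        return {
            "access_token": b64url(secrets.token_bytes(16)),
            "refresh_token": b64url(secrets.token_bytes(16)),
            "token_type": "Bearer",
        }


def demo() -> dict:
    """Walk the flow for the SPA and for an attacker who intercepted the code."""
    srv = AuthorizationServer()

    # 1. Legitimate SPA: keeps the verifier in memory, sends only the challenge.
    verifier, challenge = make_pkce_pair()
    code = srv.authorize("spa-client", challenge, "S256")
    tokens = srv.token("spa-client", code, verifier)
    legit_ok = "refresh_token" in tokens

    # 2. Replaying the same code after it was redeemed must fail.
    try:
        srv.token("spa-client", code, verifier)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    # 3. Attacker who captured a fresh code (e.g. via a hijacked redirect URI)
    #    but never saw the verifier cannot redeem it.
    _, challenge2 = make_pkce_pair()
    code2 = srv.authorize("spa-client", challenge2, "S256")
    attacker_verifier, _ = make_pkce_pair()
    try:
        srv.token("spa-client", code2, attacker_verifier)
        wrong_verifier_rejected = False
    except PermissionError:
        wrong_verifier_rejected = True

    return {
        "legit_ok": legit_ok,
        "replay_rejected": replay_rejected,
        "wrong_verifier_rejected": wrong_verifier_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The same check is what rules out the implicit flow for the SPA: implicit returns the access token in the redirect fragment with nothing for the client to prove, and it never issues a refresh token, so offline access is impossible without the authorization-code flow.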
Hard | Technical | 126 practiced
You must provide near-instant revocation for millions of active JWTs without checking a central DB for every request. Propose a revocation architecture that minimizes runtime impact yet ensures compromised tokens are rejected quickly. Discuss token design (jti, iat, versions), data structures (blacklists, bloom filters), memory costs, false-positive/negative trade-offs, and operational complexity.
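
A worked example for this question, added here and not part of InterviewStack.io's answer bank. It shows one concrete shape of the architecture: each service keeps a small in-memory revocation state (assumed to be fed by a revocation event feed, which is not shown), consisting of a per-user token version for "revoke everything" events and a jti blacklist for single tokens, with a Bloom filter in front so the common case never touches the blacklist. The claim sets, clock value and `RevocationChecker` name are constructed for the demo, and the check assumes the JWT signature and issuer were already verified upstream.

```python
from __future__ import annotations

import hashlib
import math
import time


def bloom_size_bits(n_items: int, fp_rate: float) -> int:
    """Bits needed for n_items at roughly fp_rate false positives (m = -n ln p / ln^2 2)."""
    return int(math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))


class BloomFilter:
    """'No' answers are definitive; 'maybe' answers must be confirmed elsewhere."""

    def __init__(self, n_items: int, fp_rate: float = 0.01) -> None:
        self.m = max(64, bloom_size_bits(max(n_items, 1), fp_rate))
        self.k = max(1, round(self.m / max(n_items, 1) * math.log(2)))
        self.bits = bytearray(self.m // 8 + 1)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_contains(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

    def memory_bytes(self) -> int:
        return len(self.bits)


class RevocationChecker:
    """Per-service revocation state; in production it is fed by a pub/sub feed (assumed)."""

    def __init__(self, expected_revoked: int = 10_000, fp_rate: float = 0.01) -> None:
        self.expected_revoked = expected_revoked
        self.fp_rate = fp_rate
        self.user_version: dict[str, int] = {}     # sub -> current token version
        self.denied_jti: dict[str, float] = {}     # jti -> exp (authoritative blacklist)
        self.bloom = BloomFilter(expected_revoked, fp_rate)
        self.slow_lookups = 0                      # times the pre-filter answered "maybe"

    def current_version(self, sub: str) -> int:
        return self.user_version.get(sub, 0)

    def revoke_token(self, claims: dict) -> None:
        """Deny one token; the entry is only needed until that token expires."""
        self.denied_jti[claims["jti"]] = claims["exp"]
        self.bloom.add(claims["jti"])

    def revoke_all_for_user(self, sub: str) -> None:
        """Bump the version: every token issued with an older 'ver' claim is rejected."""
        self.user_version[sub] = self.current_version(sub) + 1

    def prune(self, now: float) -> None:
        """Drop entries for tokens that expired anyway, so memory is bounded by the
        number of revocations per token lifetime. Bloom filters cannot delete, so rebuild."""
        self.denied_jti = {j: e for j, e in self.denied_jti.items() if e > now}
        self.bloom = BloomFilter(self.expected_revoked, self.fp_rate)
        for jti in self.denied_jti:
            self.bloom.add(jti)

    def is_valid(self, claims: dict, now: float | None = None) -> bool:
        """Assumes signature and issuer were already verified by the JWT library."""
        now = time.time() if now is None else now
        if claims["exp"] <= now:
            return False
        if claims.get("ver", 0) < self.current_version(claims["sub"]):
            return False                                    # revoked by version bump
        if not self.bloom.maybe_contains(claims["jti"]):
            return True                                     # fast path: no lookup at all
        self.slow_lookups += 1                              # true hit or false positive
        return claims["jti"] not in self.denied_jti


def demo() -> dict:
    now = 1_700_000_000.0                                   # fixed clock for the demo
    rc = RevocationChecker()

    def issue(sub: str, jti: str) -> dict:                  # constructed claim sets
        return {"sub": sub, "jti": jti, "iat": now, "exp": now + 900,
                "ver": rc.current_version(sub)}

    t1, t2, t3 = issue("alice", "jti-1"), issue("alice", "jti-2"), issue("bob", "jti-3")
    out = {"fresh": rc.is_valid(t1, now)}
    rc.revoke_token(t1)                                     # one token compromised
    out["revoked_one"] = rc.is_valid(t1, now)
    out["sibling_still_valid"] = rc.is_valid(t2, now)
    rc.revoke_all_for_user("alice")                         # e.g. password reset
    out["after_bump"] = rc.is_valid(t2, now)
    out["reissued"] = rc.is_valid(issue("alice", "jti-4"), now)
    out["other_user"] = rc.is_valid(t3, now)
    rc.prune(now + 901)                                     # t1 has expired by now
    out["denylist_after_prune"] = len(rc.denied_jti)
    out["bloom_bytes"] = rc.bloom.memory_bytes()
    return out


if __name__ == "__main__":
    print(demo())
```

The trade-off the question asks about is visible in the numbers: sized for 10,000 revoked jtis at a 1% false-positive rate the filter is about 12 KB, small enough to replicate into every service instance, while a false positive costs only one extra authoritative lookup and never admits a revoked token. Short `exp` values keep the blacklist small because entries can be pruned at expiry; the version claim handles the "log out everywhere" case in O(1) per user without touching the blacklist at all.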
Hard | Technical | 81 practiced
Design an automated performance experiment harness that simulates production authorization load for capacity planning and regression detection. The harness should generate realistic request patterns, synthetic users and permission changes, simulate policy churn, measure end-to-end authorization latencies, and provide results feeding autoscaling and SLO decisions. Explain data generation, orchestration, and result analysis.
Medium | Technical | 64 practiced
You must implement multi-tenant RBAC where each tenant has its own roles and tenant-specific admins, while platform staff have global admin roles. Design the permission model and database layout that supports tenant isolation, role inheritance, and cross-tenant support for platform operators. Explain how to enforce checks at runtime and how to migrate existing single-tenant roles.
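
A worked example for this question, added here and not part of InterviewStack.io's answer bank. It implements the permission model in memory: every role row carries a `tenant_id` (NULL, written `PLATFORM` below, for platform staff roles), inheritance is only allowed between roles of the same scope, assignments inherit their scope from the role, and the runtime check only considers roles scoped to the requested tenant or to the platform. The assumed relational layout behind it is `roles(role_id, tenant_id, name)`, `role_parents(role_id, parent_role_id)`, `role_permissions(role_id, permission)` and `assignments(principal, role_id)`. Tenant names, role names, permissions and the `Authorizer` class are made up for the demo; `migrate_single_tenant` shows one way to import a legacy single-tenant role table.

```python
from __future__ import annotations

from dataclasses import dataclass, field

PLATFORM = None             # tenant_id of roles held by platform staff (global scope)


@dataclass
class Role:
    role_id: str
    tenant_id: str | None                               # None = platform-wide role
    permissions: set[str] = field(default_factory=set)
    parents: set[str] = field(default_factory=set)     # inherited; must share tenant_id


class Authorizer:
    """In-memory stand-in for the roles / role_parents / role_permissions /
    assignments tables named in the lead-in (hypothetical layout)."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.assignments: dict[str, set[str]] = {}      # principal -> role_ids

    def define_role(self, role_id: str, tenant_id: str | None,
                    permissions=(), parents=()) -> Role:
        # Inheritance never crosses a scope boundary, so expanding parents at
        # check time cannot leak permissions between tenants or from the platform.
        for parent_id in parents:
            if self.roles[parent_id].tenant_id != tenant_id:
                raise ValueError(f"{role_id} may not inherit {parent_id}: different scope")
        self.roles[role_id] = Role(role_id, tenant_id, set(permissions), set(parents))
        return self.roles[role_id]

    def assign(self, principal: str, role_id: str, acting_scope: str | None) -> None:
        """A tenant admin acts inside one tenant and may only grant that tenant's
        roles; platform roles are granted from the PLATFORM scope."""
        if self.roles[role_id].tenant_id != acting_scope:
            raise PermissionError(f"{role_id} is not assignable from scope {acting_scope!r}")
        self.assignments.setdefault(principal, set()).add(role_id)

    def effective_permissions(self, principal: str, tenant_id: str) -> set[str]:
        """Only roles scoped to this tenant or to the platform count; roles of
        other tenants are ignored even if the principal holds them."""
        perms: set[str] = set()
        seen: set[str] = set()
        stack = [r for r in self.assignments.get(principal, set())
                 if self.roles[r].tenant_id in (tenant_id, PLATFORM)]
        while stack:
            role = self.roles[stack.pop()]
            if role.role_id in seen:
                continue
            seen.add(role.role_id)
            perms |= role.permissions
            stack.extend(role.parents)
        return perms

    def is_allowed(self, principal: str, tenant_id: str, permission: str) -> bool:
        return permission in self.effective_permissions(principal, tenant_id)

    def migrate_single_tenant(self, legacy: dict[str, tuple[set, set]], tenant_id: str) -> None:
        """Import a pre-multi-tenant role table (name -> (permissions, parent names))
        by namespacing every role under one tenant, defining parents first."""
        pending = dict(legacy)
        while pending:
            progressed = False
            for name in list(pending):
                perms, parents = pending[name]
                if all(f"{tenant_id}:{p}" in self.roles for p in parents):
                    self.define_role(f"{tenant_id}:{name}", tenant_id, perms,
                                     {f"{tenant_id}:{p}" for p in parents})
                    del pending[name]
                    progressed = True
            if not progressed:
                raise ValueError(f"unresolvable parents in legacy roles: {sorted(pending)}")


def demo() -> dict:
    """Constructed tenants, roles and principals for the walkthrough."""
    az = Authorizer()
    az.migrate_single_tenant({"viewer": ({"doc:read"}, set()),
                              "editor": ({"doc:write"}, {"viewer"}),
                              "admin": ({"role:assign"}, {"editor"})}, "acme")
    az.define_role("globex:viewer", "globex", {"doc:read"})
    az.define_role("platform:support", PLATFORM, {"doc:read"})
    az.define_role("platform:admin", PLATFORM, {"tenant:manage"}, {"platform:support"})
    az.assign("alice", "acme:editor", "acme")
    az.assign("bob", "globex:viewer", "globex")
    az.assign("carol", "platform:support", PLATFORM)
    az.assign("dave", "platform:admin", PLATFORM)
    try:
        az.assign("bob", "acme:admin", "globex")        # globex admin grabbing an acme role
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "alice_reads_acme": az.is_allowed("alice", "acme", "doc:read"),       # inherited
        "alice_reads_globex": az.is_allowed("alice", "globex", "doc:read"),   # isolated
        "bob_reads_acme": az.is_allowed("bob", "acme", "doc:read"),
        "carol_reads_both": az.is_allowed("carol", "acme", "doc:read")
        and az.is_allowed("carol", "globex", "doc:read"),
        "carol_manages_tenants": az.is_allowed("carol", "acme", "tenant:manage"),
        "dave_reads_acme": az.is_allowed("dave", "acme", "doc:read"),          # via support
        "cross_tenant_assign_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth stating in an interview answer follow from the code: isolation is enforced by data shape (scope on the role row, checked at definition and assignment time) rather than by every caller remembering a tenant filter, and platform operators get cross-tenant reach through a separate global scope rather than by being copied into each tenant's role table, which keeps their access auditable in one place.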
Easy | Technical | 68 practiced
In a high-traffic web application, compare cookie-based server-side sessions and stateless JWT-based authentication. Discuss pros and cons in terms of scalability, revocation, cross-service authentication, storage requirements, and developer complexity. Provide scenarios where each approach is preferable.
