Design, implementation, and operation of identity and authorization systems that control who can access which resources and actions across products and services. Areas include customer identity management and identity lifecycle; authentication and token management using JSON Web Tokens and OAuth flows; session and token refresh and revocation strategies; API key lifecycle and rotation; role-based access control and attribute-based access control models; policy evaluation engines and permissions data modeling; placement of enforcement points across gateway, service, and data layers; caching of authorization decisions and cache invalidation strategies; preventing privilege escalation and secure default permissions; threat modeling and secure storage of secrets; logging and auditing for compliance; rate limiting tied to identity; testing strategies for authorization; and operational practices such as monitoring, alerting, capacity planning, graceful degradation, incident response, and recovery for authorization services. Candidates without direct IAM experience should explain how core backend system skills translate to this domain.
Easy | Technical | 69 practiced
In a single-page application (SPA) that talks to a JSON API backend, discuss the trade-offs between storing JWTs in localStorage, sessionStorage, or httpOnly secure cookies. For each option mention security risks (XSS, CSRF), developer ergonomics, and recommended mitigations. State a recommended approach for modern SPAs and why.
Hard | Technical | 126 practiced
You must provide near-instant revocation for millions of active JWTs without checking a central DB for every request. Propose a revocation architecture that minimizes runtime impact yet ensures compromised tokens are rejected quickly. Discuss token design (jti, iat, versions), data structures (blacklists, bloom filters), memory costs, false-positive/negative trade-offs, and operational complexity.
Medium | System Design | 60 practiced
Design an OAuth/OpenID Connect based single sign-on (SSO) solution for a suite of web applications and backend APIs: define components (identity provider, authorization server, user store), describe token flows for SPAs and server-side apps, session handling across multiple apps, logout across sessions, refresh token usage, and security controls for both internal and third-party clients.
Easy | Technical | 84 practiced
Design a relational database schema that supports role-based access control with role hierarchies and assignable permissions. Provide table names and key fields (for example users, roles, permissions, role_permissions, user_roles, role_inheritance) and explain how you would query effective permissions for a user while minimizing runtime joins.
Hard | System Design | 77 practiced
Evaluate enforcement placement options for authorization decisions: API gateway, sidecar, in-service, and database-level enforcement. For each option analyze trade-offs in latency, available context for decisions, security surface, operational complexity, and scalability. Propose a hybrid architecture and describe fallback behavior for partial failures of enforcement components.