Question 1

Why are access tokens short-lived while refresh tokens are long-lived?

Accepted Answer

Access tokens are used on every API request -- they travel over the network frequently and can be intercepted or stolen. If an access token is stolen: the attacker can impersonate the user. Short lifetime (15 minutes) limits the damage window -- the stolen token becomes useless in 15 minutes without the refresh token. Refresh tokens are used less frequently (only to get a new access token) and are stored more securely (HttpOnly cookie). If a refresh token is stolen: the attacker can get new access tokens until the refresh token is revoked. This is why revoking refresh tokens (on logout, on suspicious activity, on password change) immediately terminates all active sessions. The combination provides a good security/usability balance: users are not frequently re-authenticated (long refresh token), but exposure from any single stolen access token is limited (short access token lifetime). Alternative: stateful sessions (server stores session state) -- easier to revoke, but requires a database lookup on every request. JWT access tokens require no server-side lookup -- better for high-throughput APIs.

Question 2

What is PKCE and why is it required for public OAuth clients?

Accepted Answer

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks in OAuth. The problem: in native apps (mobile, desktop), the redirect URI cannot be a secret (the app binary is publicly inspectable). An attacker app could register the same redirect URI and intercept the authorization code. PKCE solution: before the OAuth flow, the client generates a random code_verifier (43-128 chars). It computes code_challenge = base64url(SHA256(code_verifier)). The auth request includes code_challenge. The token exchange includes the original code_verifier. The authorization server verifies SHA256(code_verifier) == stored code_challenge. An intercepted authorization code is useless without the code_verifier (which was never sent to the redirect URI -- only the challenge was). PKCE is now required for all public OAuth clients (RFC 9700, OAuth 2.1) and recommended for confidential clients too. In the SPA (single-page app) context: PKCE prevents auth code interception by injected browser extensions or other tabs.

Question 3

How do you implement SSO (Single Sign-On) across multiple applications?

Accepted Answer

SSO allows a user to log in once and access multiple applications without re-authenticating. Protocols: SAML 2.0 (enterprise, XML-based), OpenID Connect / OAuth 2.0 (modern, JSON/JWT). OIDC SSO flow: (1) User tries to access App A. App A redirects to the Identity Provider (IdP). (2) User authenticates with the IdP (if not already logged in). IdP issues an authorization code and redirects to App A. (3) App A exchanges the code for an ID token and access token. (4) User navigates to App B. App B redirects to the IdP. IdP checks the existing session (SSO session cookie). Without requiring re-authentication: IdP immediately issues tokens for App B. SSO session: the IdP maintains an SSO session (server-side, not just a JWT). The SSO session has a separate lifetime (8 hours for a workday). Applications have their own shorter session lifetimes. Session logout: single logout (SLO) propagates logout to all applications the user accessed via SSO. Complex to implement -- most systems just expire all active tokens.

Question 4

How do you prevent credential stuffing attacks?

Accepted Answer

Credential stuffing: attackers use leaked username/password databases (from other breaches) to try logging in. Because many users reuse passwords across sites, this succeeds at scale. Defenses: (1) Rate limiting: limit failed login attempts per IP (max 5 per minute), per account (max 10 per hour). Exponential backoff for repeated failures. (2) CAPTCHA: trigger after 3 failed attempts from the same IP or account. (3) IP reputation: block known malicious IPs (threat intelligence feeds). Use a WAF or service like Cloudflare Bot Management. (4) Device fingerprinting: new device for an account = send email verification before access. (5) Compromised password detection: check submitted passwords against HaveIBeenPwned's k-anonymity API (send SHA1 hash prefix, not full hash). If the password appears in breach databases: require the user to change it. (6) Anomaly detection: ML model flags login attempts with unusual velocity, geographic anomalies, or behavioral patterns inconsistent with the account's history. Alert the user and require MFA.

Question 5

What is the difference between authentication and authorization?

Accepted Answer

Authentication (AuthN): verifying identity -- "who are you?" Requires presenting credentials (password, biometric, certificate) and having them verified against a stored secret. Outputs a verified identity claim (user_id, email). Examples: login with password, OAuth login with Google, mTLS certificate validation. Authentication says nothing about what the authenticated entity is allowed to do. Authorization (AuthZ): determining permissions -- "what are you allowed to do?" Takes an authenticated identity and checks it against a policy (RBAC roles, ACLs, ABAC policies) for a specific action on a specific resource. Examples: can user 123 delete post 456? Can service A call endpoint /admin/metrics? Authorization is checked on every protected operation, not just at login. Order: always authenticate before authorizing. Without authentication, you don't have a trustworthy identity to authorize. Common confusion in code: checking if a request has a valid JWT (authentication) is not the same as checking if the JWT's subject has permission to perform the requested action (authorization). Both checks are needed.

System Design: Identity and Access Management — Authentication, Authorization, and Token Lifecycle

Core Responsibilities

Authentication Flow (JWT + Refresh Tokens)

Authorization: RBAC and ABAC

Multi-Factor Authentication

Token Storage and Security