System Design Problem

Design an Authentication and Authorization System (OAuth 2.0/SSO)

Commonly Asked By: Okta, Microsoft, Google, Auth0

  • User registration/login: Email + password, social login (Google, GitHub, Apple)
  • OAuth 2.0 provider: Issue access/refresh tokens; support the authorization code grant (with PKCE, which is an extension of that grant rather than a separate flow) and the client credentials grant
  • Single Sign-On (SSO): Login once, access multiple applications (SAML 2.0 and OIDC)
  • Multi-Factor Authentication (MFA): TOTP, SMS OTP, WebAuthn/passkeys
  • Role-Based Access Control (RBAC): Users have roles; roles have permissions
  • API key management: Issue, rotate, revoke API keys for machine-to-machine auth
  • Session management: Active session list, revoke sessions, device tracking
  • Password policies: Minimum strength, breach detection, forced rotation on evidence of compromise (NIST SP 800-63B advises against periodic expiry for its own sake)
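The OAuth 2.0 and RBAC requirements above come down to a handful of checks at the authorization and token endpoints: the redirect URI must be pre-registered, the authorization code must be single-use and bound to the client, redirect URI and PKCE challenge that requested it, refresh tokens must rotate with reuse detection, and the permissions placed in a token must never exceed what the user's roles allow. The following is an added example, not code from the original page or from any of the vendors listed; the `AuthServer` class, the `ROLE_PERMISSIONS` table and the client/user records are hypothetical, and the in-memory dicts stand in for the token store a real deployment would back with a database and signed tokens.

```python
"""Minimal in-memory OAuth 2.0 authorization server (hypothetical example):
authorization-code grant with PKCE S256, single-use codes, refresh-token
rotation with reuse detection, and RBAC permissions baked into the token."""
import base64
import hashlib
import hmac
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a 43-character random verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


# Constructed RBAC table: each role maps to a set of permission strings.
ROLE_PERMISSIONS = {
    "viewer": {"doc:read"},
    "editor": {"doc:read", "doc:write"},
    "admin": {"doc:read", "doc:write", "user:manage"},
}


class AuthServer:
    """Hypothetical authorization server; dicts replace the real token store."""

    def __init__(self) -> None:
        self.clients: dict[str, set[str]] = {}   # client_id -> registered redirect URIs
        self.users: dict[str, set[str]] = {}     # user_id -> roles
        self.codes: dict[str, dict] = {}         # authorization codes, each redeemable once
        self.access: dict[str, dict] = {}        # access_token -> claims
        self.refresh: dict[str, dict] = {}       # refresh_token -> {family, used, ...}
        self.revoked_families: set[str] = set()  # families killed by reuse detection

    def authorize(self, client_id, redirect_uri, code_challenge, method, user_id, scope):
        """Authorization endpoint, reached only after login (and MFA) succeeded."""
        if redirect_uri not in self.clients.get(client_id, set()):
            raise PermissionError("unregistered redirect_uri")      # never redirect there
        if method != "S256":
            raise PermissionError("only S256 PKCE is accepted")      # 'plain' exposes the verifier
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "user_id": user_id,
                            "scope": set(scope), "exp": time.time() + 60}
        return code

    def token_from_code(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint, authorization_code grant. Any failure consumes the code."""
        rec = self.codes.pop(code, None)          # pop: a code can be redeemed exactly once
        if rec is None:
            raise PermissionError("invalid or replayed code")
        if (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri) \
                or time.time() > rec["exp"]:
            raise PermissionError("code not bound to this client/redirect_uri, or expired")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, rec["challenge"]):
            raise PermissionError("PKCE verification failed")
        return self._issue(rec["user_id"], client_id, rec["scope"], secrets.token_hex(8))

    def token_from_refresh(self, client_id, refresh_token):
        """refresh_token grant with rotation; replaying a spent token revokes its family."""
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self.revoked_families:
            raise PermissionError("token family revoked")
        if rec["used"]:
            # A second use means attacker and victim both hold it: kill every token descended from it.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["used"] = True
        return self._issue(rec["user_id"], client_id, rec["scope"], rec["family"])

    def _issue(self, user_id, client_id, scope, family):
        user_perms = set().union(*(ROLE_PERMISSIONS[r] for r in self.users[user_id]))
        granted = scope & user_perms              # requested scope capped by the user's roles
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"sub": user_id, "client_id": client_id, "permissions": granted,
                               "family": family, "exp": time.time() + 900}
        self.refresh[refresh] = {"user_id": user_id, "client_id": client_id, "scope": scope,
                                 "family": family, "used": False}
        return {"access_token": access, "refresh_token": refresh, "permissions": sorted(granted)}

    def introspect(self, access_token):
        """Resource-server check: returns the claims if the token is live, else None."""
        claims = self.access.get(access_token)
        if claims is None or claims["family"] in self.revoked_families \
                or time.time() > claims["exp"]:
            return None
        return claims
```

Two design points worth noticing: `token_from_code` pops the code before any check runs, so a wrong verifier burns the code instead of leaving it open for a second guess, and refresh-token reuse revokes the whole family, including the tokens just handed to the legitimate client, which is the intended trade-off because the server cannot tell which of the two holders is the attacker.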