Code Room
System design (Medium)
Question
Design an OAuth 2.0 / OIDC authorization server that lets thousands of third-party apps (web, mobile, SPA, server-to-server) request scoped access to your users' data. Requirements: users grant granular consent and can revoke an app's access anytime; tokens are scoped and short-lived; and you must safely support public clients (mobile/SPA) that can't keep a secret. Walk through the flows you'd support and why, how scopes and consent are stored and enforced, and how revocation works when a user removes an app.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
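To make the hard parts of this question concrete, here is a compact model of the authorization-server core that a strong answer would describe: PKCE (RFC 7636, S256) for public clients, consent stored per (user, client) as a set of scopes, authorization codes that are single-use and bound to client and redirect URI, short-lived opaque access tokens, RFC 7662-style introspection that treats a token as inactive once the underlying grant is gone, and user revocation of an app. This is an added example written for this page, not code from Code Room or from any real authorization server; the class name, storage layout, scope names, and lifetimes are assumptions, and the in-memory dicts stand in for the database or cache a production server would use.

```python
"""Toy OAuth 2.0 authorization-server core (added example, not a real server).
Storage is in-memory dicts; lifetimes, scope names and the API are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time

ACCESS_TOKEN_TTL = 600   # assumed: access tokens live 10 minutes
CODE_TTL = 60            # assumed: authorization codes live 1 minute, single use
KNOWN_SCOPES = {"openid", "profile", "email", "contacts:read"}  # assumed catalogue


def _now(now):
    return time.time() if now is None else now


def pkce_challenge(verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(ASCII(verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    def __init__(self):
        self.clients = {}  # client_id -> {"redirect_uris", "public", "secret"}
        self.grants = {}   # (user, client_id) -> set of consented scopes
        self.codes = {}    # code -> pending authorization (bound to client/redirect)
        self.tokens = {}   # opaque token -> {"user", "client_id", "scope", "exp"}

    def register_client(self, client_id, redirect_uris, public, secret=None):
        if not public and secret is None:
            raise ValueError("confidential clients need a secret")
        self.clients[client_id] = {"redirect_uris": set(redirect_uris),
                                   "public": public, "secret": secret}

    def authorize(self, user, client_id, redirect_uri, scope, code_challenge=None, now=None):
        """Called after the user approves the consent screen; returns an auth code."""
        now = _now(now)
        client = self.clients[client_id]
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        if client["public"] and code_challenge is None:
            raise ValueError("public clients must use PKCE")
        if not scope <= KNOWN_SCOPES:
            raise ValueError("unknown scope requested")
        # Consent is recorded per (user, client); re-authorizing can only widen it.
        self.grants.setdefault((user, client_id), set()).update(scope)
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"user": user, "client_id": client_id,
                            "redirect_uri": redirect_uri, "scope": set(scope),
                            "challenge": code_challenge, "exp": now + CODE_TTL}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier=None,
              client_secret=None, now=None):
        """Authorization-code exchange; returns a short-lived opaque access token."""
        now = _now(now)
        client = self.clients[client_id]
        if not client["public"]:
            if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
                raise PermissionError("client authentication failed")
        pending = self.codes.pop(code, None)  # single use: consumed even on failure
        if pending is None or pending["exp"] < now:
            raise PermissionError("invalid or expired code")
        if pending["client_id"] != client_id or pending["redirect_uri"] != redirect_uri:
            raise PermissionError("code is bound to a different client or redirect_uri")
        if pending["challenge"] is not None:
            if code_verifier is None or not hmac.compare_digest(
                    pkce_challenge(code_verifier), pending["challenge"]):
                raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": pending["user"], "client_id": client_id,
                              "scope": pending["scope"], "exp": now + ACCESS_TOKEN_TTL}
        return token

    def introspect(self, token, now=None):
        """Active only if unexpired AND the (user, client) grant still covers it."""
        now = _now(now)
        t = self.tokens.get(token)
        if t is None or t["exp"] < now:
            return {"active": False}
        granted = self.grants.get((t["user"], t["client_id"]), set())
        effective = t["scope"] & granted      # narrowed consent narrows the token
        if not effective:
            return {"active": False}
        return {"active": True, "sub": t["user"], "client_id": t["client_id"],
                "scope": " ".join(sorted(effective))}

    def has_scope(self, token, scope, now=None) -> bool:
        """What a resource server asks before serving a request."""
        info = self.introspect(token, now)
        return info["active"] and scope in info["scope"].split()

    def revoke_app(self, user, client_id):
        """User removes an app: drop consent plus every code and token under it."""
        self.grants.pop((user, client_id), None)
        mine = lambda v: v["user"] == user and v["client_id"] == client_id
        self.tokens = {k: v for k, v in self.tokens.items() if not mine(v)}
        self.codes = {k: v for k, v in self.codes.items() if not mine(v)}
```

Two design points worth naming in an answer: tokens are opaque and validated by introspection here precisely so that deleting the grant row revokes every outstanding token at once (with self-contained JWTs you would instead keep lifetimes short and maintain a revocation list or grant-version check at the resource server), and the authorization code is popped before any check so a failed exchange cannot be retried against the same code.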