Code Room
Category: System design
Difficulty: Medium
ID: sd-g228
Subject: OAuth / OIDC
Level: Mid–Senior
Duration: ~40 min
Common in: Security interviews
Industries: Technology, Software development

Question

Design an OAuth 2.0 / OIDC authorization server that lets thousands of third-party apps (web, mobile, SPA, server-to-server) request scoped access to your users' data. Requirements: users grant granular consent and can revoke an app's access anytime; tokens are scoped and short-lived; and you must safely support public clients (mobile/SPA) that can't keep a secret. Walk through the flows you'd support and why, how scopes and consent are stored and enforced, and how revocation works when a user removes an app.
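The question asks for flows that are safe for public clients, scoped short-lived tokens, and consent that can be revoked. The following is an added illustration, not part of the original question or answer key: an in-memory model of an authorization server that uses the authorization code flow with PKCE (RFC 7636, S256) for a public client, stores consent per (user, client) as a set of scopes, enforces requested scopes as a subset of granted ones, issues short-lived access tokens bound to that consent, and makes revocation immediate by re-checking the consent record on every introspection. Client IDs, redirect URIs, scope names and the `AuthServer` API are all constructed for the example.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass

ACCESS_TOKEN_TTL = 600   # seconds; tokens are deliberately short-lived
AUTH_CODE_TTL = 60       # authorization codes are single-use and expire fast


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class AuthCode:
    client_id: str; user: str; scopes: frozenset; challenge: str; redirect_uri: str
    expires_at: float; used: bool = False


@dataclass
class AccessToken:
    user: str; client_id: str; scopes: frozenset; expires_at: float


class AuthServer:
    """Hypothetical in-memory authorization server (example only, not a real library)."""

    def __init__(self, now=time.time):
        self.now = now
        self.clients = {}    # client_id -> registered redirect URIs; public clients hold no secret
        self.consents = {}   # (user, client_id) -> frozenset of scopes the user approved
        self.codes = {}      # code -> AuthCode
        self.tokens = {}     # token -> AccessToken

    def register_public_client(self, client_id, redirect_uris):
        self.clients[client_id] = frozenset(redirect_uris)

    def grant_consent(self, user, client_id, scopes):
        """Persist the granular decision made on the consent screen."""
        self.consents[(user, client_id)] = frozenset(scopes)

    def authorize(self, user, client_id, redirect_uri, scopes, code_challenge):
        if redirect_uri not in self.clients.get(client_id, ()):
            raise ValueError("unregistered redirect_uri")
        if not frozenset(scopes) <= self.consents.get((user, client_id), frozenset()):
            raise PermissionError("consent_required")   # never issue more than was approved
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, user, frozenset(scopes), code_challenge,
                                    redirect_uri, self.now() + AUTH_CODE_TTL)
        return code

    def token(self, client_id, code, code_verifier, redirect_uri):
        ac = self.codes.get(code)
        if ac is None or ac.used or ac.expires_at < self.now():
            raise PermissionError("invalid_grant")
        ac.used = True   # burn the code even if the checks below fail
        if ac.client_id != client_id or ac.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant")
        if not secrets.compare_digest(s256_challenge(code_verifier), ac.challenge):
            raise PermissionError("invalid_grant")      # proof of possession for public clients
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = AccessToken(ac.user, client_id, ac.scopes, self.now() + ACCESS_TOKEN_TTL)
        return tok

    def introspect(self, tok):
        t = self.tokens.get(tok)
        if t is None or t.expires_at < self.now():
            return {"active": False}
        if (t.user, t.client_id) not in self.consents:   # revoked consent kills live tokens
            return {"active": False}
        return {"active": True, "sub": t.user, "client_id": t.client_id, "scope": sorted(t.scopes)}

    def revoke_app(self, user, client_id):
        """User removes an app: drop the consent record and every token issued under it."""
        self.consents.pop((user, client_id), None)
        self.tokens = {k: v for k, v in self.tokens.items()
                       if not (v.user == user and v.client_id == client_id)}


def has_scope(server, tok, required):
    """What a resource server does per request: introspect, then enforce the scope."""
    info = server.introspect(tok)
    return info["active"] and required in info["scope"]


def demo():
    """Constructed walk-through: consent, PKCE exchange, scope enforcement, revocation, expiry."""
    clock = [1_000_000.0]                        # injectable clock so expiry is observable
    srv = AuthServer(now=lambda: clock[0])
    cb = "com.example.app:/callback"             # constructed redirect URI for a mobile client
    srv.register_public_client("mobile-app", [cb])
    srv.grant_consent("alice", "mobile-app", ["photos:read"])
    verifier = secrets.token_urlsafe(48)
    out = {}
    code = srv.authorize("alice", "mobile-app", cb, ["photos:read"], s256_challenge(verifier))
    try:                                         # attacker-style wrong verifier: code is burned
        srv.token("mobile-app", code, secrets.token_urlsafe(48), cb)
        out["wrong_verifier_rejected"] = False
    except PermissionError:
        out["wrong_verifier_rejected"] = True
    code = srv.authorize("alice", "mobile-app", cb, ["photos:read"], s256_challenge(verifier))
    tok = srv.token("mobile-app", code, verifier, cb)
    out["read_allowed"] = has_scope(srv, tok, "photos:read")
    out["write_denied"] = not has_scope(srv, tok, "photos:write")
    clock[0] += ACCESS_TOKEN_TTL + 1
    out["expired"] = not has_scope(srv, tok, "photos:read")
    clock[0] -= ACCESS_TOKEN_TTL + 1
    srv.revoke_app("alice", "mobile-app")
    out["revoked_immediately"] = not has_scope(srv, tok, "photos:read")
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth calling out in an interview: revocation is enforced at introspection time by looking up the consent record, so an unexpired token stops working the moment the user removes the app, and the short TTL bounds how long a cached or self-contained token could outlive that check.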

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
