Prepare for security interviews with 35+ questions on OAuth 2.0, OIDC, JWT, and authentication best practices.
OAuth 2.0: authorization framework for delegated access. Flows: Authorization Code (web apps, most secure), PKCE (mobile/SPA, prevents code interception), Client Credentials (machine-to-machine), Implicit (deprecated, less secure). Roles: Resource Owner, Client, Authorization Server, Resource Server. OAuth provides authorization, not authentication (use OIDC for that).
PKCE (Proof Key for Code Exchange): extension to the Authorization Code flow for public clients (mobile, SPA) that cannot keep a client secret. Prevents authorization code interception attacks. Process: the client generates a random code_verifier, sends a code_challenge (a hash of the verifier) with the authorization request, then exchanges the authorization code together with the original verifier. The server validates by hashing the presented verifier and comparing it to the stored challenge. Required for mobile apps, recommended for all public clients.
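The PKCE exchange above, as an added example that is not part of the original page: it implements the S256 challenge method (SHA-256 of the verifier, base64url without padding) with a constructed stand-in for the authorization server, and shows why a stolen code is useless without the verifier and why a code must be single-use.

```python
import base64
import hashlib
import secrets


def b64url_nopad(raw: bytes) -> str:
    """Base64url-encode without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))

def make_code_challenge(code_verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


class AuthorizationServer:
    """Constructed stand-in for the server side; not a real implementation."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge bound to it

    def authorize(self, code_challenge: str) -> str:
        # The challenge arrives with the authorization request and is bound
        # to the one-time authorization code the server issues.
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Pop the code so a replay fails even with the correct verifier.
        expected = self._pending.pop(code, None)
        if expected is None:
            return False
        # Re-hash the presented verifier and compare in constant time.
        return secrets.compare_digest(make_code_challenge(code_verifier), expected)


def pkce_flow(intercepted: bool = False) -> bool:
    """Run the flow; with intercepted=True, a party holding only the stolen
    authorization code tries to redeem it with a verifier of its own."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    presented = make_code_verifier() if intercepted else verifier
    return server.token(code, presented)
```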
OAuth 2.0: authorization (what can you access). OpenID Connect (OIDC): authentication layer on OAuth (who are you). OIDC adds: ID token (JWT with user info), UserInfo endpoint, standardized scopes (openid, profile, email). Use OIDC for login/SSO. OIDC providers: Google, Microsoft, Okta. OAuth alone doesn't verify user identity.
JWT: Header (algorithm, type), Payload (claims), Signature. Base64URL encoded, dot-separated. Security: use strong algorithms (RS256 over HS256 for distributed systems), validate the signature, check expiration (exp), verify issuer (iss) and audience (aud), don't store sensitive data in the payload (it is only encoded, not encrypted, so anyone holding the token can read it). Use short expiration with refresh tokens.
Best practices: (1) Use Secure, HttpOnly, SameSite cookies for session IDs, (2) Regenerate the session ID on any auth state change, (3) Set appropriate expiration, (4) Implement idle timeout, (5) Secure logout (invalidate server-side), (6) Use HTTPS only, (7) Consider token-based auth for APIs (JWT), sessions for web. Store sessions server-side (Redis) for scalability.