OAuth2 / SSO Identity Provider

Interview-Ready Approach

1) Clarify Scope and SLOs

• •Problem statement: Design an OAuth2 identity provider with SSO, MFA, social login, session management, and RBAC for 1 M users.
• •Design for a peak load target around 100 RPS (including burst headroom).
• •Total users: ~1,000,000
• •Connected applications: ~200
• •Peak logins/hour: ~50,000
• •Token issuance latency: < 200 ms
• •Token validation latency: < 10 ms (stateless JWT)

2) Capacity Planning Method

• •Convert traffic and growth constraints into request rate, storage growth, and concurrency budgets.
• •Keep at least 2-3x safety margin per tier (ingress, compute, storage, async workers).
• •Reserve explicit latency budgets per hop so p95 can be defended in review.

3) Architecture Decisions

• •Auth: Centralize identity verification and keep authorization checks close to domain resources.
• •Databases: Define a clear system-of-record and design read/write paths separately before adding optimizations.
• •API Design: Standardize API boundaries, idempotency keys, pagination, and error contracts first.
• •Caching: Put cache on hot read paths first and pick cache-aside or write-through explicitly.

4) Reliability and Failure Strategy

• •Use short-lived tokens and secure key rotation workflows.
• •Use strong write constraints (transactions or conditional writes) and explicit backup/restore strategy.
• •Apply strict input validation and backward-compatible versioning.
• •Bound staleness with TTL + invalidation hooks for critical entities.

5) Validation Plan

• •Run one peak-load test, one dependency-degradation test, and one failover test.
• •Verify idempotency for all retried writes and async consumers.
• •Track user-facing SLOs first: p95 latency, error rate, and successful throughput.

6) Trade-offs to Call Out in Interviews

• •Auth: Central auth simplifies policy, but makes auth service availability/security critical.
• •Databases: SQL gives stronger transactional guarantees; NoSQL often gives better write scaling and flexibility.
• •API Design: Rich APIs improve developer speed but can create long-term compatibility burden.
• •Caching: Higher hit rate cuts latency/cost, but stale data and invalidation bugs become primary risks.

Practical Notes

• •JWTs are stateless - verification requires no database call (just public key validation). But revocation needs a blocklist (short-lived tokens + refresh tokens reduce this need).
• •Store refresh tokens in the database with a family chain. On reuse detection (token rotation), invalidate the entire family (detect token theft).
• •MFA TOTP: the shared secret is stored server-side (encrypted at rest). Verify the 6-digit code against the current time window ±1.