All Challenges
MediumIntermediate

OAuth2 / SSO Identity Provider

AuthDatabasesAPI DesignCaching
Solve in Design Lab →

Problem Statement

AuthVault is building a centralized identity provider (like Auth0 / Okta) that multiple applications use for authentication and authorization. Features:

- OAuth2 / OIDC - implement authorization code flow, client credentials flow, and PKCE. Issue JWTs with configurable claims and expiration.Single Sign-On (SSO) - users log in once and access all connected applications without re-authenticating. Support SAML 2.0 for enterprise integrations.Multi-Factor Authentication (MFA) - TOTP (authenticator app), SMS codes, and WebAuthn/passkeys as second factors.Social login - "Sign in with Google / GitHub / Apple" via OAuth2 federation.Session management - track active sessions across devices. Users can view and revoke individual sessions.Role-Based Access Control (RBAC) - define roles and permissions per application. Embed roles in JWT claims.Brute-force protection - lock accounts after 5 failed login attempts. CAPTCHA challenge after 3 failures.

Targeting 1 million users across 200 connected applications with 50,000 logins per hour at peak.

What You'll Learn

Design an OAuth2 identity provider with SSO, MFA, social login, session management, and RBAC for 1 M users. Build this architecture under realistic production constraints, then validate tradeoffs in the design lab simulation.

AuthDatabasesAPI DesignCaching

Constraints

Total users~1,000,000
Connected applications~200
Peak logins/hour~50,000
Token issuance latency< 200 ms
Token validation latency< 10 ms (stateless JWT)
MFA verification time< 1 second
Availability target99.99%
ApproachClick to expand

Interview-Ready Approach

1) Clarify Scope and SLOs

  • Problem statement: Design an OAuth2 identity provider with SSO, MFA, social login, session management, and RBAC for 1 M users.
  • Design for a peak load target around 100 RPS (including burst headroom).
  • Total users: ~1,000,000
  • Connected applications: ~200
  • Peak logins/hour: ~50,000
  • Token issuance latency: < 200 ms
  • Token validation latency: < 10 ms (stateless JWT)

2) Capacity Planning Method

  • Convert traffic and growth constraints into request rate, storage growth, and concurrency budgets.
  • Keep at least 2-3x safety margin per tier (ingress, compute, storage, async workers).
  • Reserve explicit latency budgets per hop so p95 can be defended in review.

3) Architecture Decisions

  • Auth: Centralize identity verification and keep authorization checks close to domain resources.
  • Databases: Define a clear system-of-record and design read/write paths separately before adding optimizations.
  • API Design: Standardize API boundaries, idempotency keys, pagination, and error contracts first.
  • Caching: Put cache on hot read paths first and pick cache-aside or write-through explicitly.

4) Reliability and Failure Strategy

  • Use short-lived tokens and secure key rotation workflows.
  • Use strong write constraints (transactions or conditional writes) and explicit backup/restore strategy.
  • Apply strict input validation and backward-compatible versioning.
  • Bound staleness with TTL + invalidation hooks for critical entities.

5) Validation Plan

  • Run one peak-load test, one dependency-degradation test, and one failover test.
  • Verify idempotency for all retried writes and async consumers.
  • Track user-facing SLOs first: p95 latency, error rate, and successful throughput.

6) Trade-offs to Call Out in Interviews

  • Auth: Central auth simplifies policy, but makes auth service availability/security critical.
  • Databases: SQL gives stronger transactional guarantees; NoSQL often gives better write scaling and flexibility.
  • API Design: Rich APIs improve developer speed but can create long-term compatibility burden.
  • Caching: Higher hit rate cuts latency/cost, but stale data and invalidation bugs become primary risks.

Practical Notes

  • JWTs are stateless - verification requires no database call (just public key validation). But revocation needs a blocklist (short-lived tokens + refresh tokens reduce this need).
  • Store refresh tokens in the database with a family chain. On reuse detection (token rotation), invalidate the entire family (detect token theft).
  • MFA TOTP: the shared secret is stored server-side (encrypted at rest). Verify the 6-digit code against the current time window ±1.

Learn the Concept

Auth Topic HubDatabases Topic HubAPI Design Topic HubCaching Topic Hub

Related guided labs:

Your First SystemLoad Balancing & Horizontal ScalingDatabase Replication & Read Scaling

Practice Next

Reference SolutionClick to reveal

Why This Solution Works

Request path: The solution keeps ingress, service logic, and stateful dependencies separated so each layer can scale independently.

Reference flow: Web Clients -> Load Balancer -> API Gateway -> API Service -> Auth Service -> Primary SQL DB -> Redis Cache

Design strengths

  • Cache sits on the read path to absorb repeated queries and keep DB pressure stable.
  • Security controls are enforced at ingress to protect downstream capacity.

Interview defense

  • This design makes bottlenecks explicit (ingress, core compute, persistence, async workers).
  • It supports progressive scaling without re-architecting the core request path.
  • It keeps correctness-sensitive state changes in durable systems while offloading background work asynchronously.
Solve in Design Lab →