Security Basics: Authn vs Authz, OAuth2/OIDC, Secrets, Encryption
Definition
Authentication (authn) — Proving who you are (users, services). Authorization (authz) — Deciding what you may do after identity is known. Confusing them is a common interview mistake.
OAuth2 — Delegation framework: a resource owner grants a client limited access to resources via tokens, often without sharing passwords. It is not authentication by itself; know the grant types at a high level (authorization code, with PKCE for public clients such as mobile apps and SPAs).
OpenID Connect (OIDC) — Identity layer on OAuth2: ID Token (JWT) asserts who the user is; UserInfo endpoint; standard scopes and claims. "Login with Google" is typically OIDC.
Secrets management — Vault, cloud KMS/Secrets Manager, rotation, least privilege, no secrets in git. Short-lived credentials preferred over long-lived keys.
Encryption in transit — TLS between clients and services and mTLS inside the mesh/VPC boundaries where required.
Encryption at rest — Disk/volume encryption (cloud-managed keys), application-level encryption for field-level sensitivity (PII columns) with envelope encryption (data key encrypted by KMS master key).
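The envelope-encryption pattern above (a per-field data key, itself encrypted under a KMS master key), as an added example that is not part of the original page. It uses only the Go standard library; fakeKMS is a constructed stand-in for a cloud KMS wrap/unwrap API, and the context string (e.g. "users/42/ssn") is an assumed convention bound into the AES-GCM additional data so a ciphertext copied to another row or column fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// fakeKMS is a constructed stand-in for a cloud KMS: a real KMS never releases
// the master key, callers only get Encrypt/Decrypt (wrap/unwrap) on it.
type fakeKMS struct{ master []byte }

func newFakeKMS() (*fakeKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &fakeKMS{master: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM, prepending the random nonce. aad is
// authenticated but not encrypted, which binds the ciphertext to a context.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails on tampering or on a context mismatch.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapKey/UnwrapKey stand in for KMS Encrypt/Decrypt under the master key.
func (k *fakeKMS) WrapKey(dataKey []byte) ([]byte, error) {
	return sealGCM(k.master, dataKey, []byte("wrapped-data-key"))
}

func (k *fakeKMS) UnwrapKey(wrapped []byte) ([]byte, error) {
	return openGCM(k.master, wrapped, []byte("wrapped-data-key"))
}

// Envelope is stored with the row: field ciphertext plus the wrapped data key.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptField: fresh data key per field, encrypt locally, wrap the key through
// KMS, then zero the plaintext key. KMS sees 32 key bytes, never the PII.
func EncryptField(kms *fakeKMS, plaintext []byte, context string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dataKey, plaintext, []byte(context))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := kms.WrapKey(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	for i := range dataKey {
		dataKey[i] = 0 // best-effort zeroisation
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the data key via KMS and decrypts under the same context.
func DecryptField(kms *fakeKMS, env Envelope, context string) ([]byte, error) {
	dataKey, err := kms.UnwrapKey(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dataKey, env.Ciphertext, []byte(context))
}
```

Exercise it with `go test` or a small main that calls EncryptField then DecryptField with the same context. The design point: rotating the KMS master key only means re-wrapping the small data keys, not re-encrypting every row, and the plaintext data key exists in memory for one call only.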
Why it matters in interviews
Security is often out of scope until it is not. You should place OAuth2 vs OIDC, RBAC vs ABAC, secrets vs configs, and where keys live without derailing the whole design. Compliance-adjacent mention (audit logs, PII minimization) scores well.
Tradeoffs
- JWT at edge — Fast validation; revocation harder than opaque server-side sessions unless short TTL + refresh or denylist.
- Fine-grained authz — OPA/Cedar or custom policy engines add latency and complexity—worth it for enterprise tenants.
- Encrypt everything at rest — Baseline compliance; field-level encryption adds query limits (no free-text search on ciphertext without tricks).
Concrete examples
- B2C mobile app — OIDC login; access token calls API; RBAC roles in JWT claims or fetched from policy service for sensitive actions.
- Microservices — mTLS between services in mesh; SPIFFE identities; secrets from Vault with dynamic DB credentials.
- Healthcare SaaS — PHI fields encrypted at application layer; audit trail on read/write; break-glass access logged.
How to say it in 30 seconds
"I separate authn from authz. OIDC establishes identity; OAuth2 scopes delegate access. Secrets never live in repos—I use a manager and rotation. TLS everywhere on the wire; at-rest encryption is platform default plus field-level where regulation demands."
Common follow-up questions
- How do you revoke JWTs? Short TTL, refresh rotation, server-side blocklist for critical events, or session version in DB.
- OAuth2 authorization code flow — why PKCE? Public clients cannot hold client secrets; PKCE prevents authorization code interception.
- Difference between encryption and hashing passwords? Passwords are hashed with a slow KDF (Argon2/bcrypt); encryption is reversible with a key—wrong tool for passwords.
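The JWT revocation answer above (short TTL plus a session version stored server-side, from the tradeoffs list and the first follow-up question), as an added example that is not from the original page. It uses only the Go standard library. The "sv" claim is a custom claim assumed for this example, not a registered JWT claim, and SessionStore is a constructed in-memory stand-in for the DB row that would hold the version.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset used here. "sv" (session version) is a custom claim
// assumed for this example; it is not a registered JWT claim.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	SV  int    `json:"sv"`
}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

func sign(key []byte, signingInput string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// SessionStore holds one integer per user (in a real system a DB or cache row).
// Bumping it invalidates every token minted under the old version at once.
type SessionStore struct{ version map[string]int }

func NewSessionStore() *SessionStore { return &SessionStore{version: map[string]int{}} }

// Revoke is called on critical events: password change, logout-everywhere,
// suspected compromise. Tokens already issued keep failing until they expire anyway.
func (s *SessionStore) Revoke(sub string) { s.version[sub]++ }

// Mint issues an HS256 token; ttl should be short (minutes) so that the
// version check only has to hold for that window.
func Mint(key []byte, sub string, now time.Time, ttl time.Duration, store *SessionStore) (string, error) {
	h, _ := json.Marshal(header{Alg: "HS256", Typ: "JWT"})
	p, err := json.Marshal(Claims{Sub: sub, Exp: now.Add(ttl).Unix(), SV: store.version[sub]})
	if err != nil {
		return "", err
	}
	si := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return si + "." + sign(key, si), nil
}

// Verify checks the signature first, then algorithm, expiry and session version.
func Verify(key []byte, token string, now time.Time, store *SessionStore) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	si := parts[0] + "." + parts[1]
	// Constant-time comparison before any claim is trusted.
	if !hmac.Equal([]byte(parts[2]), []byte(sign(key, si))) {
		return c, errors.New("bad signature")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return c, err
	}
	if h.Alg != "HS256" { // never honour alg=none or a switched algorithm
		return c, errors.New("unexpected alg")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(pb, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	if c.SV != store.version[c.Sub] {
		return c, errors.New("session revoked")
	}
	return c, nil
}
```

The cost is one store read per request (keyed by subject, cacheable), which is what buys back revocation that a purely stateless JWT cannot offer; a per-token denylist keyed by `jti` is the alternative when only individual tokens, not a whole user session, must be killed.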
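The PKCE answer above (why a public client needs it, and what the authorization server checks), as an added example that is not part of the original page. Only the Go standard library is used; AuthServer, NewAuthServer and the placeholder access-token string are constructed for this example and not an actual OAuth2 server implementation. The challenge derivation follows RFC 7636 S256: BASE64URL(SHA256(code_verifier)) without padding.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a 43-character verifier: base64url of 32 random
// bytes, inside the 43..128 length range RFC 7636 requires.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 is what the client sends on the authorize request:
// BASE64URL(SHA256(verifier)) without padding.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthServer is a constructed minimal authorization server that remembers the
// challenge bound to each authorization code it issues.
type AuthServer struct {
	pending map[string]string // authorization code -> code_challenge
}

func NewAuthServer() *AuthServer { return &AuthServer{pending: map[string]string{}} }

// Authorize models the consent step: it issues an opaque code and records the
// challenge that arrived with the request.
func (a *AuthServer) Authorize(codeChallenge, method string) (string, error) {
	if method != "S256" {
		return "", errors.New("only S256 accepted") // "plain" offers no protection
	}
	code, err := NewCodeVerifier() // any opaque random string serves as a code
	if err != nil {
		return "", err
	}
	a.pending[code] = codeChallenge
	return code, nil
}

// Exchange models the token endpoint. Whoever redeems the code must present the
// original verifier, which never left the client, so an intercepted code alone
// cannot be redeemed and no client secret is needed.
func (a *AuthServer) Exchange(code, verifier string) (string, error) {
	challenge, ok := a.pending[code]
	if !ok {
		return "", errors.New("unknown or already-used code")
	}
	delete(a.pending, code) // single use, whether or not PKCE succeeds
	if len(verifier) < 43 || len(verifier) > 128 {
		return "", errors.New("code_verifier length out of range")
	}
	if subtle.ConstantTimeCompare([]byte(CodeChallengeS256(verifier)), []byte(challenge)) != 1 {
		return "", errors.New("PKCE verification failed")
	}
	return "access-token-" + code[:8], nil // constructed placeholder token
}

func main() {
	srv := NewAuthServer()
	verifier, _ := NewCodeVerifier()
	code, _ := srv.Authorize(CodeChallengeS256(verifier), "S256")
	tok, err := srv.Exchange(code, verifier)
	fmt.Println(tok, err)
}
```

Two server-side details matter as much as the hash: the code is consumed on the first redemption attempt even when verification fails, and `plain` is refused outright, since with that method the challenge is the verifier and the binding is lost.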
Cross-links (building blocks)
- API gateway, rate limiting, WAF, IAM, and tenant isolation implement security patterns—see System design curriculum overview.
See also: System design curriculum overview