What is the difference between JWE (JSON Web Encryption) and JWS (JSON Web Signature) and when would you use each?

TheHeisenBug
Authentication & OAuth Interview Questions

  1. [JUNIOR] What is authentication and how does it differ from authorization?
  2. [JUNIOR] What is OAuth and what problem does it solve?
  3. [JUNIOR] What is a JSON Web Token (JWT) and what is its structure?
  4. [MID] How does the OAuth 2.0 Authorization Code grant flow work step by step?
  5. [MID] What is PKCE (Proof Key for Code Exchange) and how does it enhance OAuth 2.0 security?
  6. [JUNIOR] What are the main components (roles) of the OAuth 2.0 framework?
  7. [JUNIOR] What is the difference between access tokens and refresh tokens?
  8. [JUNIOR] What is session-based authentication and how does it work?
  9. [JUNIOR] What is token-based authentication and how does it differ from session-based authentication?
  10. [MID] How do refresh tokens work in OAuth 2.0 and what is their lifecycle?
  11. [MID] How does the state parameter prevent CSRF attacks in OAuth flows?
  12. [MID] How do you handle token expiration and renewal in an application?
  13. [MID] How do you store JWTs securely on the client side?
  14. [SENIOR] How would you implement OAuth 2.0 in a microservices architecture with secure token propagation?
  15. [SENIOR] How do you invalidate or revoke JWT tokens given that they are stateless?
  16. [SENIOR] What are the main security vulnerabilities in OAuth 2.0 and how can you mitigate them?
  17. [JUNIOR] What is the purpose of the client ID and client secret in OAuth?
  18. [JUNIOR] What is the purpose of the redirect URI in the OAuth flow?
  19. [JUNIOR] What are scopes in OAuth and why are they important?
  20. [JUNIOR] What is OpenID Connect (OIDC) and how does it relate to OAuth 2.0?
  21. [JUNIOR] What is single sign-on (SSO) and how does it benefit users?
  22. [MID] How does the Implicit grant flow work and why is it no longer recommended?
  23. [MID] How does the Client Credentials grant flow work and when is it appropriate to use it?
  24. [MID] How does JWT compare to session-based authentication in terms of security and scalability?
  25. [MID] What are JWT claims and what are the commonly used standard claims such as iss, sub, aud, and exp?
  26. [MID] What is the role of the ID Token in OpenID Connect and what information does it contain?
  27. [MID] How can you revoke an access token in OAuth 2.0?
  28. [SENIOR] How do you protect against token leakage and token theft in OAuth implementations?
  29. [SENIOR] How would you implement logout functionality in an OAuth 2.0 and OpenID Connect application?
  30. [SENIOR] How do you implement role-based access control (RBAC) using OAuth scopes and JWT claims?
  31. [SENIOR] How do you implement OAuth 2.0 with PKCE in single-page and mobile applications?
  32. [SENIOR] How would you design an OAuth solution that safeguards against cross-site request forgery (CSRF) attacks?
  33. [JUNIOR] What is multi-factor authentication (MFA) and why is it important?
  34. [JUNIOR] What are HTTP status codes 401 and 403 and how do they relate to authentication and authorization?
  35. [MID] What is the difference between symmetric and asymmetric signing algorithms in JWT?
  36. [MID] How does OAuth support single sign-on (SSO) across multiple applications?
  37. [SENIOR] How would you design an API gateway to manage OAuth and OIDC flows for access control?
  38. [SENIOR] How do you implement token introspection in OAuth 2.0 and when is it needed?
  39. [SENIOR] How would you implement JWT key rotation and what are the considerations?
  40. [SENIOR] What are the best practices for OAuth token expiration and refresh strategies in distributed systems?
  41. [EXPERT] What are the trade-offs between stateful and stateless authentication architectures at scale?
  42. [JUNIOR] What is the difference between OAuth 1.0 and OAuth 2.0?
  43. [MID] How does the Resource Owner Password Credentials flow work and when should it be used?
  44. [MID] How does OAuth differ from SAML as an authentication and authorization protocol?
  45. [MID] What is the difference between opaque tokens and JWTs?
  46. [MID] What is the UserInfo endpoint in OpenID Connect and how is it used?
  47. [SENIOR] What is the purpose of the kid (Key ID) header parameter in JWT key management?
  48. [SENIOR] What are Pushed Authorization Requests (PAR) and how do they improve OAuth security?
  49. [SENIOR] What is token exchange in OAuth 2.0 and when would you use it in a microservices architecture?
  50. [SENIOR] How do you handle JWT validation in load-balanced environments?
  51. [EXPERT] What is the difference between JWE (JSON Web Encryption) and JWS (JSON Web Signature) and when would you use each?
  52. [EXPERT] How would you implement a zero-trust authentication architecture using OAuth 2.0 and JWT?
  53. [EXPERT] How would you implement cross-origin single sign-out across multiple services in an OIDC system?
  54. [EXPERT] How do you implement OAuth and OIDC for federated identity across multiple identity providers?
  55. [EXPERT] How do you design a token revocation mechanism that scales in a distributed system?
  56. [MID] How does the OAuth bearer token differ from the MAC token?
  57. [EXPERT] How do you handle JWT clock skew and time synchronization issues in distributed systems?
  58. [EXPERT] What is the back-channel logout mechanism in OpenID Connect and how does it work?
  59. [EXPERT] What are the OIDC response types and how do they affect authentication flows including the Hybrid Flow?
  60. [EXPERT] How would you implement the OAuth 2.0 Device Authorization grant for input-constrained devices?
  61. [EXPERT] What is Dynamic Client Registration in OpenID Connect and when would you use it?
  62. [EXPERT] How would you prepare JWT implementations for post-quantum cryptographic algorithms?