Most Frequently asked OAuth 2 Interview Questions (2024)

In this post, OAuth interviews questions will be answered for Experienced and Freshers. We're trying to share our experience and learn how to help you make progress in your career.

Q: What is OAuth?
Ans:

OAuth (Open Authorization) is an open standard for token-based authentication and authorization. OAuth, allows third-party services, such as Facebook, to use account information from an end-user without exposing the user's password.

Q: What is OAuth 1.0?
Ans:

OAuth 1.0 addressed delegation with a framework based on digital signatures in December 2007. It was secure and it was strong. However, OAuth 1.0 required crypto-implementation and crypto-interoperability. Although safe, implementing this has been a challenge for many developers. Then arrived OAuth 2.0 in October 2012. NoteThis specification was obsoleted by OAuth Core 1.0 Revision A on June 24th, 2009 to address a session fixation attack.

Q: What is OAuth 2.0?
Ans:

OAuth 2.0 released in October 2012 to overcome the problem as specified above in OAuth 1.0. The OAuth 2.0 authorization framework allows a third-party application to gain limited access to an HTTP service, either on behalf of a resource owner by orchestration of an approval agreement between the resource owner and the HTTP service, or by requiring the third-party application to obtain access on its own behalf.

Q: What is difference between OAuth1.0 vs OAuth2.0?
Ans:

OAuth 2.0 is not backwards compatible with OAuth 1.0 or 1.1. OAuth1.0 vs OAuth2.0

Q: What is OAuth2 grant type?
Ans:

An grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token.
This specification defines four grant types:

1. Authorization Code
2. Implicit
3. Resource Owner Password Credentials
4. Client Credentials

Q: How to secure the generated token or secure sensitive data.

Normally, these credentials are stored in the config properties. Storing credentials the secure way is a challenge with limiting access and a true secure storage. Vault is the solution for storing sensitive data. It provide secure secret storage, data encryption, support for secret revocation.. Spring Cloud Vault is a configuration extension similar to Spring Cloud Config. Spring Cloud Config targets external configuration management backed by data stored in various repositories, such as GitHub, SVN or even Vault.

Refer Spring Cloud Vault for implementation.

Q: What is Resource Owner Password Credentials? How to implement Resource Owner Password Credentials?
Ans:

The Password grant type is a way to exchange a user's username and password for an access token. Since the client application has to collect the user's password and send it to the authorization server.

Password Grant Type Flow

The flow shown in above Figure includes the following steps:

1. The resource owner provides the client application with it's username and password.
2. The Client Application requests an access token from the Authorization Server by passing credentials received from the resource owner.
3. The Authorization Server authenticates the client by validating the resource owner credentials. Once Validation is successful and if request is valid, it sends an access token.
4. Client sends the received access token to Resource Server to access the resource end point.
5. Resource Server validates the access token by calling Authorization Server.
6. If the token is valid, resource server return the requested resource to Client.

Refer Password Grant Type Example for implementation.

Q: What is Client Credentials Grant Type? How to implement Client Credentials Grant Type?
Ans:

With the Client Credentials grant type, an app sends its own credentials (the Client ID and Client Secret) to Authorization Server to generate an access token. If the credentials are valid, Authorization Server will return an access token to the client app.
Client Credentials grant type flow occurs mainly between a client app and the authorization server. An end user does not participate or contribute in this grant type flow.

To understand client credentials grant, consider Trivago app, a hotel aggregator portal which will act as a client application. In order to access or get data from makemytrip.com, Trivago Server will authenticate itself by calling makemytrip's authorization server to get access token and then using this token access the makemytrip resource server to get the search result.

Client Credentials Grant Type Flow

The flow shown in above Figure includes the following steps:

1. The Client Application requests an access token from the Authorization Server by passing it's credentials.
2. The Authorization Server authenticates the client by validating the client_id and client_secret. Once Validation is successful and if request is valid, it sends an access token.
3. Client Application sends the received access token to Resource Server to access the resource end point.
4. Resource Server validates the access token by calling Authorization Server.
5. If the token is valid, resource server return the requested resource to Client Application.

Refer Client Credentials Grant Type Example for implementation.

Q: How to implement OAuth with Google Authorization?
Ans:

Refer OAuth2 - Google Authorization Server for implementation of external Authorization Server.

Q: What is client_id (client identifier) in OAuth?
Ans:

Once you sign in via Google, Stackoverflow is required to register on Google, the Google service must issue client credentials in the form of a client identifier and a client secret. The Client Id is a publicly exposed string that is used by the service API to identify the application, and is also used to build authorization URLs that are provided to users.

Refer OAuth2.0 Introduction for more information.

Q: What are the benefits of using OAuth default access token vs JWT as OAuth access token?
Ans:

Refer Advantage of JWT as OAuth Access Token Vs OAuth Default Token .

Q: What is callback URL?
Ans:

Token-based authentication allows users to validate their identity, and in return user receive a unique access token to access resource. Once the user is logs out from the app, the token is invalidated. It is considered to be secured way of authentication.

Q: What is Callback URL in OAuth0?
Ans:

Callback URLs are the URLs that Auth0 calls after the authentication process has completed. Auth0 returns to this URL and appends new parameters to it, including an authentication code that will be exchanged for an id token, access token, and refresh token.

Q: What is Redirect URI in OAuth2.0?
Ans:

Redirect URLs are an important element of the OAuth flow. When a user successfully authorizes an application, the authorization server redirects the user to the application with an authorization code or access token in the URL.

Q: What is OAuth and JWT?
Ans:

JWT is essentially a token format. JWT is a token that can be used as part of the OAuth authorization protocol. Server-side and client-side storage are used in OAuth. If you want to make a proper logout, you'll need to use OAuth2. Authentication with a JWT token does not allow you to logout.

Refer Implementation of OAuth2 with JWT Access Token Example.

Q: What is PKCS12?
Ans:

PKCS12 Public Key Cryptographic Standards is a password-protected format that can include many certificates and keys, it is a format mainly used in the industry.

Q: What is JKS?
Ans:

Java KeyStore is identical to PKCS12, it is a proprietary format limited to the Java environment.

Refer Example of generating Keystore and integrating with Spring Boot Application

Q: What is AbstractSecurityInterceptor in Spring Security?
Ans:

The AbstractSecurityInterceptor in Spring Security handles the initial authorization of an incoming request.

There are two concrete implementations of the AbstractSecurityInterceptor:

1. FilterSecurityInterceptor

   The Spring Security filter chain's default filter. All authenticated user requests will be authorised by the FilterSecurityInterceptor.

2. MethodSecurityInterceptor

   This is required for method level security to be implemented. It enables us to apply security to our programme at the method level.

What is Spring Boot Method-Level Security?

The @PreAuthorize annotation is used on controller methods to implement method-level security. This annotation comprises a snippet of Spring Expression Language (SpEL) that is evaluated to determine whether the request should be authenticated.

Refer implementation of Spring Boot Method Security with PreAuthorize Example

Q: What is difference of using @PreAuthorize and @Secured in Spring Security?
Ans:

@PreAuthorize annotation is used to check for authorization before executing the method.

We could alternatively use the @Secured annotation in spring to handle method-level security, however it has several limitations, such as

1. We cannot have several conditions with the @Secured annotation, i.e. the roles cannot be coupled with an AND/OR condition.
2. Spring expression language is not supported by the @Secured annotation.

Q: What is the difference between hasRole() and hasAuthority()?
Ans:

Spring roles are authorities with the ROLE_prefix. Another thing to understand of it is that roles are meant for broad sets of permissions, whereas authorities are meant for finer-grained management. However, that is only one possible usage. The developer is in charge of the actual implementation. In this tutorial, authorities are used to map to authorization groups.

@PreAuthorize("hasAuthority('Admin')")
@RequestMapping("/fetch-users")
@ResponseBody
public String protectedUserPage() {
    return "TechGeekNext User";
}

------------------------------------------

@PreAuthorize("hasRole('admin')")
@RequestMapping("/fetch-users")
public String protectedUserPage() {
    return "TechGeekNext User";
}

The crucial thing to remember is that in order to use hasRole(), the authority name in the claim must begin with ROLE_. You might, for example, use hasRole('ADMIN') if you created a ROLE ADMIN group and added your user to it.

Q: What is difference between Spring Security's @PreAuthorize and HttpSecurity?
Ans:

1. The first distinction is small, but it is important to note. Before controller mapping occurs, the HttpSecurity function rejects the request in a web request filter. The @PreAuthorize assessment, on the other hand, occurs later, directly before the controller method is executed. This means that HttpSecurity configuration is done before @PreAuthorize.
2. Second, HttpSecurity is associated with URL endpoints, whereas @PreAuthorize is associated with controller methods and is located within the code next to the controller definitions.
3. The use of SpEL (Spring Expression Language ) is another advantage that @PreAuthorize has over HttpSecurity.

Q: How to enable Method-level Security for Spring?
Ans:

The @PreAuthorize annotation is enabled by the @EnableGlobalMethodSecurity(prePostEnabled = true) annotation.

@Component
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
.......
.......
}

Refer for complete implementation of Spring Boot Method Security with PreAuthorize Example

Q: How to use Authorization Based On OAuth 2.0 with PreAuthorize?
Ans:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(final HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            //.and().formLogin();   // <-- Without OAUTH 
            .and().oauth2Login();  // <-- With OAUTH
    }
}

Q: Which open source tools are available for Oauth 2.0 /SAML/ OpenID Connect based SSO?
Ans:

Keycloak is a modern application and service-oriented open source Identity and Access Management system. Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console are some of the features offered by Keycloak.

It works with a variety of protocols, including Oauth 2.0, SAML 2.0 and OpenID Connect. User credentials can also be stored locally or via an LDAP or Kerberos backend.

When a user logs in successfully with Keycloak, they are given a token, which is saved as a cookie in the browser, and they are automatically sent back to the service they were trying to access. This token usually includes a username as well as information about the user's permissions.

Refer Spring Boot Keycloak SSO Example to understand it's implementation.