Sign in service discussion in an interview

I gave an interview recently. The question was that you have already created a web app and now want to enable user login/logout and signup related services from the functional perspective, as you want only authentic, authorized users to use your service.

So I said I will use the Amazon Cognito service, as that gives you out-of-the-box sign up from Gmail/Facebook etc. as well, but he was interested in custom sign-in/sign-up. So he said, how will you handle that? So I said that can be handled by Amazon Cognito or other authentication providers.

He still was not convinced. He gave me a hint. He said that there are laws which need to be abided by for authentication and authorization, and one such law dictates that a developer should not be able to print the username and password of his end customer, and that is the reason to direct most of our calls to third-party services like Cognito; but then how do you handle your username and password and reset password, something which is associated with you?

Overall I was not selected, but I wanted to know how sign-in and sign-up user flows are handled.

Hi @manish, hope you are doing well.

I think that the interviewer was interested in how YOU would design a Sign In/Authentication service. Of course, in a real-world scenario, you could use a third-party service, making sure that the data is stored locally and all laws are properly handled by this provider. But in an interview context, you should go into the details of how you handle this.

For example, I would design a new service, which is used by the web services. This service is consulted to check if the user is authorized or not. If not, the web service does not allow access and redirects the user to a proper page to let the user provide his credentials OR sign in, routed by a reverse proxy or a service discovery. This service should have a database with the users, the respective encrypted passwords and any other relevant information (i.e. email, last sign in, …). Something like that… This service can have a global cache to keep track of recent access; it should be Highly Available, Reliable and consistent (we don't want a user changing his password and, after a logout, he should be using his brand new password).

Well, of course, a SD interview requires a lot of context and chat with the interviewer. It is an open question and, believe me, solutions out of the box are not what they want.

Hope this helps.

Artur Baruchi
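The service sketched in the answer above, written out as an added example (this is not Artur's code and not any real product's): a self-contained, in-memory authentication service with sign-up, sign-in, sign-out, an `is_authorized` check that the web tier would call on every request, password change, and a one-time reset-token flow. Two choices in it are assumptions rather than things the post states: passwords are stored as a salted PBKDF2-HMAC-SHA256 hash (so the service itself cannot print a user's password, which is the point the interviewer in the question was getting at), and every user record carries a version number that is bumped on any password change so that all existing sessions become invalid at once, which is the consistency requirement the answer mentions. The audit log records only usernames and event names, never the password. All names, the session and reset TTLs, the 12-character minimum and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the example runs quickly;
# a production deployment should use a much higher count (or Argon2/bcrypt).
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LEN = 12                     # assumed policy, not from the post
_DUMMY_SALT = os.urandom(16)              # makes unknown usernames cost the same as known ones


def _now(now):
    return time.time() if now is None else now


class AuthService:
    """In-memory sign-up / sign-in / reset service (constructed example)."""

    def __init__(self, session_ttl=3600, reset_ttl=900):
        self._users = {}          # username -> {"salt", "hash", "version"}
        self._sessions = {}       # session token -> {"username", "version", "expires"}
        self._reset_tokens = {}   # reset token -> {"username", "expires"}
        self.audit_log = []       # events carry usernames only, never passwords
        self.session_ttl = session_ttl
        self.reset_ttl = reset_ttl

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def _log(self, event, username):
        self.audit_log.append({"event": event, "user": username, "ts": time.time()})

    def _set_password(self, username, new_password):
        rec = self._users[username]
        rec["salt"] = os.urandom(16)
        rec["hash"] = self._derive(new_password, rec["salt"])
        rec["version"] += 1       # every session issued before this point now fails is_authorized()

    def sign_up(self, username, password):
        if username in self._users or len(password) < MIN_PASSWORD_LEN:
            self._log("signup_rejected", username)
            return False
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt), "version": 0}
        self._log("signup", username)
        return True

    def sign_in(self, username, password, now=None):
        """Returns a session token, or None on any failure (same answer for bad user or bad password)."""
        rec = self._users.get(username)
        salt, expected = (rec["salt"], rec["hash"]) if rec else (_DUMMY_SALT, b"\0" * 32)
        ok = hmac.compare_digest(self._derive(password, salt), expected) and rec is not None
        if not ok:
            self._log("signin_failed", username)
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"username": username, "version": rec["version"],
                                 "expires": _now(now) + self.session_ttl}
        self._log("signin", username)
        return token

    def is_authorized(self, token, now=None):
        """The check the web tier makes on every request; returns the username or None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        user = self._users.get(s["username"])
        if user is None or _now(now) >= s["expires"] or user["version"] != s["version"]:
            self._sessions.pop(token, None)   # expired, or invalidated by a password change
            return None
        return s["username"]

    def sign_out(self, token):
        s = self._sessions.pop(token, None)
        if s is not None:
            self._log("signout", s["username"])
        return s is not None

    def change_password(self, username, old_password, new_password):
        rec = self._users.get(username)
        if rec is None or len(new_password) < MIN_PASSWORD_LEN:
            return False
        if not hmac.compare_digest(self._derive(old_password, rec["salt"]), rec["hash"]):
            self._log("pwchange_failed", username)
            return False
        self._set_password(username, new_password)
        self._log("pwchange", username)
        return True

    def request_reset(self, username, now=None):
        """One-time token to be delivered out of band (e.g. e-mail); the web tier shows the same page either way."""
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = {"username": username, "expires": _now(now) + self.reset_ttl}
        self._log("reset_requested", username)
        return token

    def reset_password(self, token, new_password, now=None):
        entry = self._reset_tokens.get(token)
        if entry is None or _now(now) >= entry["expires"] or len(new_password) < MIN_PASSWORD_LEN:
            return False
        del self._reset_tokens[token]         # single use
        self._set_password(entry["username"], new_password)
        self._log("reset", entry["username"])
        return True
```

The `version` field is what makes "change password, then every old session dies" cheap: the service never has to enumerate a user's sessions (which may live in a distributed cache), it only compares the version stamped into the session with the current one on each `is_authorized` call. Swapping the dictionaries for a database and a shared cache gives the shape the answer describes.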