
Okta Software Engineer Case Interview: Designing a Multi‑Tenant Identity and Access Service
This case simulates building a core component of the Okta Identity Cloud for a multi-tenant environment. Candidates design and reason about a high-scale, security-first authentication and authorization service that issues and validates tokens, applies adaptive MFA, and enforces tenant-scoped policies.

Scope and scenario:
- You are tasked with designing a Token & Session Service for Okta's multi-tenant platform that supports OIDC (authorization code + PKCE), OAuth 2.0 client credentials, and SAML assertions for enterprise federation. The service must honor per-tenant policies (passwordless/WebAuthn, step-up auth, risk-based challenges), custom domains, and regional data residency.
- Non-functional targets: 50k peak logins/sec globally, p95 token issuance under 200 ms, 99.99% availability, no cross-tenant leakage of customer data, key rotation that propagates in under one minute, and graceful degradation during IdP or third-party outages.

What the interviewer focuses on (Okta-specific):
- Protocol depth: OIDC/OAuth 2.0 grants and scopes, refresh token rotation, token exchange, JWKS and key rotation, RS256/ES256 signing, JWKS caching and key selection by kid, SAML SP-initiated vs IdP-initiated nuances, SCIM provisioning and JIT user creation.
- Multi-tenancy and isolation: tenant sharding strategies, per-org rate limits and quotas, policy engines scoped to an org, blast-radius reduction, safe rollout and feature flags per tenant, and data partitioning for workforce vs customer identity use cases.
- Security posture: threat modeling (token leakage, replay, consent phishing, authz bypass, SSRF on metadata fetch), step-up triggers (risk signals such as device posture, IP reputation, impossible travel), WebAuthn/passkeys, secrets handling (HSM/KMS), key ceremonies, mTLS between services, and secure defaults.
- Reliability and scale: stateless token issuance with distributed caches, idempotency and backpressure, circuit breaking for upstreams (email/SMS/WebAuthn attestation services), global traffic management and region failover, schema evolution for user, profile and credential objects, and audit/event streaming to SIEM via the System Log.
- Product fit and customer empathy: balancing frictionless login with security, migration strategies from a legacy IdP, compatibility with 7,000+ integrations, and clear trade-offs that reflect Okta's customer-centric culture.

Interview flow (collaborative, whiteboard-first):
1) Clarify requirements (10 min): Identify tenants, identity stores (directory vs social), supported flows, step-up policies, and SLAs. Call out assumptions and risks.
2) High-level design (20 min): Present a block diagram: AuthN gateway, policy engine, token service, key management/JWKS, session store, risk service, org config store, and audit pipeline. Explain the request flow for (a) OIDC authorization code + PKCE, (b) SAML federation, and (c) API client credentials.
3) Deep dive (15 min):
   - Key rotation and JWKS propagation without breaking validation.
   - Per-tenant rate limiting and abuse detection.
   - Adaptive MFA decisioning and step-up during sensitive actions.
4) Security and failure modes (10 min): STRIDE-style threats, incident response plan, blast-radius controls, safe rollout/canary.
5) Implementation sketch (10 min): Pseudocode or API design for issuing and validating JWTs (claims such as iss, sub, aud and exp; nonce and state handling), refresh rotation, and session revocation. Include telemetry (metrics/traces/logs) and SLOs with error budgets.

What good looks like:
- Demonstrates protocol correctness, strong isolation guarantees, and pragmatic scaling choices.
- Surfaces trade-offs (e.g., stateless vs stateful sessions, ES256 vs RS256, cache TTLs vs consistency) and ties them to tenant experience and security.
- Communicates clearly, invites feedback, and iterates, mirroring Okta's collaborative, security-first, customer-obsessed culture.

Common pitfalls to probe:
- Treating tokens as opaque without a rotation/revocation strategy.
- Ignoring tenant scoping in caches and rate limits.
- Hand-waving key management, metadata fetching, and federation edge cases.
- Missing observability and rollback plans.

Prompts the interviewer may use:
- "Design the token issuance and validation path for a tenant with custom domains and ES256 signing; how do you rotate keys with zero downtime?"
- "Add adaptive MFA for high-risk logins; what signals do you use and where do you enforce step-up?"
- "A partner's SAML IdP is flaky; how does your system degrade while honoring SLAs and auditability?"
- "How do you prevent cross-tenant data access during cache warmups and incident scenarios?"
8 minutes
About This Interview
Interview type: Product Sense
Difficulty level: 4/5