Interview Question
Clients intermittently receive 401 Unauthorized even with valid JWTs. Walk through diagnosing and fixing the issue.
Key Points to Cover
- Check token clocks: iat/nbf/exp vs server time; verify NTP drift
- Validate issuer/audience/alg claims and key rotation
- Review leeway/skew configuration in validators
- Inspect load balancers/proxies that strip auth headers
- Add time sync alerts and rotate keys safely
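A diagnostic helper for the first three points above, added here as an example (not code from the original question): it decodes the claims of a rejected token and reports which of `exp`/`nbf`/`iat` fails at the server's clock and by how many seconds, under a given leeway, plus `iss`/`aud` mismatches. The issuer URL, audience, and token are constructed test values.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    # Constructed test token: real header and payload, placeholder signature.
    header = {"alg": "RS256", "kid": "kid-placeholder"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "sig-placeholder"])

def unverified_claims(token: str) -> dict:
    # Decodes the payload only. The signature is deliberately NOT verified:
    # this helper explains why a validator rejected a token, it never accepts one.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def check_time_claims(claims: dict, now: int, leeway: int = 0) -> list:
    """Apply exp/nbf/iat at server time `now` with `leeway` seconds of tolerance.
    Each message says how far outside the window the claim is: a few seconds
    points at clock drift, minutes or hours at genuine expiry."""
    problems = []
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is not None and now > exp + leeway:
        problems.append(f"exp: expired {now - exp}s ago (leeway {leeway}s)")
    if nbf is not None and now < nbf - leeway:
        problems.append(f"nbf: not valid for another {nbf - now}s (leeway {leeway}s)")
    if iat is not None and now < iat - leeway:
        problems.append(f"iat: issued {iat - now}s in the future (leeway {leeway}s)")
    return problems

def check_identity_claims(claims: dict, issuer: str, audience: str) -> list:
    """iss must match exactly; aud may be a string or a list and must include us."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss: got {claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud: {aud!r} does not include {audience!r}")
    return problems

def diagnose(token: str, now: int, issuer: str, audience: str, leeway: int = 0) -> list:
    claims = unverified_claims(token)
    return check_time_claims(claims, now, leeway) + check_identity_claims(claims, issuer, audience)
```

Run `diagnose` against a sample of the rejected tokens with the real server time: if the only findings are `iat`/`nbf` a few seconds in the future, the server clock is behind the issuer's and NTP is the fix, not the token.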
Evaluation Rubric
- Considers clock skew and time sync: 30% weight
- Validates token claims/keys properly: 30% weight
- Checks LB/proxy and header handling: 20% weight
- Implements durable remediation: 20% weight
Hints
- 💡 Small clock drift can break strict validators.
Common Pitfalls to Avoid
- ⚠️ Assuming the JWT itself is always the problem, neglecting server-side configurations.
- ⚠️ Not explicitly checking NTP status and server time synchronization as the first step.
- ⚠️ Focusing only on expiration time and ignoring `iat` and `nbf` claims, especially in sensitive applications.
- ⚠️ Overlooking the impact of active key rotation and potential delays in key distribution/refreshment.
- ⚠️ Incorrectly configuring leeway settings without understanding the implications for security versus tolerance for clock drift.
Potential Follow-up Questions
- ❓ How do you rotate JWKS keys?
- ❓ What leeway is reasonable?