As asked
You are starting a B2B SaaS from zero. Walk me through every component of the authentication and authorization system you would build or buy, from email/password to SSO, including session management, token storage on the client, and how multi-tenancy fits in.
Sample answer outline
Strong answer evaluates build vs buy (Auth0, Clerk, Supabase Auth, NextAuth) honestly against team size. If building, covers bcrypt/Argon2 password hashing, short-lived JWTs with refresh tokens stored in httpOnly cookies, CSRF protection, and a roles table keyed on org+user. SSO via SAML or OIDC delegation rather than hand-rolling.
Expect these follow-ups
- A customer's security team asks whether you support SCIM provisioning. What is SCIM and how long does it take to add?
- How do you revoke a JWT before it expires?