What is the purpose of OAuth 2.0?
It allows a Resource Owner (RO) to delegate limited access to their resources to a Client
(C) without sharing their credentials — using tokens issued by an Authorisation Server
(AS) and consumed by a Resource Server (RS).
Who are the four participants in the OAuth 2.0 workflow?
The Resource Owner (RO), the Client (C), the Authorisation Server (AS) and the Resource Server (RS).
What are the key steps in the Authorization Code Workflow?
The Client sends the Resource Owner's browser to the AS authorization endpoint with its client_id, redirect URI, requested scope and a state value.
The Resource Owner authenticates at the AS and approves the requested access.
The AS redirects the browser back to the registered redirect URI carrying a short-lived, single-use authorization code (and the state).
The Client exchanges the code at the AS token endpoint over a back channel, authenticating with its client secret (or proving possession of the PKCE verifier), and receives an access token.
The Client presents the access token to the Resource Server, which validates it and serves the protected resource.
Why is this called the “authorization code” flow?
Because the authorization code is an intermediate, short-lived, single-use credential: the code travels through the user's browser, but the access token is obtained only by exchanging the code at the token endpoint over a back channel, so the token itself never appears in the browser's URL. For confidential clients the AS also authenticates the client at that exchange, so a code intercepted on its own is not enough to get a token.
What is a redirection URL and why is it important?
It tells the Authorisation Server where to send the user (and authorization code) after they approve the app.
It must be registered and match exactly to prevent interception or redirect attacks.
Which participant registers and validates the redirect URL?
The Client registers it.
The Authorisation Server validates it during authorization.
Why must redirection URIs use HTTPS?
Because they carry sensitive data (authorization codes or tokens) that could otherwise be stolen.
What differs in the implicit grant flow?
The authorization code step is skipped.
The access token is delivered directly to the client via the browser’s URL fragment.
When is the implicit grant used?
Historically, when the client cannot keep a secret, e.g. JavaScript single-page apps or mobile apps; current guidance is to use the authorization code flow with PKCE for these clients instead.
What are the security consequences of using the implicit flow?
Tokens are exposed in the browser (URL fragment, history, any script running on the page) and can leak via Referer headers or logs.
No client authentication (no secret presented), so the AS cannot tell a legitimate client from an impersonator.
Higher risk of token theft and replay; the implicit grant is therefore deprecated by the OAuth 2.0 Security Best Current Practice, and the authorization code flow with PKCE (Proof Key for Code Exchange) is now preferred even for public clients.
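The following is an added, self-contained illustration (not code from the original notes or from any real authorisation server) of the authorization code flow with PKCE, covering the steps listed above: the client creates a code_verifier and S256 code_challenge, builds the front-channel request, the AS validates the redirect URI by exact match against its registration, issues a single-use code, and verifies the PKCE verifier at the token endpoint. The client id, the `app.example` / `as.example` URLs and the in-memory `AuthorizationServer` class are assumptions for the example; a real AS would also enforce code expiry, client authentication for confidential clients and scope checks.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration record (assumption for this example): a public client
# with exactly one registered HTTPS redirect URI.
REGISTERED_CLIENTS = {
    "spa-client": {"redirect_uris": {"https://app.example/callback"}},
}
AUTHZ_ENDPOINT = "https://as.example/authorize"  # assumed AS endpoint


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Client: fresh random code_verifier (43 chars) and its code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256(verifier)


def query_params(url: str) -> dict:
    """Flatten a URL's query string into a dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def authorization_request(client_id, redirect_uri, challenge, state) -> str:
    """Client: front-channel URL the Resource Owner's browser is sent to."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "read", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


class AuthorizationServer:
    """Minimal in-memory AS: exact redirect match, single-use codes, PKCE check."""

    def __init__(self):
        self._codes = {}  # code -> what it was issued for

    def authorize(self, params: dict) -> str:
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        redirect_uri = params.get("redirect_uri")
        # Exact string comparison with the registration: no prefix/wildcard matching.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri does not match registration")
        if urlparse(redirect_uri).scheme != "https":
            raise ValueError("redirect_uri must use https")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE S256 challenge required")
        # Resource Owner authentication/consent happens here in a real AS.
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": params["client_id"],
                             "redirect_uri": redirect_uri,
                             "challenge": params["code_challenge"]}
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, code, redirect_uri, code_verifier) -> dict:
        """Back-channel exchange; the code is consumed whether or not it succeeds."""
        record = self._codes.pop(code, None)
        if record is None:
            raise ValueError("invalid, expired or already-used code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(s256(code_verifier), record["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def run_flow(as_server: AuthorizationServer) -> dict:
    """Complete client-side flow against the given AS; returns the token response."""
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = authorization_request("spa-client", "https://app.example/callback", challenge, state)
    callback = as_server.authorize(query_params(url))  # browser follows the redirect
    cb = query_params(callback)
    if cb.get("state") != state:  # binds the callback to this browser session (CSRF)
        raise ValueError("state mismatch")
    return as_server.token("spa-client", cb["code"], "https://app.example/callback", verifier)


def attempt(fn, *args):
    """Return the error message a rejected request produces, or None on success."""
    try:
        fn(*args)
        return None
    except ValueError as exc:
        return str(exc)
```

Note the two properties the flashcards above call out: an attacker who captures the code from the browser cannot redeem it without the verifier, and a redirect_uri that merely shares a prefix with the registered one is rejected rather than "close enough".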
Can transactions in a public blockchain (like Bitcoin) ever be considered truly permanent?
Not immediately.
Transactions are considered confirmed once they appear in a block that is followed by several additional blocks (the common Bitcoin convention is 6 confirmations).
Persistence is probabilistic — the longer the chain after a block, the harder it is to replace it.
What mechanism enforces persistence?
The longest chain rule: nodes treat the longest valid chain as the canonical ledger (in practice, the valid chain with the most cumulative proof-of-work, which coincides with length when difficulty is constant).
What happens when miners detect a blockchain fork longer than their current one?
They switch to mining on the longest fork, discarding their shorter one.
Why is it in a miner’s interest to follow the longest fork?
Because only the longest chain is accepted network-wide — mining on a shorter chain wastes computational effort and forfeits block rewards.
What causes forks?
Simultaneous block discoveries, network delays, or intentional attacks (e.g., selfish mining).
Why does Bitcoin's fault-tolerance bound differ from the classical BFT bound (fewer than one third of nodes faulty)?
Because in Proof-of-Work, influence depends on computational power, not on node count, so creating many cheap identities (a Sybil attack) buys no extra influence.
Consensus holds as long as honest miners control more than 50% of total hash power; strategic behaviour such as selfish mining can be profitable with less than a majority, so the practical margin is thinner than that bound suggests.
Why do even centralised organisations use consensus algorithms like Paxos or Raft?
To keep replicated state (leader election, configuration stores, distributed databases) consistent across several machines so the service survives individual crashes and network partitions; the problem being solved is fault tolerance, not distrust between participants.
How do these differ from blockchain consensus?
They operate in trusted, closed environments where nodes may crash but are assumed not to lie, so they can use faster, simpler crash-fault-tolerant (CFT) algorithms instead of Byzantine-fault-tolerant (BFT) ones.
What is Proof-of-Work (PoW)?
A consensus mechanism where miners must solve a computationally expensive hash puzzle — proving they expended real effort — to add a block.
Why is PoW secure?
Because rewriting history would require redoing the proof-of-work for all subsequent blocks — computationally infeasible without majority control.
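The following is an added toy implementation (not from the original notes and not Bitcoin's code) of the points on this and the preceding cards: mining a block by brute-forcing a nonce until the hash meets a target, validating the hash links, choosing between forks by cumulative work, and showing that editing an old block breaks validation unless every later block is re-mined, and that even a fully re-mined fork only wins once it carries more work than the honest chain. The difficulty of 12 leading zero bits and the JSON block layout are assumptions chosen so it runs in a fraction of a second.

```python
import hashlib
import json

# Toy difficulty (assumption): a valid hash must start with this many zero bits.
# Real Bitcoin targets are enormously harder; 12 bits means ~4096 hashes per block.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """SHA-256 over a canonical serialisation of the block."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def meets_target(h: str, bits: int = DIFFICULTY_BITS) -> bool:
    return int(h, 16) >> (256 - bits) == 0


def mine_block(prev_hash: str, txs: list, bits: int = DIFFICULTY_BITS) -> dict:
    """The 'work': increment the nonce until the block hash meets the target."""
    block = {"prev": prev_hash, "txs": txs, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    return block


def build_chain(tx_batches, bits: int = DIFFICULTY_BITS) -> list:
    chain, prev = [], GENESIS_PREV
    for txs in tx_batches:
        block = mine_block(prev, txs, bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


def validate_chain(chain, bits: int = DIFFICULTY_BITS) -> bool:
    """Each block must link to its predecessor's hash and carry valid work."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or not meets_target(block_hash(block), bits):
            return False
        prev = block_hash(block)
    return True


def cumulative_work(chain, bits: int = DIFFICULTY_BITS) -> int:
    """Expected hashes spent on the chain: 2**bits per block at one fixed difficulty."""
    return len(chain) * (2 ** bits)


def choose_chain(current, candidate, bits: int = DIFFICULTY_BITS):
    """Fork choice: adopt the candidate only if it is valid and has strictly more work."""
    if validate_chain(candidate, bits) and cumulative_work(candidate, bits) > cumulative_work(current, bits):
        return candidate
    return current


def naive_edit(chain, index, new_txs) -> list:
    """Attacker rewrites block `index` in place without redoing any work."""
    edited = [dict(b) for b in chain]
    edited[index] = dict(edited[index], txs=new_txs)
    return edited


def rewrite_history(chain, index, new_txs, bits: int = DIFFICULTY_BITS):
    """Attacker rewrites block `index` honestly: re-mines it and every later block.
    Returns (tampered_chain, number_of_blocks_remined)."""
    tampered = [dict(b) for b in chain[:index]]
    prev = block_hash(tampered[-1]) if tampered else GENESIS_PREV
    tampered.append(mine_block(prev, new_txs, bits))
    remined = 1
    for old in chain[index + 1:]:
        tampered.append(mine_block(block_hash(tampered[-1]), old["txs"], bits))
        remined += 1
    return tampered, remined
```

The count returned by `rewrite_history` is the cost the card above describes: the deeper the edited block is buried, the more proof-of-work has to be redone, and the attacker must then out-mine the honest network to make the rewritten fork the heaviest one.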
What is Proof-of-Stake (PoS)?
Validators are chosen based on the cryptocurrency they “stake.” Misbehavior risks losing that stake, aligning incentives toward honesty.
What is the key environmental difference between PoW and PoS?
PoW consumes large amounts of energy; PoS requires only staking and verification, making it more sustainable.
What is Proof-of-Space?
A system where users prove they have allocated a certain amount of storage space (instead of computation) — e.g., “graph pebbling” methods.
What is the goal of Web3?
To build decentralised applications (dApps) that don’t depend on central authorities — leveraging blockchains, peer-to-peer networks, and smart contracts.