You're joining the BuilderEx team at a travel loyalty company that operates identity and authentication for multiple partner brands. The team is mid-migration to a unified OAuth 2.0/OpenID Connect identity provider — three legacy auth systems are consolidating into one, but the migration is not complete.
The problem you've been handed on your second week: The fraud team has flagged a pattern — 847 logins over the past 30 days succeeded (valid credentials, valid OIDC token issued) but showed anomalous post-auth behavior: unusual geolocation, device switches within minutes of login, then immediate redemption requests against high-value loyalty accounts.
The current system trusts a valid token completely. There is no post-authentication risk assessment.
Your manager asks you to build a risk-scoring middleware that sits in the post-authentication flow. After a valid OIDC token is issued, your middleware receives a login event payload and returns a structured risk_decision object that downstream systems use to determine whether to allow, step-up-authenticate, or block the session.
Constraints:
AI Usage Guidance: Using AI tools is expected and encouraged — how you use AI is part of what's evaluated. Your video walkthrough must include this mandatory question: "Walk me through one moment where you disagreed with, pushed back on, or redirected what the AI gave you — and what you did instead. Name the specific moment. Explain what the AI produced that didn't meet the bar, what you did differently, and why."
Demonstrate ability to design a post-authentication risk scoring system that integrates with an existing OAuth 2.0/OIDC flow without modifying it
Build a risk scoring implementation that balances security signal accuracy with the real cost of false positives on legitimate users
Show production engineering judgment: code structure, error handling, and observability appropriate for an on-call ownership model
Design an API output that serves both downstream engineering systems and non-technical compliance audit requirements
Document architectural trade-offs, incident response thinking, and AI collaboration process
On this page