Welcome to the first lesson of the "OAuth Advanced Features & Integration" course. In today's world, many applications allow users to sign in using accounts from other services, such as Google or Facebook. This is made possible by OAuth, a secure authorization protocol that lets users grant limited access to their information without sharing their passwords. In this lesson, you will learn how to work with a mock OAuth setup, which is a simulated environment for testing OAuth features without needing real third-party accounts.

By the end of this lesson, you will understand how to configure mock OAuth providers, retrieve mock user profiles, and implement account linking and unlinking features. You will also see how to apply important security practices in these workflows. This knowledge will prepare you to build and test advanced authentication features in your own projects and get you ready for hands-on practice in the CodeSignal IDE.

To make development and testing easier, we often use mock OAuth configurations. These allow us to simulate the behavior of real OAuth providers, like Google, without needing to set up actual accounts or credentials. In your project, the oauth_config.py file is responsible for storing these mock settings.

Here's what the oauth_config.py file looks like:

Let's break down what each part does:

The OAUTH_CONFIG dictionary contains mock user details for multiple OAuth providers (Google and GitHub). Each provider has its own set of mock data including a user ID, email, display name, profile picture URL, and a provider identifier. This structure mimics what real OAuth providers would return, allowing you to test OAuth flows with multiple providers.

The AUTH_CONFIG dictionary holds general authentication settings that control security and behavior:

• token_expiry: Defines different expiration times for different authentication methods. Password-based sessions last 1 day, while OAuth sessions last 7 days, reflecting that OAuth is typically more secure.
• rate_limiting: Protects against brute-force attacks by limiting login attempts. sets the maximum number of tries allowed (5), and defines the time window in milliseconds (15 minutes).

The get_mock_oauth_profile function is a helper that returns a mock user profile for a given provider. Here's its implementation:

When you call this function with 'google' or 'github', it pulls the mock user data from OAUTH_CONFIG and returns a dictionary with the user's ID, email, name, profile picture, and provider name. The function uses Python's Literal type hint to ensure only valid provider names ('google' or 'github') can be passed as arguments, providing compile-time type safety.

For example, calling:

will output:

This function is especially useful for testing and development. It allows you to simulate the process of retrieving a user's profile from an OAuth provider, so you can build and test your authentication flows without needing real external accounts.

Account linking is a feature that lets users connect multiple authentication methods to a single account. For example, a user who originally signed up with a password can later link their Google account, so they can log in with either method. This is important in modern applications because it gives users flexibility and a better experience.

The high-level workflow for account linking starts when a logged-in user wants to connect their Google account. The system checks if the user has confirmed this action, verifies that the Google account is not already linked to another user account within the application, and ensures that the email addresses match. If all checks pass, the Google account is linked to the user's profile. The user can then log in with either their password or Google in the future.

The /link/google endpoint is responsible for linking a Google account to an existing user. Let's first look at the complete implementation:

The /unlink/google endpoint allows a user to disconnect their Google account from their profile. Here's the complete implementation:

Before unlinking, the system checks that the user has another way to log in, such as a password. This prevents users from accidentally locking themselves out of their account by removing their only authentication method. The check is performed using if not user.password, which verifies whether a password exists.

If the user has multiple authentication methods, the endpoint removes the Google account ID by setting user.google_id = None and updates the provider field to 'local' since the user will only have password authentication remaining. The changes are committed to the database, the event is logged, and the user receives a confirmation message.

For example, after a successful unlink, the response might be:

Security is a key part of any authentication system. In this setup, several measures are in place to protect users and the application. The AUTH_CONFIG dictionary defines rate limiting, which restricts the number of login attempts in a given time window to prevent brute-force attacks. Token expiry settings ensure that authentication tokens are only valid for a limited time, reducing the risk if a token is stolen.

The system also requires explicit confirmation before linking accounts and prevents duplicate links to the same Google account. These rules help prevent accidental or unauthorized account merges. FastAPI's built-in exception handling provides clear and informative error messages to users with helpful suggestions. Logging important events, such as account linking and unlinking using Python's print() function (which would typically be replaced with proper logging in production), helps with auditing and troubleshooting.

By following these practices, you can build authentication features that are both user-friendly and secure.

In this lesson, you learned how to use mock OAuth configurations to simulate real-world authentication flows. You explored the oauth_config.py file, understood how to retrieve mock user profiles with the get_mock_oauth_profile function, and saw how account linking and unlinking work in detail using FastAPI and SQLAlchemy. You also learned about important security settings and best practices for handling authentication.

Now that you have a solid understanding of these concepts, you are ready to move on to hands-on practice in the CodeSignal IDE. In the next exercises, you will apply what you have learned by working directly with the Python code, testing account linking and unlinking, and exploring how security features are enforced. This practical experience will help you build confidence and prepare you for more advanced OAuth integrations in the future.