Introduction And Context

Welcome to the first lesson of the "OAuth Advanced Features & Integration" course. In today's world, many applications allow users to sign in using accounts from other services, such as Google or Facebook. This is made possible by OAuth, a secure authorization protocol that lets users grant limited access to their information without sharing their passwords.

In this lesson, you will learn how to work with a mock OAuth setup - a simulated environment for testing OAuth features without needing real third-party accounts.

What You'll Learn:

  • Configure mock OAuth providers
  • Retrieve mock user profiles
  • Implement account linking and unlinking features
  • Apply security best practices in authentication workflows

This knowledge will prepare you to build and test advanced authentication features in your own projects and get you ready for hands-on practice in the CodeSignal IDE.

Overview Of Mock OAuth Configurations

To make development and testing easier, we use mock OAuth configurations. These simulate the behavior of real OAuth providers like Google without needing actual accounts or credentials.

In your project, two files manage these mock settings:

  • OAuthConfig.java - Stores mock user profiles for different OAuth providers
  • AuthConfig.java - Controls authentication behavior and security settings

Understanding OAuthConfig.java

Key Components:

Provider Enum: Defines available OAuth providers (Google and GitHub) using Java's enum type for compile-time safety.

MockProfile Class: Encapsulates mock user details including user ID, email, display name, profile picture URL, and provider identifier. This structure mimics what real OAuth providers would return.

OAUTH_CONFIG Map: Associates each provider with its mock data using Java's Map.of(), which creates an immutable map for additional security.

Understanding AuthConfig.java

Key Components:

TokenExpiry: Defines different expiration times for authentication methods. Password-based sessions last 1 day, while OAuth sessions last 7 days (OAuth is typically more secure).

RateLimiting: Protects against brute-force attacks. Allows a maximum of 5 attempts within a 15-minute window (900,000 milliseconds).

Security: Controls account linking behavior. Requires explicit user confirmation and prevents multiple users from linking to the same OAuth account.

Understanding The getMockOAuthProfile Method

The getMockOAuthProfile method is a static helper that retrieves mock user profiles:

How It Works:

Call the method with Provider.GOOGLE or Provider.GITHUB, and it returns a MockProfile object from the OAUTH_CONFIG map. The enum ensures only valid provider values can be passed, providing compile-time type safety.

Example Usage:

Output:

This method is essential for testing authentication flows without real external accounts.
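The following is an added illustration of the shape the lesson describes for OAuthConfig.java (Provider enum, MockProfile, OAUTH_CONFIG built with Map.of(), getMockOAuthProfile); it is not the course's own file. The class name MockOAuthDemo, the sample profile values and the use of a record for MockProfile are assumptions.

```java
import java.util.Map;

// Added illustration of the lesson's OAuthConfig.java shape; the class name, the
// sample values and the record form of MockProfile are assumptions.
public class MockOAuthDemo {

    // Provider enum: only these two constants can ever reach getMockOAuthProfile.
    public enum Provider { GOOGLE, GITHUB }

    // MockProfile: the fields a real provider's userinfo response would carry.
    public record MockProfile(String id, String email, String displayName,
                              String pictureUrl, Provider provider) {}

    // Map.of() returns an unmodifiable map: the mock data cannot be altered at runtime.
    private static final Map<Provider, MockProfile> OAUTH_CONFIG = Map.of(
        Provider.GOOGLE, new MockProfile("google-123", "alice@example.com", "Alice",
                                         "https://example.com/alice.png", Provider.GOOGLE),
        Provider.GITHUB, new MockProfile("github-456", "alice@example.com", "alice-dev",
                                         "https://example.com/alice-gh.png", Provider.GITHUB));

    public static MockProfile getMockOAuthProfile(Provider provider) {
        // With an enum key and a fully populated map the lookup cannot miss; the null
        // check still documents the contract for callers (and catches a null argument).
        MockProfile p = OAUTH_CONFIG.get(provider);
        if (p == null) throw new IllegalArgumentException("No mock profile for " + provider);
        return p;
    }

    public static void main(String[] args) {
        MockProfile google = getMockOAuthProfile(Provider.GOOGLE);
        System.out.println(google);

        // Demonstrates the immutability the lesson mentions: Map.of() rejects mutation.
        try {
            OAUTH_CONFIG.put(Provider.GOOGLE, google);
        } catch (UnsupportedOperationException e) {
            System.out.println("OAUTH_CONFIG is immutable: " + e.getClass().getSimpleName());
        }
    }
}
```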

Account Linking Workflow Overview

Account linking lets users connect multiple authentication methods to a single account. For example, a user who signed up with a password can later link their Google account for flexible login options.

High-Level Workflow:

  1. Logged-in user initiates Google account linking
  2. System verifies user has confirmed the action
  3. System checks the Google account isn't already linked to another user
  4. System validates email addresses match
  5. If all checks pass, Google account is linked to user profile
  6. User can now log in with either password or Google

In-Depth Walkthrough Of The Link Endpoint (/api/account/link/google)

The /api/account/link/google endpoint is responsible for linking a Google account to an existing user. Let's examine how it works by breaking down its key components.

Key Checks

When a user sends a linking request, the endpoint performs several security checks:

Token Verification: The verifyToken method checks the Authorization header, decodes the JWT token, and loads the user from the database. Invalid tokens receive a 401 error.

Confirmation Check: Verifies explicit user confirmation if required by AuthConfig.SECURITY.requireConfirmation. Missing confirmation returns a 400 error with linking details.

Duplicate Account Check: Queries the database to check if the Google account is already linked to a different user. If found and preventDuplicateLinks is enabled, the request is blocked to prevent security issues.

Email Validation: Compares email addresses between the current user and Google account. Mismatches are blocked to prevent unauthorized account merges.

Data Changes

If all checks pass, the endpoint updates the user's profile:

Updates Made:

  • Sets the Google account ID
  • Marks email as verified
  • Updates provider field (to 'mixed' if user previously had only local account)
  • Optionally sets profile image

Changes are persisted using users.save(user), which Spring Data JPA translates into an SQL UPDATE statement. The event is logged using System.out.println (typically replaced with SLF4J in production).
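As an added, framework-free model (not the course's controller code) of the checks and data changes described above, the following runs the confirmation, duplicate-link and email checks in order and then applies the four updates. The User and LinkResult types, the in-memory user map standing in for the repository, and the 409 status for conflicts are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Added, framework-free model of the link endpoint's checks. User, LinkResult and the
// in-memory user map are assumptions standing in for the JPA entity and repository.
public class LinkGoogleDemo {
    static final boolean REQUIRE_CONFIRMATION = true;    // AuthConfig.SECURITY.requireConfirmation
    static final boolean PREVENT_DUPLICATE_LINKS = true; // AuthConfig.SECURITY.preventDuplicateLinks

    static class User {
        String email, password, googleId, picture, provider = "local";
        boolean emailVerified;
        User(String email, String password) { this.email = email; this.password = password; }
    }
    // status mirrors the HTTP outcomes: 401 bad token, 400 unconfirmed, 409 conflict, 200 linked
    record LinkResult(int status, String message) {}

    static LinkResult linkGoogle(Map<Long, User> users, long userId, boolean confirmed,
                                 String googleId, String googleEmail, String pictureUrl) {
        User user = users.get(userId);
        if (user == null) return new LinkResult(401, "invalid token");
        // Confirmation check
        if (REQUIRE_CONFIRMATION && !confirmed)
            return new LinkResult(400, "confirm linking of " + googleEmail);
        // Duplicate account check: the same Google ID already on a *different* user
        boolean linkedElsewhere = users.entrySet().stream()
            .anyMatch(e -> e.getKey() != userId && googleId.equals(e.getValue().googleId));
        if (PREVENT_DUPLICATE_LINKS && linkedElsewhere)
            return new LinkResult(409, "Google account already linked to another user");
        // Email validation: never merge accounts that do not share an address
        if (!user.email.equalsIgnoreCase(googleEmail))
            return new LinkResult(409, "email mismatch; refusing to merge accounts");
        // Data changes, in the order the lesson lists them (users.put stands in for users.save)
        user.googleId = googleId;
        user.emailVerified = true;
        if ("local".equals(user.provider)) user.provider = "mixed";
        if (pictureUrl != null && user.picture == null) user.picture = pictureUrl;
        users.put(userId, user);
        return new LinkResult(200, "linked; provider=" + user.provider);
    }

    public static void main(String[] args) {
        Map<Long, User> users = new HashMap<>();            // constructed sample data
        users.put(1L, new User("alice@example.com", "hashed-pw"));
        users.put(2L, new User("mallory@example.com", "hashed-pw"));
        System.out.println(linkGoogle(users, 1L, false, "google-123", "alice@example.com", null)); // 400
        System.out.println(linkGoogle(users, 1L, true, "google-123", "alice@example.com", null));  // 200
        System.out.println(linkGoogle(users, 2L, true, "google-123", "mallory@example.com", null)); // 409
    }
}
```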

Response Structure

A successful linking returns confirmation and updated account status:

Detailed Look At The Unlink Endpoint (/api/account/unlink/google)

The /api/account/unlink/google endpoint allows users to disconnect their Google account. Let's examine its components.

Key Checks For Unlinking

The endpoint performs two critical checks:

Token Verification: Verifies user identity using the JWT token in the Authorization header.

Remaining Authentication Methods: Counts available authentication methods by checking if user.getPassword(), user.getGoogleId(), and user.getGithubId() are non-null. This prevents users from locking themselves out by removing their only authentication method.

Data Changes For Unlinking

When unlinking is allowed, the endpoint updates the user profile:

Updates Made:

  • Removes Google account ID
  • Updates provider field based on remaining methods
    • One method remaining: Sets to 'local' or 'github'
    • Multiple methods remaining: Sets to 'mixed'

Changes are persisted using users.save(user), and the event is logged.
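The lock-out guard and the provider recomputation described above, as an added framework-free model rather than the course's endpoint code. The User class, UnlinkResult, the 400/401 status codes and the guard against unlinking when no Google ID is present are assumptions.

```java
import java.util.Objects;
import java.util.stream.Stream;

// Added, framework-free model of the unlink endpoint's lock-out check and provider
// recomputation. The User class and UnlinkResult are assumptions, not the course's code.
public class UnlinkGoogleDemo {
    static class User {
        String password, googleId, githubId, provider;
        User(String password, String googleId, String githubId, String provider) {
            this.password = password; this.googleId = googleId;
            this.githubId = githubId; this.provider = provider;
        }
    }

    record UnlinkResult(int status, String message) {}

    // Remaining authentication methods: the non-null count the endpoint makes before unlinking
    static long authMethodCount(User u) {
        return Stream.of(u.password, u.googleId, u.githubId).filter(Objects::nonNull).count();
    }

    // Provider value once Google is gone: 'local' or 'github' when one remains, 'mixed' otherwise
    static String providerAfterUnlink(User u) {
        boolean local = u.password != null, github = u.githubId != null;
        if (local && github) return "mixed";
        return local ? "local" : "github";
    }

    static UnlinkResult unlinkGoogle(User user) {
        if (user == null) return new UnlinkResult(401, "invalid token");
        if (user.googleId == null) return new UnlinkResult(400, "no Google account linked"); // assumed guard
        // Lock-out guard: refuse to remove the only way the user can sign in
        if (authMethodCount(user) <= 1)
            return new UnlinkResult(400, "cannot remove the last authentication method");
        user.googleId = null;
        user.provider = providerAfterUnlink(user);
        return new UnlinkResult(200, "unlinked; provider=" + user.provider);
    }

    public static void main(String[] args) {           // constructed sample users
        User googleOnly = new User(null, "google-123", null, "google");
        User mixed = new User("hashed-pw", "google-123", "github-456", "mixed");
        User pwAndGoogle = new User("hashed-pw", "google-123", null, "mixed");
        System.out.println(unlinkGoogle(googleOnly));   // 400: would lock the user out
        System.out.println(unlinkGoogle(mixed));        // 200: provider stays 'mixed'
        System.out.println(unlinkGoogle(pwAndGoogle));  // 200: provider becomes 'local'
    }
}
```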

Response Structure For Unlinking

A successful unlink returns confirmation and updated account status:

Security Measures And Best Practices

Security is critical in authentication systems. This setup implements several protective measures:

Rate Limiting: The AuthConfig.RATE_LIMITING settings restrict login attempts to prevent brute-force attacks. Maximum 5 attempts are allowed within a 15-minute window.

Token Expiry: Authentication tokens have limited validity periods, reducing risk if a token is stolen. Password sessions last 1 day; OAuth sessions last 7 days.
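One way to enforce the AuthConfig.RATE_LIMITING values quoted here and in the AuthConfig section (5 attempts per 900,000 ms) is a sliding-window counter per user or client; the block below is an added example with assumed class and method names, since the course's AuthConfig only stores the constants.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Added sliding-window limiter using the lesson's values (5 attempts per 900,000 ms).
// Class and method names are assumptions; the course's AuthConfig only stores the constants.
public class LoginRateLimiter {
    static final int MAX_ATTEMPTS = 5;
    static final long WINDOW_MS = 900_000L; // 15 minutes

    // key (e.g. username or client IP) -> timestamps of recent attempts within the window
    private final Map<String, Deque<Long>> attempts = new HashMap<>();

    // Returns true if the attempt may proceed and records it; the 6th call inside the
    // window is refused. nowMs is injected so behaviour can be checked without sleeping.
    public synchronized boolean allowAttempt(String key, long nowMs) {
        Deque<Long> q = attempts.computeIfAbsent(key, k -> new ArrayDeque<>());
        while (!q.isEmpty() && nowMs - q.peekFirst() >= WINDOW_MS) q.pollFirst(); // expire old
        if (q.size() >= MAX_ATTEMPTS) return false;
        q.addLast(nowMs);
        return true;
    }

    // Called after a successful login so a legitimate user does not keep burning the budget
    public synchronized void reset(String key) { attempts.remove(key); }

    public static void main(String[] args) {
        LoginRateLimiter limiter = new LoginRateLimiter();
        long t0 = 1_700_000_000_000L; // constructed base timestamp
        for (int i = 1; i <= 6; i++)  // attempts 1-5 pass, attempt 6 is refused
            System.out.println("attempt " + i + ": " + limiter.allowAttempt("alice", t0 + i * 1000L));
        // Once the oldest entries fall out of the window, attempts are allowed again
        System.out.println("after 15 min: " + limiter.allowAttempt("alice", t0 + WINDOW_MS + 2000L));
    }
}
```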

Account Protection:

  • Requires explicit confirmation before linking accounts
  • Prevents duplicate links to the same OAuth account
  • Blocks removal of the last authentication method

Clear Error Messages: Spring Boot's ResponseEntity builder pattern provides informative error messages with helpful suggestions for users.

Event Logging: Important actions like account linking and unlinking are logged using System.out.println (typically replaced with SLF4J or another logging framework in production) for auditing and troubleshooting.

These practices help build authentication features that are both user-friendly and secure.

Summary And Preparation For Hands-On Practice

What You've Learned:

  • How to use mock OAuth configurations to simulate authentication flows
  • The structure and purpose of OAuthConfig.java and AuthConfig.java
  • How to retrieve mock user profiles with the getMockOAuthProfile method
  • How account linking and unlinking work using Spring Boot and Spring Data JPA
  • Important security settings and best practices for authentication

Next Steps:

You're now ready for hands-on practice in the CodeSignal IDE. In the upcoming exercises, you'll:

  • Work directly with Java code
  • Test account linking and unlinking
  • Explore how security features are enforced

This practical experience will build your confidence and prepare you for more advanced OAuth integrations in the future.
