Introduction

Welcome to the next step in our journey of implementing OAuth authentication with Python! In our previous lessons, we explored the fundamentals of OAuth and even built a mock Google OAuth flow. These foundational concepts are crucial as we now focus on modifying a user model to accommodate OAuth authentication. This lesson will guide you through the necessary changes to the user model, ensuring it supports OAuth while maintaining security and functionality. Let's dive in! 🚀

Understanding the User Model Structure

Before we modify the user model for OAuth, it's essential to understand its basic structure. In Python, we use SQLAlchemy to define models, which helps manage database interactions efficiently. Here's a simple example of a user model structure:

In this code, we define a User class that inherits from Base, which is SQLAlchemy's declarative base class. The __tablename__ attribute specifies the table name in the database. We then define columns using the Column class:

  • id: An integer column that serves as the primary key and auto-increments.
  • username: A string column that stores the username.
  • password: A string column that stores the password.

Each Column receives a data type (like Integer or String) and optional parameters like primary_key, autoincrement, and nullable. This structure forms the basis for our modifications to support .

Why OAuth Users Don't Need Passwords

In traditional authentication, users create accounts directly with your application, providing a username and password that your system stores and validates. However, OAuth authentication follows a completely different flow that eliminates the need for local password storage.

Here's how OAuth authentication works:

  1. User Initiates Login. The user clicks "Login with Google" (or another provider).
  2. Redirect To Provider. Your application redirects the user to Google's authentication server.
  3. User Authenticates With Provider. The user enters their credentials directly with Google (not your application).
  4. Provider Issues Authorization Code. Google verifies the user and sends an authorization code back to your application.
  5. Exchange Code For Access Token. Your application exchanges this code for an access token.
  6. Retrieve User Information. Using the access token, your application requests the user's profile information from Google.

The key insight is that the user never provides their password to your application. Google handles all password verification on their secure servers. Your application only receives verified user information (like email and name) after Google confirms the user's identity.

This approach offers several advantages:

  • Enhanced Security. Your application never stores or handles user passwords.
  • Reduced Liability. You don't need to implement password security measures.
  • Better User Experience. Users can leverage their existing accounts without creating new passwords.
Making Password Optional

To accommodate OAuth authentication, we need to modify the user model. The first step is to make the password field optional, as OAuth users authenticate through external providers and don't require a local password.

By setting nullable=True, we ensure that the password column is optional, allowing OAuth users to be created without a password. This is different from the default behavior, where nullable=False would require a value for this field.

Adding Email and Provider Fields

Next, we introduce new fields to store the user's email and the provider (e.g., google). These fields are crucial for identifying OAuth users and managing their authentication details.

The email column stores the user's email address, while the provider column indicates the authentication provider. The default value for provider is local, distinguishing between local and OAuth users. When a user is created without explicitly setting the provider field, it will automatically be set to local.

OAuth Identity Strategy: Educational Simplification

⚠️ IMPORTANT NOTE FOR PRODUCTION

In this course, we use email addresses to identify OAuth users for learning simplicity. Our mock implementation has fixed test users with stable emails, so this approach works fine for educational purposes.

However, in production applications, email-based lookup has critical limitations:

  • Emails can change - Users can update their email at the OAuth provider, breaking the link
  • Not unique across providers - Same person might use different emails on Google vs GitHub
  • Unverified emails - Not all providers verify emails

Production Best Practice: Use the provider's immutable user ID (the sub claim in OpenID Connect) combined with the provider name:

This ensures each user has a permanent identity that survives email changes. For this course, we stick with email-based lookup to keep the focus on OAuth flow mechanics.

Exploring Data Types and Default Values

Understanding data types and default values is crucial for a robust user model. Let's explore these concepts in the context of our OAuth modifications:

  • Data Types. We use String for fields like username, password, email, and provider. This ensures that these columns store string values, which are appropriate for user information. For the id field, we use Integer since it stores numeric values.
  • Default Values. The provider column has a default value of local, indicating that users are local by default unless specified otherwise. This helps distinguish between local and OAuth users without requiring explicit specification during user creation.

In this snippet, we first define a Python enum class Role that inherits from PyEnum. This enum defines the possible values for the role field. Then, in our User model, we create a column using SQLAlchemy's type, passing in our Python enum class. The parameter ensures that new users are assigned the role by default. This approach provides type safety and ensures that only valid values can be stored in the database, enhancing the functionality and security of our .

Conclusion and Next Steps

In this lesson, we explored how to modify a user model to accommodate OAuth authentication. We discussed the basic structure of the user model using SQLAlchemy, explained why OAuth users don't need passwords through the OAuth flow, and implemented changes to support OAuth users. These modifications, including making the password optional and adding fields like email and provider, ensure a flexible and secure user model.

As you move forward, practice exercises will reinforce these concepts, allowing you to apply what you've learned. In the upcoming lessons, we'll continue to build on this foundation, exploring more advanced topics in OAuth implementation. Keep up the great work, and let's continue this exciting journey together! 🎉

Previous
Next
Sign up
Join the 1M+ learners on CodeSignal
Be a part of our community of 1M+ users who develop and demonstrate their skills on CodeSignal