Project 6: App-to-App Account Linking with PKCE

Implement secure linking with low friction and clear recovery paths.

Quick Reference

  Difficulty: Level 3 (Advanced)
  Time Estimate: 1 week
  Main Programming Language: TypeScript
  Alternative Programming Languages: Python, Java
  Key Topics: OAuth authorization code flow, PKCE, progressive scopes

1. Learning Objectives

  1. Implement authorization code flow with PKCE end-to-end.
  2. Design progressive scope acquisition tied to user value.
  3. Build robust token-expiry and token-revocation recovery UX.

2. All Theory Needed (Per-Concept Breakdown)

Concept A: PKCE Security Model

  • PKCE (RFC 7636) binds the authorization code to the client instance that requested it: the client generates a high-entropy code_verifier, sends code_challenge = BASE64URL(SHA256(code_verifier)) with code_challenge_method=S256 in the authorization request, and presents the code_verifier at the token endpoint. A code intercepted in transit or injected by another app is useless without the verifier, which never leaves the client.
  • Keep the code_verifier and a random state value server-side, bound to the user's session, for the lifetime of one authorization attempt.
  • Validate the callback before exchanging the code: the returned state must match the one bound to the session (a mismatch is CSRF or login injection, not a retry), the pending request must not be stale, and the redirect_uri sent to the token endpoint must be exactly the one used in the authorization request.
  • Use S256, not plain: with the plain method the challenge is the verifier itself, so anyone who observes the authorization request can complete the exchange.

Concept B: Progressive Scope Acquisition

  • Explain each scope's purpose in plain language at the moment it is requested, not in a blanket consent screen at link time.
  • Ask only when the capability is invoked: link with the minimum scope needed, and when the user first uses a feature that needs more, run an incremental authorization request for the existing scopes plus the new one.
  • Treat the scope value in the token response as authoritative; the provider may grant fewer scopes than were requested.
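The full PKCE exchange described above, as an added TypeScript example written for this page (not code from the project or from any provider). Both halves are shown: the client builds the authorization request and validates the callback, and a simulated authorization server performs the check the real token endpoint does. The provider URL, client_id and redirect_uri are placeholders; everything else follows RFC 7636.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed placeholder endpoint and client registration for this example.
const AUTHORIZE_URL = "https://provider.example/oauth2/authorize";
const CLIENT_ID = "demo-linking-client";
const REDIRECT_URI = "https://app.example/oauth/callback";

const b64url = (buf: Buffer): string => buf.toString("base64url");

// What the client keeps server-side, bound to the user's session, between
// redirecting the user out and receiving the callback.
export interface PendingAuth {
  state: string;
  codeVerifier: string;
  createdAt: number; // epoch ms
}

// RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes in base64url give 43.
export function createCodeVerifier(): string {
  return b64url(randomBytes(32));
}

// RFC 7636 section 4.2, S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
export function codeChallengeS256(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a), bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Client side, step 1: build the authorization request. The verifier is NOT sent;
// only its hash travels in the URL.
export function beginAuthorization(scopes: string[]): { url: string; pending: PendingAuth } {
  const pending: PendingAuth = {
    state: b64url(randomBytes(16)),
    codeVerifier: createCodeVerifier(),
    createdAt: Date.now(),
  };
  const params = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: scopes.join(" "),
    state: pending.state,
    code_challenge: codeChallengeS256(pending.codeVerifier),
    code_challenge_method: "S256",
  });
  return { url: `${AUTHORIZE_URL}?${params.toString()}`, pending };
}

// Client side, step 2: validate the callback before spending the code, then build the
// token-endpoint request body. Throws on anything that must not reach the token endpoint.
export function handleCallback(
  callbackUrl: string,
  pending: PendingAuth | undefined,
  maxAgeMs = 10 * 60_000,
  now = Date.now(),
): URLSearchParams {
  const q = new URL(callbackUrl).searchParams;
  if (q.has("error")) throw new Error(`provider returned error: ${q.get("error")}`);
  if (!pending) throw new Error("no pending authorization bound to this session");
  if (now - pending.createdAt > maxAgeMs) throw new Error("authorization request expired");
  // A state mismatch means this callback was not started by this session (CSRF / login injection).
  if (!constantTimeEqual(q.get("state") ?? "", pending.state)) throw new Error("state mismatch");
  const code = q.get("code");
  if (!code) throw new Error("callback carries no authorization code");
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: REDIRECT_URI, // must be byte-identical to the one in the authorization request
    client_id: CLIENT_ID,
    code_verifier: pending.codeVerifier,
  });
}

// Authorization-server side (simulated): the check the provider performs at the token
// endpoint against the code_challenge it stored when it issued the code.
export function serverVerifiesPkce(storedChallenge: string, tokenRequest: URLSearchParams): boolean {
  const verifier = tokenRequest.get("code_verifier") ?? "";
  if (verifier.length < 43 || verifier.length > 128) return false;
  return constantTimeEqual(codeChallengeS256(verifier), storedChallenge);
}
```

In a real handler the PendingAuth record is deleted as soon as handleCallback returns, so a replayed callback fails the "no pending authorization" check rather than producing a second token exchange.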

3. Architecture and Build Plan

  1. Configure the provider (authorization and token endpoints, client registration, exact redirect URI) and the linking metadata shown to the user.
  2. Implement the callback handler (state and PKCE checks) and token persistence: write the link record and its tokens in one transaction, keep the refresh token encrypted at rest, and record the granted scopes and expiry.
  3. Add auth funnel instrumentation: link started, consent completed, callback accepted or rejected (with reason), token exchange succeeded, relink required.

4. Validation and Testing

  • Link and relink paths succeed, and relinking replaces the old tokens rather than leaving two link records.
  • A callback with a mismatched or missing state is rejected before any token exchange.
  • An expired access token is refreshed silently; a failed refresh triggers the recovery prompt rather than a generic error.
  • A revoked refresh token (invalid_grant from the token endpoint) marks the link as requiring relink; relinking succeeds.
  • Invoking a capability whose scope was not granted yields an incremental scope request, not a full relink.

5. Troubleshooting

  • Symptom: the provider's consent screen succeeds, but the skill still reports the account as unauthorized.
  • Fix: first check whether the callback handler is rejecting the state (typically the session holding the pending state was lost between the authorization request and the callback, so the check fails and no token exchange happens); then check that the link record and its tokens are committed in one transaction, so a write failure after a successful exchange cannot leave the account half-linked.

6. Deliverables

  • OAuth sequence diagram.
  • Scope request plan.
  • Auth funnel dashboard.

7. Stretch Goals

  • Add anomaly detection for suspicious token activity.