Project 19: OAuth + External SaaS Integration Plugin
A plugin that authenticates with a SaaS platform via OAuth2 + PKCE, stores tokens securely, refreshes automatically, and handles rate limits/retries gracefully.
Quick Reference
| Attribute | Value |
|---|---|
| Difficulty | Level 5 |
| Time Estimate | 24-40h |
| Main Programming Language | TypeScript |
| Alternative Programming Languages | JavaScript, Go, Python |
| Coolness Level | Level 5 (Production integration depth) |
| Business Potential | Level 5 (Enterprise integration monetization) |
| Prerequisites | OAuth 2.0 authorization code flow + PKCE, Secret lifecycle states, Rate-limit and retry policy design |
| Key Topics | Auth flows, token lifecycle, API resilience |
1. Learning Objectives
By completing this project, you will:
- Build a production-quality implementation of OAuth + External SaaS Integration Plugin.
- Apply concept boundaries around OAuth 2.0 authorization code flow + PKCE, Secret lifecycle states, and Rate-limit and retry policy design.
- Validate behavior with explicit outcomes and failure-mode tests.
- Produce evidence artifacts suitable for review, support, and iteration.
2. All Theory Needed (Per-Concept Breakdown)
2.1 OAuth 2.0 authorization code flow + PKCE
- Fundamentals: This concept defines the first architectural boundary for this project. You should know the invariant conditions that must remain true during both normal and failure operation. In Stream Deck plugin work, the most useful mindset is to treat interaction paths as explicit contracts, not ad-hoc callbacks, so behavior remains deterministic under context churn and profile switching.
- Deep Dive into the concept: For this project, OAuth 2.0 authorization code flow + PKCE is where correctness begins. Model state transitions explicitly, define allowed events, and reject illegal transitions early. Tie every side effect to context identity and traceability fields so debugging can reconstruct the full sequence. Design your test plan around race-prone paths first. Add failure classes and recovery transitions before polishing UX. This creates robust behavior under load and avoids hidden coupling across action instances.
- How this fits in the project: This concept is the primary driver of runtime correctness in this project.
- Definitions & key terms: invariant, transition contract, failure class, recovery path.
- Mental model diagram:
  Intent -> Validate -> Reduce -> Persist -> Render
    ^                                          |
    +-------------- Recover/Retry <------------+
- How it works: model inputs, validate boundaries, reduce deterministic state, emit minimal side effects, then observe and recover.
- Minimal concrete example:
PSEUDOCODE
  if !isValid(event, state):
      return rejectWithHint()
  next = reduce(state, event)
  apply(next)
- Common misconceptions: fast prototypes do not remove the need for explicit invariants.
- Check-your-understanding questions: Which invalid transition causes highest user impact? Why?
- Check-your-understanding answers: Any transition that mutates irreversible state without confirmation.
- Real-world applications: production plugins that must survive long sessions and rapid profile switches.
- Where you will apply it: project runtime handlers and teardown logic.
- References: Stream Deck SDK docs + main sprint Theory Primer concepts 1/2/6.
- Key insights: deterministic state design scales better than callback patching.
- Summary: make invalid states unrepresentable and observable.
- Homework/Exercises to practice the concept: draw one transition table and one failure table.
- Solutions to the homework/exercises: each transition/failure should map to explicit UI feedback and test case.
2.2 Secret lifecycle states
- Fundamentals: Secret lifecycle states govern data integrity and long-lived behavior. Treat user configuration, entitlement, and environment state as a schema-governed domain.
- Deep Dive into the concept: Build validation at every boundary: Property Inspector (PI) input, backend receive, persistence write, and migration load. Use explicit versioning and conflict policy so stale updates cannot silently win. If sensitive fields exist, isolate them through secret-safe adapters and redact all diagnostics. This prevents corruption, race bugs, and support incidents that usually appear only after release.
- How this fits in the project: ensures reliable persistence and predictable restart/recovery behavior.
- Definitions & key terms: schema, migration, revision, redaction.
- Mental model diagram:
Input Delta -> Merge -> Validate -> Version -> Commit -> Observe
- How it works: merge safely, validate strictly, commit atomically, expose clear error feedback.
- Minimal concrete example:
PSEUDOCODE
merged = merge(prev, delta)
assert schemaValid(merged)
save(merged, revision+1)
- Common misconceptions: compile-time types are not runtime safety.
- Check-your-understanding questions: Why must backend revalidate PI values?
- Check-your-understanding answers: PI can be stale/malformed; backend is source of truth.
- Real-world applications: paid plugins, sync features, and multi-account integrations.
- Where you will apply it: persistence, entitlement checks, and API credential handling.
- References: Stream Deck settings/secrets docs + RFC security guidance where applicable.
- Key insights: data integrity is a user-visible feature.
- Summary: strict boundaries prevent expensive post-release bugs.
- Homework/Exercises to practice the concept: define v1/v2 schema and migration tests.
- Solutions to the homework/exercises: include defaults, backward compatibility, and rollback path.
2.3 Rate-limit and retry policy design
- Fundamentals: Rate-limit and retry policy design translates implementation quality into user trust, adoption, and maintainability.
- Deep Dive into the concept: Build release and support workflows in parallel with features. Define observability schema, packaging checks, and non-functional budgets (latency, memory, retry behavior). Add diagnostics UX so users can self-report actionable data. If this project targets commercial outcomes, connect operational quality to listing confidence and retention. For hardware-diverse use cases, ensure adaptive behavior is explicitly tested across capability subsets.
- How this fits in the project: provides the delivery and sustainment layer beyond core functionality.
- Definitions & key terms: SLA mindset, supportability, release gate, degraded mode.
- Mental model diagram:
Feature Build -> Validation Gate -> Pack/Release -> Observe -> Support -> Improve
- How it works: define quality gates, ship artifacts, monitor signals, feed incidents back into design.
- Minimal concrete example:
PSEUDOCHECKLIST
validate pass
smoke install pass
diagnostics export pass
rollback artifact present
- Common misconceptions: once it works locally, release risk is low.
- Check-your-understanding questions: Which quality gate catches packaging regressions earliest?
- Check-your-understanding answers: deterministic CLI validate/pack + smoke install checks.
- Real-world applications: marketplace submission, enterprise team deployment, paid support.
- Where you will apply it: release checklist, diagnostics, and post-launch iteration.
- References: Stream Deck CLI docs, marketplace docs, and reliability references.
- Key insights: sustainable plugins are operated products, not one-off scripts.
- Summary: build supportability and release discipline into the first milestone.
- Homework/Exercises to practice the concept: create one pre-release gate matrix and one incident response runbook.
- Solutions to the homework/exercises: each gate/runbook step must include pass/fail evidence.
3. Project Specification
3.1 What You Will Build
A plugin that authenticates with a SaaS platform via OAuth2 + PKCE, stores tokens securely, refreshes automatically, and handles rate limits/retries gracefully.
3.2 Functional Requirements
- Implement all user-facing behaviors listed in the source sprint project.
- Preserve deterministic state behavior under context churn and restart.
- Enforce boundary validation for configuration and external events.
- Expose clear feedback for success, pending, and failure modes.
- Provide release/support artifacts aligned with project scope.
3.3 Non-Functional Requirements
- Performance: Remain responsive under expected event rates for this project.
- Reliability: No orphaned timers/subscriptions after teardown paths.
- Usability: Users can understand current state from key/PI feedback quickly.
- Supportability: Logs and diagnostics must be actionable and redacted.
3.4 Example Usage / Output
“How do I make OAuth integrations feel invisible to the user while preserving security and reliability guarantees?”
3.5 Real World Outcome
User flow:
- User clicks “Connect Account” in Property Inspector.
- Browser opens provider consent screen.
- Callback returns to plugin; account status changes to Connected.
- Action key now triggers real SaaS operation (e.g., create issue / start workflow).
- Token expiration happens in background; refresh occurs without user interruption.
If provider returns 429 or transient 5xx, key state switches to warning mode with retry countdown instead of hard failure.
4. Solution Architecture
4.1 High-Level Design
  Stream Deck Events -> Runtime Reducer -> Capability/Policy Layer -> Side Effects
        ^                                                                 |
        +--------------------- Diagnostics/Observability <----------------+
4.2 Key Components
- Action Runtime Layer: Handles event routing, context scoping, and state reduction.
- Policy Layer: Applies validation, feature gates, retries, throttles, and safety rules.
- Feedback Layer: Produces deterministic key/dial/PI feedback from canonical state.
- Persistence/Integration Layer: Manages settings, secrets, sync, and external API boundaries.
4.3 Design Questions (From Sprint)
- Auth flow boundaries
  - Where is the CSRF/state token verified?
  - How do you bind the callback to the correct action/account context?
- Resilience behavior
  - How many retries are allowed per error class?
  - How will users see degraded mode vs auth failure?
5. Thinking Exercise (Before Building)
Build an Auth Failure Table
For each failure (invalid_grant, expired refresh token, network timeout, 429), define expected state transition, user message, and retry behavior.
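One way to encode such a table as code, as an added example that is not part of the project: each error class maps to a next key state, a user message and a retry plan, with 429 honoring Retry-After and transient errors using capped exponential backoff with full jitter. The retry budgets, the `phase` field and the message strings are assumptions for illustration.

```typescript
export type ErrorClass = "invalid_grant" | "refresh_token_expired" | "network_timeout" | "rate_limited" | "server_error";
export type KeyState = "connected" | "warning" | "auth_required" | "failed";
export interface Decision { next: KeyState; message: string; retry: boolean; retryAfterMs: number }

// Assumed per-class retry budgets; auth errors get none because retrying cannot fix them.
const MAX_ATTEMPTS: Record<ErrorClass, number> = {
  invalid_grant: 0, refresh_token_expired: 0, network_timeout: 3, rate_limited: 5, server_error: 3,
};

// Map a failed call to an error class. `phase` tells invalid_grant on the code exchange apart
// from a dead refresh token, which the token endpoint reports with the same error code.
export function classify(f: { status?: number; oauthError?: string; timedOut?: boolean; phase: "exchange" | "refresh" | "api" }): ErrorClass | null {
  if (f.timedOut) return "network_timeout";
  if (f.oauthError === "invalid_grant") return f.phase === "refresh" ? "refresh_token_expired" : "invalid_grant";
  if (f.status === 429) return "rate_limited";
  if (f.status !== undefined && f.status >= 500) return "server_error";
  return null; // any other 4xx is a bug or a permission problem, not a retry case
}

// Retry-After may be delta-seconds or an HTTP-date; null when absent or unparseable.
export function parseRetryAfter(header: string | undefined, now: number): number | null {
  if (!header) return null;
  if (/^\d+$/.test(header)) return Number(header) * 1000;
  const t = Date.parse(header);
  return Number.isNaN(t) ? null : Math.max(0, t - now);
}

// Capped exponential backoff with full jitter; `rand` is injectable so tests are deterministic.
export function backoffMs(attempt: number, rand: () => number = Math.random): number {
  return Math.floor(rand() * Math.min(60_000, 1_000 * Math.pow(2, attempt)));
}

// The failure table as code: (error class, attempts so far) -> key state, message, retry plan.
export function decide(cls: ErrorClass, attempt: number, retryAfter?: string, now = Date.now(), rand = Math.random): Decision {
  if (cls === "invalid_grant" || cls === "refresh_token_expired") {
    return { next: "auth_required", message: "Reconnect account", retry: false, retryAfterMs: 0 };
  }
  if (attempt >= MAX_ATTEMPTS[cls]) {
    return { next: "failed", message: "Service unavailable, press to retry", retry: false, retryAfterMs: 0 };
  }
  const fromHeader = cls === "rate_limited" ? parseRetryAfter(retryAfter, now) : null;
  const wait = fromHeader ?? backoffMs(attempt, rand);
  return { next: "warning", message: `Retrying in ${Math.ceil(wait / 1000)}s`, retry: true, retryAfterMs: wait };
}
```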
6. Implementation Hints in Layers
Hint 1: Starting Point
- Implement auth state machine before writing API endpoints.
Hint 2: Next Level
- Separate token storage adapter from API client adapter.
Hint 3: Technical Details
PSEUDOFLOW
authStart -> consent -> callback verify(state, codeVerifier) -> exchange -> persist secretRef -> ready
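The PSEUDOFLOW above carried through in TypeScript, as an added example that is not part of the project: authStart mints the code verifier and state and builds the consent URL, callback verify accepts a state exactly once and only while the attempt is live, and exchange produces the token request body carrying the verifier. The authorize endpoint, client id, redirect URI and scope are placeholders; the pending-attempt map and five-minute lifetime are assumptions.

```typescript
import { createHash, randomBytes } from "crypto";

// Assumed placeholders: provider authorize endpoint, our client id, the loopback redirect we listen on.
const AUTHORIZE_URL = "https://provider.example/oauth/authorize";
const CLIENT_ID = "placeholder-client-id";
export const REDIRECT_URI = "http://127.0.0.1:51234/callback";
const base64url = (b: Buffer) =>
  b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
export interface PendingAuth {
  state: string;        // anti-CSRF value; also binds the callback to this attempt
  codeVerifier: string; // stays inside the plugin until the token exchange
  contextId: string;    // Stream Deck action context that started the flow
  expiresAt: number;    // pending attempts are discarded after a few minutes
}

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
export function codeChallengeFor(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}
// authStart: mint verifier + state, build the consent URL, remember the attempt.
export function startAuth(contextId: string, now = Date.now()): { url: string; pending: PendingAuth } {
  const codeVerifier = base64url(randomBytes(32)); // 43 chars, inside the 43..128 range
  const state = base64url(randomBytes(16));
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "code", client_id: CLIENT_ID, redirect_uri: REDIRECT_URI, scope: "issues:write",
    state, code_challenge: codeChallengeFor(codeVerifier), code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), pending: { state, codeVerifier, contextId, expiresAt: now + 5 * 60_000 } };
}

// callback verify(state, codeVerifier): the state must match a live attempt, exactly once.
export function verifyCallback(
  pendingByState: Map<string, PendingAuth>, callbackUrl: string, now = Date.now(),
): { code: string; pending: PendingAuth } | { error: string } {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get("state"), code = params.get("code");
  if (!state || !code) return { error: "callback missing state or code" };
  const pending = pendingByState.get(state);
  if (!pending) return { error: "unknown state: forged or replayed callback" };
  pendingByState.delete(state); // one-shot: a second callback with this state is rejected
  if (now > pending.expiresAt) return { error: "authorization attempt expired" };
  return { code, pending };
}
// exchange: request body for the token endpoint; the verifier proves this plugin began the flow.
export function tokenExchangeBody(code: string, pending: PendingAuth): URLSearchParams {
  return new URLSearchParams({ grant_type: "authorization_code", code, redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID, code_verifier: pending.codeVerifier });
}
```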
Hint 4: Tools/Debugging
- Capture one correlation ID spanning PI click, callback receipt, token exchange, and first API call.
7. Verification and Testing Plan
- Unit-level: transition validity, schema validation, and policy decisions.
- Integration-level: PI/backend flow, persistence/restart, and dependency adapters.
- Failure-level: network/auth/retry/teardown behavior under injected faults.
- Release-level: validate/pack/smoke workflow and artifact integrity checks.
8. Interview Questions
- “Why PKCE instead of implicit flow?”
- “How do you handle refresh token rotation safely?”
- “How is rate-limit state surfaced on-device?”
- “What data do you redact in logs?”
- “How do you test callback replay attacks?”
9. Common Pitfalls and Debugging
Problem 1: “User connected, but actions fail minutes later”
- Why: Access token expires and refresh flow is missing/fragile.
- Fix: Implement refresh scheduler with expiry buffer and fallback re-auth state.
- Quick test: Shorten token TTL in sandbox and verify seamless renewal.
10. Definition of Done
- OAuth2 + PKCE flow completes with anti-CSRF/state validation.
- Token refresh is automatic and race-safe.
- Secrets are stored through secure channel, never plaintext settings.
- Rate limits are handled with backoff + user-visible status.
- Retry strategies are defined per error class.
- Error states degrade gracefully and recover predictably.
11. Additional Notes
- Why this project matters: Real paid plugins win by integrating external services safely and reliably.
- Source sprint project file: P19-oauth-external-saas-integration-plugin.md
- Traceability: Generated from "Project 19" in the sprint guide.