Bird
Raised Fist0
FastAPIframework~20 mins

OAuth2 password flow in FastAPI - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
OAuth2 Password Flow Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
2:00remaining
What is the output of this FastAPI OAuth2 password flow token endpoint?
Consider this FastAPI endpoint using OAuth2 password flow. What will the response JSON contain after a successful login?
FastAPI
from fastapi import FastAPI, Depends
from fastapi.security import OAuth2PasswordRequestForm
from fastapi.responses import JSONResponse
app = FastAPI()

@app.post('/token')
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    if form_data.username == 'user' and form_data.password == 'pass':
        return {'access_token': 'fake-token', 'token_type': 'bearer'}
    return JSONResponse(status_code=400, content={'error': 'Invalid credentials'})
A{"access_token": "user", "token_type": "bearer"}
B{"error": "Invalid credentials"}
CHTTP 404 Not Found
D{"access_token": "fake-token", "token_type": "bearer"}
Attempts:
2 left
💡 Hint
Check what the function returns when username and password match.
state_output
intermediate
1:30remaining
What is the value of the token_type field in the OAuth2 password flow response?
Given a successful OAuth2 password flow token response in FastAPI, what is the value of the 'token_type' field?
FastAPI
from fastapi import FastAPI, Depends
from fastapi.security import OAuth2PasswordRequestForm
app = FastAPI()

@app.post('/token')
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    return {'access_token': 'token123', 'token_type': 'bearer'}
ABearer
Bbearer
Ctoken
Daccess
Attempts:
2 left
💡 Hint
OAuth2 standard uses a lowercase token type.
📝 Syntax
advanced
2:00remaining
Which option correctly defines the OAuth2PasswordRequestForm dependency in FastAPI?
Select the correct way to use OAuth2PasswordRequestForm in a FastAPI endpoint for password flow authentication.
FastAPI
from fastapi import FastAPI, Depends
from fastapi.security import OAuth2PasswordRequestForm
app = FastAPI()

@app.post('/token')
async def login(???):
    pass
Aform_data: OAuth2PasswordRequestForm = Depends()
Bform_data = OAuth2PasswordRequestForm()
Cform_data: OAuth2PasswordRequestForm()
Dform_data: OAuth2PasswordRequestForm
Attempts:
2 left
💡 Hint
Use Depends() to declare dependencies in FastAPI function parameters.
🔧 Debug
advanced
2:30remaining
What error will this FastAPI OAuth2 password flow code raise?
Identify the error raised by this code snippet when the /token endpoint is called with valid credentials.
FastAPI
from fastapi import FastAPI, Depends
from fastapi.security import OAuth2PasswordRequestForm
app = FastAPI()

@app.post('/token')
async def login(form_data: OAuth2PasswordRequestForm):
    if form_data.username == 'user' and form_data.password == 'pass':
        return {'access_token': 'token', 'token_type': 'bearer'}
    return {'error': 'Invalid credentials'}
ARuntimeError: Dependency injection failed
BNo error, returns token JSON
CTypeError: login() missing 1 required positional argument: 'form_data'
DValidationError from OAuth2PasswordRequestForm
Attempts:
2 left
💡 Hint
Check how dependencies must be declared with Depends() in FastAPI.
🧠 Conceptual
expert
3:00remaining
Which statement best describes the OAuth2 password flow in FastAPI?
Choose the most accurate description of how OAuth2 password flow works in FastAPI applications.
AThe client sends username and password to the token endpoint, which returns an access token if valid.
BThe client receives an authorization code first, then exchanges it for an access token.
CThe client uses refresh tokens only to get new access tokens without user credentials.
DThe client authenticates using API keys passed in the URL query parameters.
Attempts:
2 left
💡 Hint
Password flow involves direct username and password exchange for tokens.

Practice

(1/5)
1. What is the main purpose of the OAuth2 password flow in FastAPI?
easy
A. To allow users to log in by sending their username and password directly to the app.
B. To register new users automatically without credentials.
C. To refresh access tokens without user interaction.
D. To encrypt user passwords before storing them.

Solution

  1. Step 1: Understand OAuth2 password flow purpose

    This flow lets users send their username and password to the app to get an access token.

  2. Step 2: Compare options with flow purpose

    Only To allow users to log in by sending their username and password directly to the app. describes this direct login method; others describe different features.

  3. Final Answer:

    To allow users to log in by sending their username and password directly to the app. -> Option A

  4. Quick Check:

    OAuth2 password flow = direct login [OK]
Hint: Password flow means user sends username and password [OK]
Common Mistakes:
  • Confusing password flow with token refresh
  • Thinking it registers users automatically
  • Assuming it encrypts passwords by itself
2. Which FastAPI import is used to handle OAuth2 password flow form data?
easy
A. from fastapi.security import OAuth2PasswordBearer
B. from fastapi.security import OAuth2PasswordRequestForm
C. from fastapi.security import HTTPBasicCredentials
D. from fastapi.security import APIKeyHeader

Solution

  1. Step 1: Identify form class for password flow

    FastAPI uses OAuth2PasswordRequestForm to parse username and password from form data.

  2. Step 2: Check other imports

    OAuth2PasswordBearer is for token extraction, HTTPBasicCredentials is for basic auth, APIKeyHeader is for API keys.

  3. Final Answer:

    from fastapi.security import OAuth2PasswordRequestForm -> Option B

  4. Quick Check:

    Form data handler = OAuth2PasswordRequestForm [OK]
Hint: Password flow form uses OAuth2PasswordRequestForm [OK]
Common Mistakes:
  • Using OAuth2PasswordBearer instead of RequestForm
  • Confusing HTTPBasicCredentials with OAuth2 forms
  • Importing unrelated security classes
3. Given this FastAPI endpoint using OAuth2 password flow, what will be the response if username is 'alice' and password is 'secret'? 
from fastapi import FastAPI, Depends
from fastapi.security import OAuth2PasswordRequestForm

app = FastAPI()

@app.post('/token')
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    if form_data.username == 'alice' and form_data.password == 'secret':
        return {'access_token': 'token123', 'token_type': 'bearer'}
    return {'error': 'Invalid credentials'}
medium
A. {'access_token': 'token123', 'token_type': 'bearer'}
B. {'error': 'Invalid credentials'}
C. HTTP 422 Unprocessable Entity error
D. Empty response with status 204

Solution

  1. Step 1: Check input credentials against condition

    The code checks if username is 'alice' and password is 'secret'. Given inputs match this.

  2. Step 2: Determine returned response

    Since condition is true, it returns the access token dictionary with 'token123' and 'bearer'.

  3. Final Answer:

    {'access_token': 'token123', 'token_type': 'bearer'} -> Option A

  4. Quick Check:

    Correct credentials = access token response [OK]
Hint: Match username and password to get token response [OK]
Common Mistakes:
  • Assuming error response for correct credentials
  • Confusing HTTP errors with normal returns
  • Ignoring the if condition logic
4. What is wrong with this FastAPI OAuth2 password flow code snippet? 
from fastapi import FastAPI, Depends
from fastapi.security import OAuth2PasswordRequestForm

app = FastAPI()

@app.post('/token')
async def login(form_data: OAuth2PasswordRequestForm):
    if form_data.username == 'bob' and form_data.password == 'pass':
        return {'access_token': 'abc', 'token_type': 'bearer'}
    return {'error': 'Invalid'}
medium
A. Endpoint should use GET method instead of POST
B. Incorrect import of OAuth2PasswordRequestForm
C. Return type should be a string, not dict
D. Missing Depends() in function parameter for form_data

Solution

  1. Step 1: Check function parameter for dependency injection

    OAuth2PasswordRequestForm must be wrapped with Depends() to extract form data properly.

  2. Step 2: Verify other parts

    Imports are correct, return type as dict is valid JSON response, POST method is correct for token requests.

  3. Final Answer:

    Missing Depends() in function parameter for form_data -> Option D

  4. Quick Check:

    Use Depends() to get form data [OK]
Hint: Always wrap OAuth2PasswordRequestForm with Depends() [OK]
Common Mistakes:
  • Forgetting Depends() causes runtime errors
  • Using GET instead of POST for token endpoint
  • Thinking return must be string, not dict
5. You want to secure a FastAPI endpoint so only users with a valid OAuth2 password flow token can access it. Which approach correctly uses OAuth2PasswordBearer and token verification? 
from fastapi import FastAPI, Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer

app = FastAPI()
oauth2_scheme = OAuth2PasswordBearer(tokenUrl='token')

def verify_token(token: str):
    if token != 'validtoken':
        raise HTTPException(status_code=401, detail='Invalid token')

@app.get('/secure-data')
async def secure_data(token: str = Depends(oauth2_scheme)):
    verify_token(token)
    return {'data': 'secret info'}
hard
A. Incorrect: verify_token should return True/False, not raise exceptions.
B. Incorrect: tokenUrl should be '/secure-data' not 'token'.
C. Correct: uses OAuth2PasswordBearer and verifies token before returning data.
D. Incorrect: OAuth2PasswordBearer cannot be used with GET endpoints.

Solution

  1. Step 1: Check OAuth2PasswordBearer usage

    oauth2_scheme is created with tokenUrl='token', which is correct for password flow token endpoint.

  2. Step 2: Verify token validation logic

    verify_token raises HTTPException on invalid token, which is proper for access control.

  3. Step 3: Confirm endpoint dependency and response

    secure_data depends on oauth2_scheme to get token, verifies it, then returns protected data.

  4. Final Answer:

    Correct: uses OAuth2PasswordBearer and verifies token before returning data. -> Option C

  5. Quick Check:

    Use OAuth2PasswordBearer + verify token = secure endpoint [OK]
Hint: Use OAuth2PasswordBearer with tokenUrl and verify token [OK]
Common Mistakes:
  • Setting wrong tokenUrl in OAuth2PasswordBearer
  • Not raising exceptions on invalid token
  • Thinking OAuth2PasswordBearer can't be used with GET