Should we bypass the authentication in integration testing - spring-boot

I am writing integration tests for my controllers.
Now, we have token validation enabled in our application (for Azure). How should it be handled in an integration test?
Is it good to get some mock token logic to generate a mock token with appropriate roles or should we use some test credentials for which we can get a real token and then use it for testing?
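
The first option in the question (a mock token carrying chosen roles) can be sketched with `spring-security-test`; this is an added example, not code from the original post. It assumes the application is a Spring Security OAuth2 resource server, and the endpoint `/api/reports` and the authorities `ROLE_ADMIN` and `ROLE_USER` are hypothetical.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.servlet.MockMvc;

// Assumption: GET /api/reports (hypothetical) requires the authority ROLE_ADMIN.
// The security filter chain stays enabled, so authorization rules are still exercised.
@SpringBootTest
@AutoConfigureMockMvc
class ReportControllerIT {

    @Autowired
    private MockMvc mvc;

    @Test
    void anonymousRequestIsRejected() throws Exception {
        // No token at all: the resource server must answer 401.
        mvc.perform(get("/api/reports"))
            .andExpect(status().isUnauthorized());
    }

    @Test
    void tokenWithoutRequiredRoleIsForbidden() throws Exception {
        // Authenticated, but with the wrong (hypothetical) authority: expect 403.
        mvc.perform(get("/api/reports")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_USER"))))
            .andExpect(status().isForbidden());
    }

    @Test
    void tokenWithRequiredRoleIsAllowed() throws Exception {
        // Mock Jwt with a constructed subject and the required authority: expect 200.
        mvc.perform(get("/api/reports")
                .with(jwt().jwt(j -> j.subject("test-user"))
                    .authorities(new SimpleGrantedAuthority("ROLE_ADMIN"))))
            .andExpect(status().isOk());
    }
}
```

The `jwt()` post-processor places a ready-made authentication in the security context, so signature, issuer and audience validation by the application's `JwtDecoder` are not exercised by these tests.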

Related

Pass audience to authorization server when using Swagger generated by springdoc-openapi-ui with Spring Boot

I have noticed that when authenticating with my auto-generated Swagger UI client, I do not have access to custom Auth0 permissions—and, in fact, the access token being used to make authenticated requests to my resource server is actually "opaque" (not a valid JWT).
I am using Auth0 as my authorization server abstraction. According to Auth0's docs, one must always pass audience in the POST request body when generating a JWT via the client credentials flow.
Going through the flow by making the various API calls manually, I can generate the JWT correctly. The issue lies in there not being an obvious way to pass the audience to Auth0 when using the auto-generated Swagger UI client—any ideas?
Library versions:
Spring Boot starters (e.g., rest, jpa, web)
org.springdoc:springdoc-openapi-ui 1.3.9
org.springdoc:springdoc-openapi-data-rest 1.4.0
Update
I have realised that it is possible to provide a default audience for an entire Auth0 tenant, so I set this to be the same audience for my lone API. I am also able to obtain a valid token with scopes included on behalf of the Swagger UI application if I specify the grant type as client credentials (normally reserved for machine-to-machine auth). However, I can see from the Auth0 logs that the flow being used by the Swagger UI client is authorization code.

Spring/spring boot authorisation using JWT tokens

Looking for suggestions on how to go about with microservices authorisation.
I'm using Spring/Spring Boot for all of the microservices.
I'm able to authenticate via Spring Cloud Gateway before reaching the actual microservices using JWT tokens; however, when it comes to authorisation I'm unsure how to do it.
I would like to handle the authorisation internally for each of the endpoints in the business microservice.
Is there a way to pass the JWT token to the microservice, or do I need to call the auth server to get the roles of the user?
Actually, both work.
You can put the roles in the token, when you need it, decode it. Or decode it in the gateway and pass it all the way.
If you don't want to put too much data in the token, you can call the auth server as needed.

How to get access token from Okta with spring pre-defined classes?

I have Okta App's client id and secret key and I would like to know how to generate access token using spring default classes and not by hitting the API endpoint.
Please provide the spring pre-defined classes to which I can provide the client id along with secret and the access token is generated.
You are dealing with server-to-server authentication. You don't actually explicitly need an access token; use OAuth2RestTemplate for all requests just to have things under control.
You could implement as is from link: https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot

Testing REST API provider response without mock

Currently, I am working on a project on Spring Boot where we are integrating with external REST API. As part of our integration suite test, we are doing the mock test of the actual external API which executes as part of the CI/CD.
My question is: in production it calls the actual API, so how can we do that in the test environment? I don't think we need to make the actual external provider call during multiple integration tests, which will load the external API; at the same time, we would like to test with the actual REST response from the service.
Any suggestions?
If the public API has a swagger description, you could use the Atlassian Pact Swagger Validator. I describe the workflow in this talk: https://www.youtube.com/watch?v=79GKBYSqMIo#t=39m10s
Another alternative would be to create a mock API for the external service. There are some free services like https://mockfirst.com, https://www.mockable.io/, etc. where you can do that.

Mock Session in Spring Boot and RestAssured

I have a web application, running with Spring Boot. Now I have to write tests with Rest Assured.
However, for running some of them I have to be authenticated on the server. The server uses Google OAuth authentication. Is there any way to mock a session with Rest Assured?
The documentation doesn't say a lot about this, and the ways covered there don't help.
when()
.sessionId("id here")
On the server side I'm using HttpSession with userId parameter inside.
I have found a solution.
RestAssured (since 3.0.0) has integration with MockMvc, and session mocking can be achieved by calling something like:
given().sessionAttr("name", value)
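
The `sessionAttr` call from the answer above in a complete test, as an added example that is not part of the original post. It assumes the `io.rest-assured:spring-mock-mvc` module and JUnit 5 are on the test classpath; `ProfileController`, `/profile` and the `userId` value are hypothetical stand-ins for the application's own code.

```java
import static io.restassured.module.mockmvc.RestAssuredMockMvc.given;
import static org.hamcrest.Matchers.equalTo;

import io.restassured.module.mockmvc.RestAssuredMockMvc;
import javax.servlet.http.HttpSession; // jakarta.servlet.http.HttpSession on Spring Boot 3
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

class SessionAttrTest {

    // Hypothetical controller: reads the userId that the login flow would have stored.
    @RestController
    public static class ProfileController {
        @GetMapping("/profile")
        public String profile(HttpSession session) {
            Object userId = session.getAttribute("userId");
            if (userId == null) {
                // No authenticated session: refuse instead of serving data.
                throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
            }
            return "user:" + userId;
        }
    }

    @BeforeEach
    void setUp() {
        // Standalone MockMvc: no HTTP server and no real OAuth round trip.
        RestAssuredMockMvc.standaloneSetup(new ProfileController());
    }

    @Test
    void sessionAttributeReachesTheController() {
        given().sessionAttr("userId", "42") // constructed sample value
            .when().get("/profile")
            .then().statusCode(200).body(equalTo("user:42"));
    }

    @Test
    void requestWithoutSessionAttributeIsRejected() {
        // The negative case: an empty session must not be treated as logged in.
        given().when().get("/profile").then().statusCode(401);
    }
}
```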
