Script-based testing in a browser-based auth scenario


We have a web API where an auth token is generated after invoking a browser-based authentication. How can this be automated via script in a CI/CD pipeline, where there wouldn't be any user action?


There are 2 answers

Michal Trojanowski

The details depend on your concrete technology stack, but you will have to use a headless browser, as pointed out in the comments. This is software that behaves like a browser but doesn't have a UI and is controlled through scripts. Have a look at cypress.io, as they have a really good tool for what you need.

You can have a look at this example we've created at Curity: https://github.com/curityio/redirect-action-example/blob/master/tests/cypress/e2e/authenticationAction.cy.js This shows a Cypress test that performs user authentication through a headless browser and gets an ID token from the response.

In this repo you will also find a definition of a GitHub Actions workflow, so you can check how we put all of this together and test via GitHub Actions.

If your authentication flow is a simple one, you can actually script it using curl commands. Curl is able to send and receive cookies, so it can mimic browser requests. With curl you will have to hardcode what requests are being sent and their model, so it might be a bit more tricky with some complicated flows. Here's another example we've created at Curity, where curl is used to perform the login flow: https://github.com/curityio/oauth-agent-kotlin-spring-fapi/blob/master/test/login.sh

ch4mp

Have you considered unit-testing API (resource-server) access control with mocked identities instead of writing end-to-end tests involving at least three OAuth2 actors (resource-server, authorization-server and client)?

This would be much simpler, faster and more stable.

If you are using the Spring Framework for your API, visit this repo. I have quite a few samples and tutorials covering most of the possible OAuth2 configuration options, with unit and integration tests focused on access control.
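An added example of the approach this answer describes, not ch4mp's code or the Spring samples: the API's access-control layer is exercised with mocked identities, so the test never drives a browser login or contacts an authorization server. The `authorize` function, the `ROUTES` table, the scopes, roles and the `tok-*` tokens are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class Identity:  # claims the API acts on; in production they come from token validation
    scopes: frozenset
    roles: frozenset
class InvalidToken(Exception): pass  # signature, issuer, audience or expiry failure

# Required scope and role per (method, path); None means no role is required.
ROUTES: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("GET", "/orders"): ("orders:read", None),
    ("DELETE", "/orders"): ("orders:write", "admin"),
}

def authorize(verify: Callable[[str], Identity], method: str, path: str,
              authorization: Optional[str]) -> int:
    """Access-control layer of the API; the verifier is injected so tests can mock it."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    try:
        identity = verify(authorization[len("Bearer "):])
    except InvalidToken:
        return 401
    scope, role = ROUTES[(method, path)]
    if scope not in identity.scopes or (role is not None and role not in identity.roles):
        return 403
    return 200

# Mocked identities: constructed opaque tokens mapped straight to claims, so the
# test never contacts an authorization server or drives a browser login.
MOCK_IDENTITIES = {
    "tok-reader": Identity(frozenset({"orders:read"}), frozenset()),
    "tok-admin": Identity(frozenset({"orders:read", "orders:write"}), frozenset({"admin"})),
}

def mock_verify(token: str) -> Identity:
    if token not in MOCK_IDENTITIES:
        raise InvalidToken(token)  # stands in for an expired, revoked or forged token
    return MOCK_IDENTITIES[token]

def access_decisions() -> Dict[str, int]:
    """The cases a unit test of the access-control layer covers, with no OAuth2 actors involved."""
    return {
        "anonymous": authorize(mock_verify, "GET", "/orders", None),
        "unknown_token": authorize(mock_verify, "GET", "/orders", "Bearer tok-unknown"),
        "reader_read": authorize(mock_verify, "GET", "/orders", "Bearer tok-reader"),
        "reader_delete": authorize(mock_verify, "DELETE", "/orders", "Bearer tok-reader"),
        "admin_delete": authorize(mock_verify, "DELETE", "/orders", "Bearer tok-admin"),
    }
```

The same test cases run unchanged against the real verifier once it is wired in; only the injected `verify` callable differs between the unit test and the deployed service.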