OAuth 2.0 for Testers – Part 2: Testing OAuth 2.0 manually using POSTMAN

This is part 2 of a 2 part series on OAuth 2.0 for software testing.

Testing OAuth 2.0 manually using POSTMAN

Let’s take a real-world example of an API test where, as a tester, you have to validate the existence of an image file on a user's Imgur account. Imgur is an online image sharing community, and the Imgur API uses OAuth 2.0 for authentication. The flow contains four steps: registration, authorisation, making the request, and getting a new access token after the initial one has expired. Note that for this test we are going to use the ‘Authorisation Code’ grant type and assume that the user has already uploaded an image.

Imgur already exposes an API for the outside world to access a user's images. The end point is https://api.imgur.com/3/account/me/images

As a first step you need a client ID and client secret for your application. You can get them by filling in this simple form: https://api.imgur.com/oauth2/addclient

Now let’s create a GET request under a new collection in Postman with the above end point and send the request. You will initially get a 401 Unauthorised status code, because we have not provided any authorisation to the end point.


In order to provide authorisation, let's add an account and create an OAuth 2.0 authorisation token with the following details.

Callback URL: https://www.getpostman.com/oauth/callback (the same URL you used when creating the client_id and secret)
Auth URL: https://api.imgur.com/oauth2/authorise
Access Token URL: https://api.imgur.com/oauth2/token
Client ID: {obtained when you register your app with the Imgur service}
Client Secret: {obtained when you register your app with the Imgur service}
Grant Type: Authorisation Code
Type: OAuth 2.0
Token Name: Imgur Sample Token


Click the ‘Get New Access Token’ button. It will open a Postman window where you enter your registered user credentials for Imgur. Then click the Allow button.


You will see a message saying Authentication Complete. Your access token, along with the refresh token, will be visible in your Postman account. Simply add this access token to your account.


Go back to your previous GET request and select the ‘Imgur Sample Token’ we created above.


That’s it. Click ‘Send’ and you will get a 200 OK response, with the details of the image file in the response body.


Congratulations, you have successfully tested authorisation using OAuth 2.0.

Writing automation scripts for OAuth 2.0

Scripting the end-to-end test can be a little complicated. In the above example, the Postman tool took care of constructing the required web URL automatically, which eventually allowed us to authenticate on the Imgur site by entering valid user credentials. If you are using an automation library like RestAssured you will need to construct that URL yourself by gathering the required parameters for the login UI page. RestAssured itself cannot launch the web page in a browser, so you need an additional tool like Selenium to take care of the UI automation. Selenium can be easily integrated with a RestAssured framework under one project, which makes our job easier.

First of all, let’s begin by writing the code to launch the web URL. The authorisation URL can be easily constructed using the Auth end point specified on the Imgur API documentation site. You simply need to add the required parameters mentioned in the API contract, such as response_type, client_id and redirect_uri.

Here is how it looks

Now you can start automating the script by creating a Maven project and adding the RestAssured and Selenium dependencies. Your code to handle the web browser looks like this. It will launch the Chrome browser, open the constructed web page and pass the user credentials.

After authentication, it captures the code value rendered in the browser and stores it in a variable.

Once we have the code value, we can start automating our first end point, i.e. the token end point. We pass the code captured above as one of the mandatory body parameters of the POST request.

Create a JsonPath object and extract the needed value from the response as a string.

Congratulations! You have successfully received the ‘access_token’. In the final piece of the program, you can hit the GET request for images. The request uses this access_token in one of its mandatory headers.
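The same five steps, written out as plain functions so each one can be checked in isolation. This is an added example, not the author's RestAssured/Selenium code: the browser step is represented by the callback URL the browser lands on, all endpoint, client and response values are assumptions or constructed samples (take the real ones from the Imgur API contract), and the state parameter is an addition that lets the test reject a callback that does not belong to the request it started.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for this example; the real ones come from the Imgur API
# documentation and the client registration form mentioned in the article.
AUTH_URL = "https://api.imgur.com/oauth2/authorize"
TOKEN_URL = "https://api.imgur.com/oauth2/token"
IMAGES_URL = "https://api.imgur.com/3/account/me/images"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://www.getpostman.com/oauth/callback"

# Constructed sample inputs standing in for the browser redirect and the
# two JSON responses the real test would receive.
SAMPLE_CALLBACK = REDIRECT_URI + "?code=c0de123&state=abc"
SAMPLE_TOKEN_JSON = '{"access_token": "tok", "refresh_token": "ref", "token_type": "bearer"}'
SAMPLE_IMAGES_JSON = '{"data": [{"id": "img1", "link": "https://i.imgur.com/img1.png"}], "success": true, "status": 200}'


def build_authorize_url(state):
    """Step 1: the URL the browser is sent to. 'state' is a random
    per-test value that the callback must echo back."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTH_URL + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Step 2: capture 'code' from the redirect, refusing it unless the
    echoed state matches the one this test generated."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not from our request")
    return query["code"][0]


def token_request_body(code):
    """Step 3: form body of the POST to the token end point."""
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "grant_type": "authorization_code", "code": code}


def access_token_from(token_json):
    """Step 4: the JsonPath extraction, done with the json module."""
    return json.loads(token_json)["access_token"]


def images_request_headers(access_token):
    """Step 5: the mandatory header on the GET to the images end point."""
    return {"Authorization": "Bearer " + access_token}


def image_present(images_json, image_id):
    """Final validation: the images response lists the uploaded image."""
    body = json.loads(images_json)
    return body.get("success") is True and any(
        item.get("id") == image_id for item in body.get("data", []))
```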

You have reached the end of your automation test. The above code validates the images end point and ensures that the response contains the details of the image the user uploaded initially. Isn’t testing fun?

Summary

Among the various grant types, Authorisation Code is probably the most common OAuth 2.0 grant type you’ll encounter, as it is widely used by traditional web apps. Testing OAuth may seem a little complex when you begin, but it is very simple once you have written your first test. It is always good practice to start writing your tests in Postman or SoapUI to get familiar with the APIs before you start automating them. Remember, reading the API documentation, a.k.a. the API contract, is crucial whether you are testing via Postman or automation scripts, so ask for it before you begin your testing. If it does not exist for your project, get the needed details from the developers.

About the Author

Sachin Shinde has more than thirteen years of software quality experience. He has worked on a wide variety of products including insurance, health, retail energy, credit risk and banking. Sachin is self-driven and highly motivated in his work. His clients always seek his consultancy in software quality management and test automation. Sachin enjoys writing technical articles and blogs. He is an aspiring speaker at the London Java Community (LJC) and a certified scrum master. Sachin is currently working as a Senior Test Engineer with Wipro Ltd, UK.
