4

I have an API that uses another API (example google calendar API) which is authenticated with OAuth 2.

httpRequest => MyApi under test => uses external Oauth2 enabled API

If the "Oauth2 enabled API" were using HTTP basic authentication, I could just hardcode the username and password somewhere to test the application, using the username and password of a test user created in the external app that exposes the API I am using.

But with Oauth2, the user is required to consent (the user is usually redirected to a web page that asks them for consent) before the app can access their data through the API.

I just want to create simple Integration Test: For example, my API creates an event in the google calendar, then deletes it for cleanup, but without human intervention.

Is this possible and how?

2 Answers

1

I've been wondering about the best way to do this myself. So far I've found a few options:

  1. Use the password grant type, to authenticate as a user. This is apparently no longer recommended as per best practices, but that's for end-users. Not for testing.
  2. Use the client_credentials grant type, to authenticate as the app itself. The problem with this is that if your test depends on being able to retrieve user data, the app won't have any associated to itself, unless you manipulate it beforehand.
  3. Request a refresh_token, to re-authenticate as a previously authenticated user. This is done by requesting the offline_access scope. A user will have to do the first authentication, get a refresh token and provision the test script with it. The script then must be able to keep updating itself with a fresh refresh token each time it runs. And if the refresh token should expire before the next run, human intervention will be required again.
  4. Use the device_code grant type to poll for end-user consent elsewhere. This is like what YouTube uses to pair your SmartTV, whereby you start the login on your SmartTV and consent to it with a pairing code on your mobile device. Here, human intervention is required as well for the consent, at least the first time, and then again should the consent expire.
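Option 3 above, as an added example that is not code from the question or the answers: a Python helper an integration-test script can call at start-up to exchange a stored refresh token for an access token, persist a rotated refresh token for the next run, and fail loudly when the grant is rejected so a human knows consent must be repeated. The token endpoint URL, client id/secret and store-file path are assumed inputs; the `post` parameter is a hook so the exchange can be exercised offline against a fake endpoint.

```python
import json
import os
import stat
import time
import urllib.parse
import urllib.request


class ReauthRequired(Exception):
    """The stored refresh token was rejected: a human must redo the consent step."""


def post_form(url, fields):
    """Real token-endpoint call: form-encoded POST, JSON reply (RFC 6749 section 6)."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def refresh_access_token(token_url, client_id, client_secret, store_path, post=post_form):
    """Turn the refresh token in store_path into an access token for this test run.

    If the server rotates the refresh token, the new one replaces the old one on
    disk (owner-only permissions) so the next run still works. An error reply such
    as 'invalid_grant' means the token expired or was revoked; consent is needed
    again. Returns (access_token, unix_expiry). 'post' is injectable for testing.
    """
    with open(store_path) as f:
        stored = json.load(f)
    reply = post(token_url, {
        "grant_type": "refresh_token",
        "refresh_token": stored["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if "error" in reply:
        raise ReauthRequired(f"token endpoint returned {reply['error']}")
    if reply.get("refresh_token") not in (None, stored["refresh_token"]):
        # Persist the rotated token atomically so a crash never leaves a half-written store.
        stored["refresh_token"] = reply["refresh_token"]
        tmp = store_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(stored, f)
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(tmp, store_path)
    return reply["access_token"], time.time() + int(reply.get("expires_in", 3600))
```

The stored file holds a long-lived secret, so it belongs in the CI secret store or an ignored path, never in the repository.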


0

If you're developing an API, then your tests should be against that API only. You are not responsible for the work done in the external Oauth2 API, the author of that API is. Only test your own code.

Which means, you should find a way to mock out the calls to the external API if possible.

3 Comments

OK, you are right. But what if I want to unit test my own Oauth2 API and check that everything works in an automated fashion? And also I will need to test more APIs, so mocking them will be a big effort. Relying on a test account, I thought it would be easier.
Automated Unit Testing is supposed to be done on your code unit, not on the whole process. That's what integration testing is for. The same way you mock any database access during normal unit testing (even if seems easier to use a test database), you'll need to mock the external API access during yours. The less "external" code your test actually runs, the better.
OK, unit test was not the right word, I totally agree. So let's talk about integration tests. How to test integration with other Oauth2 enabled APIs? Is there a way to do that without using a tool like Selenium?
