5

I have began learning OAuth2 Spring Security from one week so excuse me, if question is to easy. The topic seemed easy even to me till I started working on it. I am going to write tests for Rest endpoints in my application. In order to do that I am going to write tests for my resource classes. But my application is using OAuth2.

First idea was to configure separate Authorization Server extending AuthorizationServerConfigurerAdapter for this tests. I have configured ClientDetailsService to persist in memory and added InMemoryTokenService. But it does not work. Response was 401 - Unauthorized.

Now I am thinking only to privide bean DefaultTokenServices and somehow omit Authorization Server (but how?). I did not change anything in 'production' Resource Server.

I know how to add bearer token. I am writing my tests using OAuth2RestTemplate and I am adding Access Token to OAuth2ClientContext. I create access token using conctructor DefaultOAuth2AccessToken(String value). I know there is TestRestTemplate but OAuth2RestTemplate seems better to me in this case. I am using Spring Boot, maybe that will help?

My questions are: 1. What is the best solution? What is the best way to configure OAuth2 in order to perform Rest endpoints tests? How to perform tests without Authorization Server? Maybe my understanding is inappropriate? 2 Is there any way to mock requests to Authorization Server? How to do that?

Thanks in advance for cooperation.

I have read a lot of materials including: http://projects.spring.io/spring-security-oauth/docs/oauth2.html but nowhere I have found answer.

marciano
  • 71
  • 5

1 Answers1

0

Little more info required to provide accurate answer:

  1. are you writing unit or integration tests ?

If unit-tests, you shouldn't bother with an authorization-server at all. All you want is a correctly set-up SecurityContext for your mockMvc query (or reactive equivalent).

If integration-tests, Spring provides with tooling for that, but I'll focus on unit-tests as it's what I understand you're trying to write.

  1. what versions of spring libs are you using?

spring-security-oauth2 is deprecated and has no support for unit-tests but I detailed in the answer to this other question how to create annotations to configure such a security context.

From version 5.2 (pick latest milestone), spring-security-test has basic support for unit-testing @Controller secured with JWT. If you are using introspection or secured @Service, you'll have to refer to this lib I wrote as spring-security team chose to integrate only a small part of my work.

ch4mp
  • 6,622
  • 6
  • 29
  • 49