
I have a .NET Web API app with OWIN security. The security middleware is configured with Google authentication (no local username/password authentication) and OAuth bearer tokens.

In startup:

public void ConfigureAuth(IAppBuilder app)
{
   ...
   // Token issuance for this API: the app acts as its own OAuth2 authorization server
   app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions {
      TokenEndpointPath = new PathString("/token"),
      AuthorizeEndpointPath = new PathString("/account/authorize"),
      Provider = new ApplicationOAuthProvider("web"),
      ...
   });

   // External login: users authenticate with Google, then the app issues its own token
   app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions {
      ClientId = "...",
      ClientSecret = "..."
   });
}

From my client applications I go to

http://myapp.com/account/authorize?client_id=web&response_type=token&redirect_uri=...

This redirects to a google login that the user fills in, then back to my app with a bearer token that I peel off and add to request headers for my api.

I would like to write some integration tests where my tests call the API. The tests have the google credentials of a test user, but I am not sure how to have the test authenticate without bringing up a browser and a google login screen. I could drive that with Selenium but that seems heavy-handed.

How do I programmatically get a bearer token to use with my API such that I can impersonate my test user?


Normally you would use the OAuth2 resource owner password credentials grant in this case, but Google does not seem to support that.

So your best option seems to be to use the authorization code grant to authenticate the test user, extract the refresh token from the token endpoint response. Then use the refresh token and client ID and secret to get an access token from your integration test.

See this for more information: https://developers.google.com/identity/protocols/OAuth2InstalledApp

  • I tried but it didn't work. I get a Google bearer token this way that I pass in on the Authorization header (Authorization: Bearer xxx) but it redirects to /authorize/login. I think the problem is that I need an Owin/.net bearer token (OAuthAuthorizationServerProvider) not a Google bearer token? – fredw Dec 03 '15 at 21:40
  • Are you sure you're passing in the correct JWT token? You should be able to see what's inside the token by pasting it into the encoded text field here: http://jwt.io/ – MvdD Dec 04 '15 at 03:54
  • Yes, the JWT is ok according to jwt.io - it's a valid google token and I can use it for Google APIs but not for my own API. – fredw Dec 04 '15 at 23:06
  • Check the 'aud' claim in the token. It should match what you configured your middleware to expect. – MvdD Dec 04 '15 at 23:41
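As an added example (not code from the question, the answer, or the project), this is the second half of the procedure in the answer written as a C# test helper: it exchanges a refresh token, obtained once interactively via the authorization code grant, for fresh tokens at Google's token endpoint, then checks the id_token's aud claim as suggested in the comments. It assumes the original consent request included the openid scope (so the refresh response carries an id_token), uses Newtonsoft.Json for parsing, and only helps if the API actually validates Google-issued tokens, which, as fredw notes, the OWIN setup in the question does not do on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class GoogleTestAuth
{
    // Google's OAuth2 token endpoint.
    const string TokenEndpoint = "https://oauth2.googleapis.com/token";

    // Refresh-token grant: the refresh token is assumed to have been obtained once,
    // interactively, with the authorization code grant and stored for the test run.
    public static async Task<JObject> RefreshAsync(HttpClient http,
        string clientId, string clientSecret, string refreshToken)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string> {
            { "grant_type", "refresh_token" },
            { "client_id", clientId },
            { "client_secret", clientSecret },
            { "refresh_token", refreshToken }
        });
        var resp = await http.PostAsync(TokenEndpoint, form);
        resp.EnsureSuccessStatusCode();
        return JObject.Parse(await resp.Content.ReadAsStringAsync());
    }

    // Decodes the JWT payload (second base64url segment) without verifying the
    // signature; enough to see which audience the token was issued for (as on jwt.io).
    public static JObject DecodePayload(string jwt)
    {
        var seg = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        seg = seg.PadRight(seg.Length + (4 - seg.Length % 4) % 4, '=');
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(seg)));
    }

    // Google id_tokens carry the client ID as a single string in "aud".
    public static bool AudienceMatches(string jwt, string expectedClientId)
    {
        return (string)DecodePayload(jwt)["aud"] == expectedClientId;
    }

    // Usage in a test: the returned id_token goes in the Authorization: Bearer header.
    public static async Task<string> GetTestBearerAsync(string clientId, string clientSecret, string refreshToken)
    {
        using (var http = new HttpClient())
        {
            var tokens = await RefreshAsync(http, clientId, clientSecret, refreshToken);
            var idToken = (string)tokens["id_token"];
            if (idToken == null || !AudienceMatches(idToken, clientId))
                throw new InvalidOperationException("id_token missing or issued for a different audience");
            return idToken;
        }
    }
}
```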