I have a system that is using Firebase authentication with Google provider. I have an issue with automating integration tests for API. Tests are represented by a bunch of HTTP requests (Postman collections). I need to do some steps before tests to get a token from Firebase.
Only solution I can see is to add refresh token to the tests and call Refresh token endpoint to get a new token. Not sure how long will the refresh token live. Doesn't look like a good solution. E2E frameworks like Selenium are not an option.
What I want to achieve in the ideal scenario:
The input for the test is username/password for Google account and maybe settings pointing to the correct Firebase project. I need to perform some
magic HTTP requests (without user interaction) to get Firebase token back.
Does anyone knows if that is feasible? If not - how this flows can be automated without Selenium?
Related
I can trying to fetch the oauth2 token from token url .I am using authorisation code flow in Oauth2 .
For the token url call ,mandatory parameter is code.
So I need to do a get call on authorization url and get the code.
In postman while doing the authorization call I am getting redirect page(ui to enter credentials)
.Is there any other way to fetch the token using this flow without going through ui as this is specifically testing api
This is for API Automation Testing.
Microsoft documentation attached - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
It is not easy in OAuth to get a token for a user for automated test scenarios. Authorization Code Flow requires redirects to be followed and complex slow code
Usually you do not want to test Azure AD itself because it is not your code.
One simpler option for automated tests is to use Resource Owner Password Grant to get a token as a user via a simple HTTPS POST. It is not recommended to use this in real UIs though.
I'm using keycloak to let my users authenticate with my application. And i am trying to migrate some functionality to a few plugins, e.g. a wordpress plugin. For these plugins i want to use a generic solution so I found the following authentication process from Microsoft (https://learn.microsoft.com/en-us/office/dev/add-ins/develop/auth-external-add-ins#middleman-services) and Adobe ( https://adobexdplatform.com/plugin-docs/tutorials/how-to-integrate-with-OAuth/).
I managed to hack my way around the process to get this working with keycloak. But at this moment I'm a bit concerned about the security risk that go with this process.
The process in steps
the (plugin) client asks to backend server to generate a code to identify the user.
the (plugin) client start polling the backend for an authentication code (no response yet, since the user is not logged in yet).
the plugin opens a browser window or tab with the keycloak loginpage. Everything is the same as the normal process, but this time we add an redirect uri with the code generated in step one, which identifies the user.
once the user is logged in the user gets redirected in the browser to an endpoint where the code from step one is linked to the access token retrieved in this step.
the polling from step 2 now returns the access token to the (plugin) client.
The reason I need to poll for the access token is because I want to make a generic login process for all client.
In short, I want to know what the security risks are, given the steps above. Also I can not seem to find any information of keycloak that they want to implement such feature. Does anyone know if they want to implement this, since many other plugins do offer tis feature to authenticate outside the plugin with a popup window and retrieving the accesstoken by "polling" the server.
Thanks for the help.
This question already has answers here:
How do I authorise an app (web or installed) without user intervention?
(2 answers)
Closed 5 years ago.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground). It's an app to be run only for my account, in headless mode, on a trusted machine, to manage my cluster.
NOTE: must not require any proprietary software installations (e.g. the Google SDK).
Google provides an API Client Library for Java, which itself depends on an OAuth client library.
For the project of 9Cards launcher for Android, within the back-end, we had to use this library to fetch applications usage statistics from Google Analytics. In our code, because it is a case of "server to server" authentication, we use a Service Account's credentials. The code issues a request from Google a short-lived OAuth2 Auth Token. The library may provide similar features if you use a Client-ID and Client-Secret.
Regarding the issue of licenses, the library is published under Apache License v2, so in that regard it is not too proprietary.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
Good start. I guess by "the JSON API endpoints" you mean the Google APIS. Make sure you created OAuth Client IDs and not one of the other options.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
Yes the OAuth Playground will do that for you. The detailed steps and sample code to consume the token is at How do I authorise an app (web or installed) without user intervention? (canonical ?)
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground).
Follow the steps linked to above and you will see that you don't need to write any code at all. Once you have the refresh token (a one time procedure), you're all set. I exaggerate slightly, you do need one line of code to post the refresh token to the Google Oauth endpoint to fetch an access token. See the bottom of the linked answer for an example. Or you could just compose a curl to do it from the command line and put the Access Token into an environment variable.
I just wanted to avoid the whole thing and get a code printed on the screen
A bit like https://youtu.be/hfWe1gPCnzc?t=198
I am writing a project that lets users implement login integration for multiple web services (e.g. Google, Facebook etc.) to his/her website. I see Facebook allows us to manually build a login flow. Using this I can code everything myself and also let users use the script just by configuring it a bit (like setting app_secret and app_id). I am looking for a similar thing in Google. I don't wanna use the SDK because if I do that for multiple OAuth providers, then I think I'll mess things a lot. I also want to keep the client (JavaScript) side code at a minimum. So, can I build a manual login flow for Google, as I can for Facebook?
This information is given on the following page: https://developers.google.com/identity/protocols/OAuth2UserAgent (select the OAUTH 2.0 ENDPOINTS tabs)
Some excerpts:
The OAuth endpoint is https://accounts.google.com/o/oauth2/v2/auth
Token is returned like this: https://oauth2.example.com/callback#access_token=4/P7q7W91&token_type=Bearer&expires_in=3600
You can validate the token by using the tokeninfo endpoint: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<access_token>
I've an ETL tool that is capable of making REST API calls against the Yammer network and retrieving data for analysis. Currently, how I make Yammer REST API calls is through an App that I've created. I then generated the authentication token and then used this token in the REST API calls to get at the data.
What I'd really like to do now is to provide an app that allows me to call the REST API (using the same ETL tool) without the person installing the app to have to go through the rigmarole of generating the auth token.
I suppose one approach could be to use some JavaScript that displayed the token to the user so that they could then pass it on to us... Do you folks have any other suggestions as to how I might do this?
There isn't a recommended way to skip the OAuth authorization, but you can automate a lot of it away. I created a Python script that uses the YamPy library to acquire a token. It even fires up the browser to the correct URL for authorization. You should be able to do something similar with other languages.
Calling the impersonation endpoint is another possibility. This will get you an OAuth token for another user so you'd need to have an app is just for producing OAuth tokens. It's probably a bit trickier to build right and secure than my script. Impersonation was designed for a specific category of app which means I don't recommend it by default. Even when it is a workable option it hides the authorization from end users which can potentially be a security issue, if say you app is compromised and handing out OAuth tokens. At least if the Yammer screen is in the way it's a bit more visible to the user what is happening.