Testing IS-10 Authorization
Most of the test suites can be run in a mode where authorization is required according to IS-10 / BCP-003-02.
This is enabled by setting
In this mode, every request which is made by the testing tool will include a JSON Web Token issued by the testing tool’s mock authorization server, which should grant it access to the API under test.
Test suites which include ‘mocks’, most notably the IS-04 Node API suite (which include a mock registry), also require valid Access Tokens to be presented to the mock APIs by the OAuth Client (Node or Controller) under test.
Note that whilst the testing tool does not prevent authorization testing from being carried out with
False, this is for debugging purposes only. Production environments must never use authorization without TLS.
There are a number of additional configuration parameters required depending on the OAuth 2.0 options used by the OAuth Client under test.
If the OAuth Client uses
private_key_jwtclient authentication, set
JWKS_URIto its JSON Web Key Set endpoint.
If the OAuth Client uses the Authorization Code Grant, the mock Auth server redirects the user-agent back to the client with the authorization code. If the
redirect_uriis not provided by the client during the authorization code flow, set
REDIRECT_URIto the appropriate endpoint.
If the OAuth Client does not specify its required
scopewhen requesting an Access Token, set
SCOPEto configure the default scopes issued by the mock authorization server as a space-separated list of scope names, e.g. “connection node events”. Supported scopes include “connection”, “node”, “query”, “registration”, “events”, “channelmapping”.