Testing IS-10 Authorization
←Usage - Testing BCP-003-01 TLS · Index↑ · Usage - Testing of SDP Files→
Most of the test suites can be run in a mode where authorization is required according to IS-10 / BCP-003-02.
This is enabled by setting ENABLE_AUTH
to True
.
In this mode, every request which is made by the testing tool will include a JSON Web Token issued by the testing tool’s mock authorization server, which should grant it access to the API under test.
Test suites which include ‘mocks’, most notably the IS-04 Node API suite (which include a mock registry), also require valid Access Tokens to be presented to the mock APIs by the OAuth Client (Node or Controller) under test.
Note that whilst the testing tool does not prevent authorization testing from being carried out with ENABLE_HTTPS
set to False
, this is for debugging purposes only. Production environments must never use authorization without TLS.
There are a number of additional configuration parameters required depending on the OAuth 2.0 options used by the OAuth Client under test.
-
If the OAuth Client uses
private_key_jwt
client authentication, setJWKS_URI
to its JSON Web Key Set endpoint. -
If the OAuth Client uses the Authorization Code Grant, the mock Auth server redirects the user-agent back to the client with the authorization code. If the
redirect_uri
is not provided by the client during the authorization code flow, setREDIRECT_URI
to the appropriate endpoint. -
If the OAuth Client does not specify its required
scope
when requesting an Access Token, setSCOPE
to configure the default scopes issued by the mock authorization server as a space-separated list of scope names, e.g. “connection node events”. Supported scopes include “connection”, “node”, “query”, “registration”, “events”, “channelmapping”.
←Usage - Testing BCP-003-01 TLS · Index↑ · Usage - Testing of SDP Files→