Showing posts with label Secure API Testing with Rest Assured. Show all posts

How to test OAuth2 in Rest Assured

What is OAuth2?

  • OAuth2 (OAuth 2.0, RFC 6749) is an authorization framework, not an authentication protocol: it answers "what may this client access", not "who is this user" (that is what OpenID Connect adds on top of it).
  • It allows third-party applications (clients) to gain limited, scoped access to resources (like APIs or user data) on behalf of the resource owner (the user).
  • Instead of sharing user credentials (like username/password) with the client, OAuth2 uses access tokens issued by an authorization server; the client presents the token to the resource server, which validates it before serving protected resources.

Key Components in OAuth2
  • Resource Owner → The user who owns the data.
  • Client → The application requesting access on behalf of the user.
  • Authorization Server → Issues access tokens after validating the client and resource owner.
  • Resource Server → Hosts protected resources and validates access tokens before granting access.

Common OAuth2 Grant Types
  • Authorization Code Grant → Used in web and mobile apps; public clients (SPAs, native apps) should use it with PKCE.
  • Client Credentials Grant → For machine-to-machine communication where no user is involved; the client authenticates with its own credentials.
  • Resource Owner Password Credentials Grant → The client sends the user's username and password straight to the token endpoint (deprecated by the OAuth 2.0 Security Best Current Practice; avoid for new systems).
  • Implicit Grant → Returned tokens in the URL fragment to single-page apps (deprecated for the same reason; use Authorization Code with PKCE instead).
  • Refresh Token Grant → Exchanges a refresh token for a new access token without involving the user again.

How to Test OAuth2 in Rest Assured

When you need to test APIs protected by OAuth2 using Rest Assured, the flow is generally:

1. Obtain an Access Token
  • Send a request to the Authorization Server’s token endpoint (e.g., /oauth/token) with required details (client ID, client secret, grant type, username, password, or authorization code depending on the flow).
  • The response will contain an access token (and sometimes a refresh token).
2. Use the Access Token in API Requests
  • For subsequent API calls to the Resource Server, include the access token in the Authorization header as:  Authorization: Bearer <access_token>
3. Validate API Responses
  • With a valid token attached, the API should return the expected data with a 200.
  • If the token is missing, expired or invalid, the resource server should return 401 Unauthorized with a WWW-Authenticate: Bearer challenge; if the token is valid but lacks the required scope, it should return 403 Forbidden (error="insufficient_scope", RFC 6750).
4. Test Token Expiry & Refresh
  • Test how the system behaves when an expired token is used (wait past expires_in seconds, or ask the authorization server for a short-lived token): the call must fail with 401, not succeed silently.
  • Test the refresh token endpoint (grant_type=refresh_token) to get a new valid access token, and confirm the new token works against the resource server.
5. Negative Testing
  • Call the API without a token → should return 401.
  • Call the API with an invalid or tampered token → should return 401; a 200 here means the resource server is not validating tokens at all.
  • Request a token with incorrect client credentials → should be rejected at the token endpoint (400 or 401 with error=invalid_client), so no token is ever issued.
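
Steps 1 to 5 as one complete JUnit 5 test class, as an added example that is not code from the original post. It assumes an authorization server that supports the client_credentials grant and HTTP Basic client authentication, a resource server whose error responses follow RFC 6750 (the WWW-Authenticate header checks depend on that), and endpoints and credentials supplied through environment variables whose names are this example's own choice:

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.*;

import io.restassured.http.ContentType;
import io.restassured.response.Response;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;

// Added example, not code from the original post. Endpoints and credentials are read
// from environment variables (names chosen here) so that no secret lives in the test.
public class OAuth2FlowTest {

    private static final String TOKEN_URL     = System.getenv("OAUTH_TOKEN_URL");     // e.g. https://auth.example.com/oauth2/token
    private static final String PROTECTED_URL = System.getenv("OAUTH_PROTECTED_URL"); // a resource that really validates tokens
    private static final String CLIENT_ID     = System.getenv("OAUTH_CLIENT_ID");
    private static final String CLIENT_SECRET = System.getenv("OAUTH_CLIENT_SECRET");

    private static String accessToken;
    private static String refreshToken; // usually absent for client_credentials

    // Step 1: obtain a token once; the client authenticates with HTTP Basic (RFC 6749 section 2.3.1)
    @BeforeAll
    static void obtainToken() {
        Assumptions.assumeTrue(TOKEN_URL != null && PROTECTED_URL != null
                && CLIENT_ID != null && CLIENT_SECRET != null, "OAUTH_* environment variables not set");
        Response tokenResponse = given()
                .auth().preemptive().basic(CLIENT_ID, CLIENT_SECRET)
                .contentType(ContentType.URLENC)
                .formParam("grant_type", "client_credentials")
            .when()
                .post(TOKEN_URL)
            .then()
                .statusCode(200)
                .contentType(ContentType.JSON)
                .body("access_token", notNullValue())
                .body("token_type", equalToIgnoringCase("bearer"))
                .body("expires_in", greaterThan(0))
                .extract().response();
        accessToken  = tokenResponse.path("access_token");
        refreshToken = tokenResponse.path("refresh_token"); // null when the server issued none
        // The token is deliberately not logged: bearer tokens in CI output are a credential leak.
    }

    // Steps 2 and 3: a valid bearer token is accepted by the resource server
    @Test
    void validTokenIsAccepted() {
        given().auth().oauth2(accessToken)          // sends Authorization: Bearer <token>
        .when().get(PROTECTED_URL)
        .then().statusCode(200);
    }

    // Step 5: no token at all must yield 401 plus a Bearer challenge (RFC 6750 section 3)
    @Test
    void missingTokenIsRejected() {
        given()
        .when().get(PROTECTED_URL)
        .then().statusCode(401)
               .header("WWW-Authenticate", containsString("Bearer"));
    }

    // Step 5: a token with one character changed must fail signature or introspection checks.
    // An expired token is exercised the same way once expires_in seconds have elapsed.
    @Test
    void tamperedTokenIsRejected() {
        int last = accessToken.length() - 1;
        char replacement = accessToken.charAt(last) == 'a' ? 'b' : 'a';
        String tampered = accessToken.substring(0, last) + replacement;
        given().auth().oauth2(tampered)
        .when().get(PROTECTED_URL)
        .then().statusCode(401)
               .header("WWW-Authenticate", containsString("invalid_token"));
    }

    // Step 5: a wrong client secret is rejected at the token endpoint, before any token exists
    @Test
    void wrongClientSecretIsRejectedAtTokenEndpoint() {
        given()
            .auth().preemptive().basic(CLIENT_ID, CLIENT_SECRET + "-wrong")
            .contentType(ContentType.URLENC)
            .formParam("grant_type", "client_credentials")
        .when().post(TOKEN_URL)
        .then().statusCode(anyOf(is(400), is(401)))   // RFC 6749 section 5.2: 401 when Basic auth was used
               .body("error", equalTo("invalid_client"));
    }

    // Step 4: refresh flow, run only if the server issued a refresh token
    @Test
    void refreshTokenYieldsUsableAccessToken() {
        Assumptions.assumeTrue(refreshToken != null, "server issued no refresh_token");
        String newToken = given()
                .auth().preemptive().basic(CLIENT_ID, CLIENT_SECRET)
                .contentType(ContentType.URLENC)
                .formParam("grant_type", "refresh_token")
                .formParam("refresh_token", refreshToken)
            .when().post(TOKEN_URL)
            .then().statusCode(200)
            .extract().path("access_token");
        given().auth().oauth2(newToken).when().get(PROTECTED_URL).then().statusCode(200);
    }
}
```

The negative tests are the ones that actually prove something: a resource server that ignores the Authorization header passes validTokenIsAccepted just as happily as a correct one, and only missingTokenIsRejected and tamperedTokenIsRejected catch that. The client secret is sent as an HTTP Basic header rather than as a form field because RFC 6749 recommends that method; if your provider only accepts client_secret_post, move CLIENT_ID and CLIENT_SECRET into formParam calls as in the post's own example.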

Java Code using Rest Assured

import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.response.Response;

import java.util.HashMap;
import java.util.Map;

public class OAuth2Test {

    public static void main(String[] args) {

        // Step 1: Get OAuth2 token (client_credentials grant)
        String tokenUrl = "https://example.com/oauth/token"; // Replace with the real token endpoint
        // Read the secret from the environment so it is never committed with the test code
        String clientSecret = System.getenv("OAUTH_CLIENT_SECRET");

        Map<String, String> params = new HashMap<>();
        params.put("grant_type", "client_credentials");
        params.put("client_id", "your-client-id");
        params.put("client_secret", clientSecret);

        Response tokenResponse = RestAssured
                .given()
                    .contentType(ContentType.URLENC) // token endpoint expects application/x-www-form-urlencoded
                    .formParams(params)
                .when()
                    .post(tokenUrl)
                .then()
                    .statusCode(200)
                    .extract()
                    .response();

        String accessToken = tokenResponse.jsonPath().getString("access_token");
        if (accessToken == null || accessToken.isEmpty()) {
            throw new IllegalStateException("Token endpoint returned no access_token");
        }
        // Do not print the token itself: it is a credential and would leak into logs
        System.out.println("Access token received, length " + accessToken.length());

        // Step 2: Use token to access protected API
        // Replace with a resource on the server that actually validates tokens from the authorization
        // server above; reqres.in does not validate tokens issued by example.com, so a 200 from it
        // proves nothing about authorization
        String protectedUrl = "https://reqres.in/api/users?page=2";

        RestAssured
                .given()
                    .auth()
                    .oauth2(accessToken) // Adds "Authorization: Bearer <token>"
                .when()
                    .get(protectedUrl)
                .then()
                    .statusCode(200)
                    .log().body();
    }
}



Code explanation:

(a) Get the OAuth2 token from the provider's token endpoint; here a placeholder URL is used: https://example.com/oauth/token
(b) Create a map and put the token request parameters in it: grant type, client id and client secret (the secret should come from the environment or a secrets store, never be hard-coded in the test).
(c) Extract the access token from the token response by its key, access_token (the key may differ depending on your provider's token response), and check that it is actually present. Do not print the token itself; it is a credential.
(d) Send the request to the API you need to access, https://reqres.in/api/users?page=2, and attach the token with:
 .auth().oauth2(accessToken)


Important Points:

  • auth().oauth2(token) only adds the Authorization: Bearer <token> header; it does not obtain the token for you, that is the separate token request above.
  • The token endpoint path differs per provider (e.g. https://api.example.com/oauth2/token); take it from the provider's metadata document (RFC 8414 /.well-known/oauth-authorization-server, or /.well-known/openid-configuration for OpenID Connect) or its documentation rather than guessing.
  • Never hard-code client secrets or print access tokens in test output; read secrets from the environment or a secrets store and redact tokens in logs.
  • A 200 from a server that does not check the token (such as the public reqres.in mock) is not evidence that authorization works; run the no-token and tampered-token negative tests against the real resource server.
  • 401 with WWW-Authenticate: Bearer error="invalid_token" means the token was missing, expired or invalid; 403 with error="insufficient_scope" means the token was valid but lacks the required scope (RFC 6750).


Suggested Posts:

1. Validate XML Schema in RestAssured
2. Validate JSON Schema in RestAssured
3. Test PUT API in RestAssured
4. Validate Response by Matchers API in RestAssured
5. Validate API Response from Database in RestAssured