Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oauth2 security, clientCredentials flow #783

Open
kiranpatel11 opened this issue Oct 9, 2023 · 5 comments
Open

oauth2 security, clientCredentials flow #783

kiranpatel11 opened this issue Oct 9, 2023 · 5 comments
Assignees
@joelrosario @harikrishnan83
Labels
enhancement Improvement to an existing feature feature_request New feature

Comments

@kiranpatel11
Copy link

We are trying to use specmatic to test against the API secured by oAuth2, clientCredentials flow, and it is running against the production like environment.

Since the application is running in a production like environment, we don't have an option to set it up with the mock security configuration for the purpose of the Contract Testing.

Questions :

  • can specmatic use the tokenUrl specified in the OAS to retrieve the real token for the contract tests ?
  • How to specify the configuration for the clientId and clientSecrets for the successful token retrival ?
@kiranpatel11
Copy link
Author

I could use the oauth2 token using the security section in the specmatic.json, but it uses only the hardcoded value.

is it possible to provide the env variable/placeholder in the specmatic.json security section such that it can be replaced at the runtime ?

{
    "security": {
      "OpenAPI": {
        "securitySchemes": {
          "oAuth2AuthCode": {
            "type": "oauth2",
            "token": "${MY_TOKEN}"
          }
        }
      }
    }
  }

@joelrosario
Copy link
Member

@kiranpatel11 thanks for the suggestion. We'll discuss this idea internally and get back.

@jaydeepk jaydeepk added the enhancement Improvement to an existing feature label Oct 11, 2023
@kiranpatel11
Copy link
Author

kiranpatel11 commented Oct 11, 2023
edited
Loading

To address the broader range of usecases, It would be great if you can make it configurable

  • to use real tokenUrl to get the token using the clientId/clientSecret via config+ENV variables for the cases where SUT is not possible to setup using the TestConfig OR
  • use hard-coded token for the cases where SUT can be setup using the TestConfig.

@kiranpatel11
Copy link
Author

@joelrosario ,

Please let me know if this issue is going to get prioritized in near future ?

@harikrishnan83
Copy link
Member

@kiranpatel11 apologies for the radio silence on this. You point about being able to make the token configurable makes sense. We now have ability to pass the bearer token, API keys, etc. for each type of security scheme through environment variables. Here is the documentation. Hope this helps.

About using tokenURL to get the real token, we will get back to you on this. Thanks.

@joelrosario joelrosario added the feature_request New feature label Feb 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joelrosario joelrosario

@harikrishnan83 harikrishnan83

Labels
enhancement Improvement to an existing feature feature_request New feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@joelrosario @harikrishnan83 @jaydeepk @kiranpatel11