Java Selenium TestNG CI/CD API Testing Database Playwright Performance

Chapter 7: Authentication and Authorization Testing

OAuth 2.0 Overview

OAuth 2.0 is the protocol behind "Login with Google" and "Login with GitHub." It lets a third-party app access your data without knowing your password. You have used it hundreds of times. Now you need to understand it as a tester.

The Valet Parking Analogy

You go to a fancy restaurant. You give the valet your car key — but it is a special valet key. It can start the engine and drive the car, but it cannot open the trunk or the glove box. OAuth works the same way. You give an app limited access to your data — not your full credentials.

Key Terminology

Term	What It Means	Example
Resource Owner	The user who owns the data	You (the person clicking "Login with Google")
Client	The app that wants access	A to-do list app asking for your Google Calendar
Authorization Server	The server that issues tokens	Google's OAuth server (accounts.google.com)
Resource Server	The server that has the data	Google Calendar API
Access Token	The key that grants access	A short-lived JWT or opaque token
Refresh Token	Used to get a new access token	A long-lived token stored securely
Scope	What permissions are requested	"read:calendar write:calendar"
Grant Type	The method used to get the token	authorization_code, client_credentials, etc.

Grant Types — Which Flow to Use

OAuth 2.0 has several "grant types" — different ways to get a token. As a tester, you will mostly encounter two: Authorization Code (for user-facing apps) and Client Credentials (for server-to-server).

Authorization Code Grant

●For apps with a user (browser, mobile)
●User logs in via the provider's login page
●App gets an authorization code, exchanges it for a token
●Most secure for user-facing apps
●Used by: "Login with Google", "Login with GitHub"
●Involves browser redirect — harder to automate

Client Credentials Grant

✓For server-to-server communication
✓No user involved — machine-to-machine
✓App sends client_id + client_secret, gets token directly
✓Simpler flow — easy to automate in tests
✓Used by: microservices calling each other, background jobs
✓No browser needed — just an API call

Authorization Code Flow

Authorization Code Grant Flow

1. User clicks login

App redirects to Google

→

2. User logs in

On Google's login page

→

3. Google redirects back

With authorization code

→

4. App exchanges code

Sends code + client_secret to Google

→

5. Google returns tokens

Access token + refresh token

→

6. App uses access token

To call Google Calendar API

Client Credentials Flow — REST Assured

ClientCredentialsTest.javajava

import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;

public class ClientCredentialsTest {

    private String accessToken;

    @BeforeClass
    public void getTokenViaClientCredentials() {
        RestAssured.baseURI = "https://auth.example.com";

        // Step 1: Get token using client_id and client_secret
        accessToken =
            given()
                .contentType(ContentType.URLENC)
                .formParam("grant_type", "client_credentials")
                .formParam("client_id", System.getenv("CLIENT_ID"))
                .formParam("client_secret", System.getenv("CLIENT_SECRET"))
                .formParam("scope", "read:users")
            .when()
                .post("/oauth/token")
            .then()
                .statusCode(200)
                .body("access_token", notNullValue())
                .body("token_type", equalTo("Bearer"))
                .body("expires_in", greaterThan(0))
                .extract()
                .jsonPath()
                .getString("access_token");
    }

    @Test
    public void testAccessResourceWithOAuthToken() {
        given()
            .header("Authorization", "Bearer " + accessToken)
        .when()
            .get("https://api.example.com/users")
        .then()
            .statusCode(200)
            .body("users.size()", greaterThan(0));
    }

    @Test
    public void testInvalidClientCredentials() {
        given()
            .contentType(ContentType.URLENC)
            .formParam("grant_type", "client_credentials")
            .formParam("client_id", "wrong-client-id")
            .formParam("client_secret", "wrong-secret")
        .when()
            .post("/oauth/token")
        .then()
            .statusCode(401)
            .body("error", equalTo("invalid_client"));
    }

    @Test
    public void testInvalidScope() {
        given()
            .contentType(ContentType.URLENC)
            .formParam("grant_type", "client_credentials")
            .formParam("client_id", System.getenv("CLIENT_ID"))
            .formParam("client_secret", System.getenv("CLIENT_SECRET"))
            .formParam("scope", "delete:everything")
        .when()
            .post("/oauth/token")
        .then()
            .statusCode(400)
            .body("error", equalTo("invalid_scope"));
    }
}

As a QA tester, you will rarely automate the full Authorization Code flow (it involves browser redirects). Most teams either use Client Credentials for test automation or have a test helper that generates tokens directly. Ask your dev team how to get test tokens.

Q: Explain OAuth 2.0 in simple terms. What grant types do you know?

A: OAuth 2.0 lets third-party apps access user data without knowing the user's password. Instead, the app gets a token with limited permissions. Key grant types: (1) Authorization Code — for user-facing apps, involves browser redirect, most secure. (2) Client Credentials — for server-to-server, no user involved, simplest to automate. (3) Implicit — deprecated, was for single-page apps. (4) Password Grant — deprecated, sends username/password directly. In test automation, Client Credentials is most commonly used because it requires no browser interaction.

Key Point: OAuth 2.0 lets apps access data without passwords. Authorization Code is for user-facing apps. Client Credentials is for server-to-server and easiest to automate in tests.

Previous Up NextToken Management in Tests