2.3. Usage - Testing IS-10 Authorization.md

Testing IS-10 Authorization

Most of the test suites can be run in a mode where authorization is required according to IS-10 / BCP-003-02. This is enabled by setting ENABLE_AUTH to True.

In this mode, every request which is made by the testing tool will include a JSON Web Token issued by the testing tool's mock authorization server, which should grant it access to the API under test.

Test suites which include 'mocks', most notably the IS-04 Node API suite (which include a mock registry), also require valid Access Tokens to be presented to the mock APIs by the OAuth Client (Node or Controller) under test.

Note that whilst the testing tool does not prevent authorization testing from being carried out with ENABLE_HTTPS set to False, this is for debugging purposes only. Production environments must never use authorization without TLS.

There are a number of additional configuration parameters required depending on the OAuth 2.0 options used by the OAuth Client under test.

• If the OAuth Client uses private_key_jwt client authentication, set JWKS_URI to its JSON Web Key Set endpoint.

• If the OAuth Client uses the Authorization Code Grant, the mock Auth server redirects the user-agent back to the client with the authorization code. If the redirect_uri is not provided by the client during the authorization code flow, set REDIRECT_URI to the appropriate endpoint.

• If the OAuth Client does not specify its required scope when requesting an Access Token, set SCOPE to configure the default scopes issued by the mock authorization server as a space-separated list of scope names, e.g. "connection node events". Supported scopes include "connection", "node", "query", "registration", "events", "channelmapping".