
Testing OAuth 2.0 Authentication Workflows in Insomnia

This test suite validates OAuth 2.0 authentication flows in Insomnia, covering various grant types and authorization scenarios. It ensures proper token handling, request authentication, and session management across different OAuth 2.0 implementations.

Test Coverage Overview

The test suite provides comprehensive coverage of OAuth 2.0 authentication flows including:
  • Authorization Code flow with and without PKCE
  • Implicit grant with ID token and Access token
  • Client Credentials flow
  • Resource Owner Password Credentials
  • Token refresh mechanisms
  • Session management and cleanup

Implementation Analysis

The tests drive the Insomnia UI with Playwright’s async/await API and verify token management, authorization endpoints and response bodies, using modern TypeScript testing patterns.

The tests simulate real-world OAuth scenarios with mock authentication servers and validate both request/response cycles and UI interactions.

Technical Details

Testing tools and configuration:
  • Playwright Test Framework
  • Custom fixture loading utilities
  • Mock OAuth 2.0 server (127.0.0.1:4010)
  • Platform-specific timeout configurations
  • TestID-based element selection
  • Automated browser interaction handling

Best Practices Demonstrated

The test implementation showcases several testing best practices:
  • Systematic validation of OAuth state management
  • Comprehensive error handling and token validation
  • Clean session management between tests
  • Platform-specific adaptations
  • Clear test organization and separation of concerns
  • Robust element selection strategies

kong/insomnia

packages/insomnia-smoke-test/tests/smoke/oauth.test.ts

            
import { expect } from '@playwright/test';

import { loadFixture } from '../../playwright/paths';
import { test } from '../../playwright/test';

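test('can make oauth2 requests', async ({ app, page }) => {
  // The flow opens several real authorization windows against the local mock
  // OIDC server, so it needs far more than the default budget; macOS gets an
  // explicit 6 minute timeout, everything else the framework's "slow" multiplier.
  if (process.platform === 'darwin') {
    test.setTimeout(6 * 60 * 1000);
  } else {
    test.slow();
  }

  const sendButton = page.locator('[data-testid="request-pane"] button:has-text("Send")');
  const statusTag = page.locator('[data-testid="response-status-tag"]:visible');
  const responseBody = page.locator('[data-testid="CodeEditor"]:visible', {
    has: page.locator('.CodeMirror-activeline'),
  });
  const projectView = page.locator('#wrapper');
  const tokenInput = page.locator('[for="Access-Token"] > input');
  // Keyboard shortcut that opens the Preferences dialog on the current platform.
  const preferencesShortcut = process.platform === 'darwin' ? 'Meta+,' : 'Control+,';

  /**
   * Completes the sign-in form shown by the mock OIDC server in a freshly
   * opened authorization window. `admin`/`admin` is the mock server's fixture
   * account (it only listens on 127.0.0.1:4010), not a real credential.
   */
  const signInOnAuthorizationWindow = async (authWindow: typeof page) => {
    await authWindow.waitForLoadState();
    // The sign-in form is only usable once the server has set its interaction
    // cookie, so wait for any cookie to appear before filling the form.
    await authWindow.waitForFunction("document.cookie !== ''");
    await authWindow.locator('[name="login"]').fill('admin');
    await authWindow.locator('[name="password"]').fill('admin');
    await authWindow.locator('button:has-text("Sign-in")').click();
  };

  /** Selects a request in the collection by its test id and checks its URL is displayed. */
  const openRequest = async (testId: string, expectedUrl: string) => {
    await page.getByLabel('Request Collection').getByTestId(testId).press('Enter');
    await expect(page.locator('.app')).toContainText(expectedUrl);
  };

  /** Expects the last response to be a 200 whose body contains `expectedFragment`. */
  const expectOkResponse = async (expectedFragment: string) => {
    await expect(statusTag).toContainText('200 OK');
    await expect(responseBody).toContainText(expectedFragment);
  };

  /**
   * Clears the stored OAuth 2 session from the Preferences dialog so that the
   * next grant type starts without cached tokens or server cookies; otherwise
   * a later flow could pass on state left behind by an earlier one.
   */
  const clearOAuth2SessionFromPreferences = async () => {
    await page.keyboard.press(preferencesShortcut);
    await page.locator('button:has-text("Clear OAuth 2 session")').click();
    await page.keyboard.press('Escape');
  };

  // Import the OAuth fixture collection through the clipboard.
  const oauthFixture = await loadFixture('oauth.yaml');
  await app.evaluate(async ({ clipboard }, fixtureYaml) => clipboard.writeText(fixtureYaml), oauthFixture);

  await page.getByLabel('Import').click();
  await page.locator('[data-test-id="import-from-clipboard"]').click();
  await page.getByRole('button', { name: 'Scan' }).click();
  await page.getByRole('dialog').getByRole('button', { name: 'Import' }).click();
  await page.getByLabel('OAuth Testing').click();

  // No PKCE: authorization code grant; sending opens a new window for sign-in.
  await projectView.getByLabel('Request Collection').getByTestId('No PKCE').press('Enter');
  await expect(page.locator('.app')).toContainText('http://127.0.0.1:4010/oidc/me');

  const [authorizationCodePage] = await Promise.all([
    app.waitForEvent('window'),
    sendButton.click(),
  ]);
  await signInOnAuthorizationWindow(authorizationCodePage);
  await expectOkResponse('"sub": "admin"');

  // Navigate to the OAuth2 tab and refresh the token from there; the refresh
  // must yield a different access token than the one obtained above.
  await page.getByRole('tab', { name: 'Auth' }).click();
  await expect(page.getByRole('button', { name: 'OAuth 2.0' })).toBeVisible();

  const prevToken = await tokenInput.inputValue();
  await page.locator('button:has-text("Refresh Token")').click();
  await expect(tokenInput).not.toHaveValue(prevToken);

  // Clear the session and tokens, then fetch a token manually; because the
  // session is gone, the server must ask for credentials again.
  await page.locator('text=Advanced Options').click();
  await page.locator('button:has-text("Clear OAuth 2 session")').click();
  await page.locator('button:text-is("Clear")').click();

  const [refreshPage] = await Promise.all([
    app.waitForEvent('window'),
    page.locator('button:has-text("Fetch Tokens")').click(),
  ]);
  await signInOnAuthorizationWindow(refreshPage);
  await expect(tokenInput).not.toHaveValue('');

  // PKCE SHA256: same grant, S256 code challenge; the session is still valid,
  // so no sign-in window is expected.
  await openRequest('PKCE SHA256', 'http://127.0.0.1:4010/oidc/me');
  await expect(page.locator('#Grant-Type')).toHaveValue('authorization_code');
  await expect(page.locator('#Code-Challenge-Method')).toHaveValue('S256');
  await sendButton.click();
  await expectOkResponse('"sub": "admin"');

  // PKCE Plain: same grant with the plain code challenge method.
  await openRequest('PKCE Plain', 'http://127.0.0.1:4010/oidc/me');
  await expect(page.locator('#Grant-Type')).toHaveValue('authorization_code');
  await expect(page.locator('#Code-Challenge-Method')).toHaveValue('plain');
  await sendButton.click();
  await expectOkResponse('"sub": "admin"');

  // Inherited auth from the folder.
  await openRequest('Request with Inherited Auth', 'http://127.0.0.1:4010/oidc/me');
  await sendButton.click();
  await expectOkResponse('"sub": "admin"');

  await clearOAuth2SessionFromPreferences();

  // ID Token: implicit grant; the cleared session forces a new sign-in window.
  await openRequest('ID Token', 'http://127.0.0.1:4010/oidc/id-token');
  await expect(page.locator('#Grant-Type')).toHaveValue('implicit');

  const [implicitPage] = await Promise.all([
    app.waitForEvent('window'),
    sendButton.click(),
  ]);
  await signInOnAuthorizationWindow(implicitPage);
  await expectOkResponse('"sub": "admin"');

  // ID and Access Token: implicit grant reusing the session established above.
  await openRequest('ID and Access Token', 'http://127.0.0.1:4010/oidc/me');
  await expect(page.locator('#Grant-Type')).toHaveValue('implicit');
  await sendButton.click();
  await expectOkResponse('"sub": "admin"');

  await clearOAuth2SessionFromPreferences();

  // Client Credentials: no user involved, so the response carries the client id.
  await openRequest('Client Credentials', 'http://127.0.0.1:4010/oidc/client-credential');
  await expect(page.locator('#Grant-Type')).toHaveValue('client_credentials');
  await sendButton.click();
  await expectOkResponse('"clientId": "client_credentials"');

  await clearOAuth2SessionFromPreferences();

  // Resource Owner Password Credentials: the fixture's user is "foo".
  await openRequest('Resource Owner Password Credentials', 'http://127.0.0.1:4010/oidc/me');
  await expect(page.locator('#Grant-Type')).toHaveValue('password');
  await sendButton.click();
  await expectOkResponse('"sub": "foo"');
});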