Sample code showing how to test an API that has been secured using Auth0. Three types of tests are showcased:
-
.NET Core 3.1 based integration tests using the xUnit template. The tests are using test tokens procured from Auth0
-
.NET Core 3.1 based integration tests using fake JWT Bearer tokens
-
Jasmine and Node JS based outside-in tests using test tokens procured from Auth0
|
Note
|
This repository requires the use of .NET Core dotnet --version If your version is older or you don’t have .NET Core installed, then get it from here: https://dotnet.microsoft.com/download |
First you need an account on Auth0. You can create a free personal account here: https://auth0.com/signup.
The login or tenant name you select during signup will determine the Authority. It looks like the following:
-
or if you have selected EU as the data location it will be:
Once logged in to Auth0:
-
Navigate to APIs
-
Click the button "+ CREATE API"
-
Enter the following data:
-
Friendly name, e.g.
Glossary API -
Identifier, e.g.
https://glossary.acme.com -
Leave Signing Algorith at
RS256 -
Click the button CREATE
-
Once the API is created you’ll get a client_id and a client_secret for it. Navigate to the Test tab to find out the details.
The API and integration tests work with developer secrets to avoid having secrets in code.
-
To define the secrets open a terminal and navigate to the
apifolder -
Initialize the user secrets manager
$ dotnet user-secrets init -
Add the 4 necessary secrets:
$ dotnet user-secrets set "auth0:url" "<url to token provider>" $ dotnet user-secrets set "auth0:client_id" "<client-id>" $ dotnet user-secrets set "auth0:client_secret" "<client-secret>" $ dotnet user-secrets set "auth0:audience" "<audience>"where
-
<url to token provider>equals something likehttps://<tenant>.auth0.com/oauth/tokenand -
<audience>is the API Audience such ashttps://glossary.acme.com. It corresponds to the identifier you chose for the API during creation.
To get a token from Auth0 use the following command:
curl --request POST \
--url https://<tenant>.eu.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"<client-id>","client_secret":"<client-secret>","audience":"<audience>","grant_type":"client_credentials"}'-
To get a list of all glossary items use (endpoint not secured):
curl --insecure https://localhost:5001/api/glossary
-
To get a specific glossary item by its
termuse (endpoint not secured):curl --insecure https://localhost:5001/api/glossary/<term>
-
To create a new glossary item use:
curl --insecure --request POST \ --header 'content-type: application/json' \ --header 'Authorization: Bearer <token>' \ --data '<data>' \ --url https://localhost:5001/api/glossaryWhere
<token>is the token requested in the previous section. -
To update a specific glossary item use:
curl --insecure --request PUT \ --header 'content-type: application/json' \ --header 'Authorization: Bearer <token>' \ --data '<data>' \ --url https://localhost:5001/api/glossary -
To delete a specific glossary item use:
curl --insecure --request DELETE \ --header 'content-type: application/json' \ --header 'Authorization: Bearer <token>' \ --url https://localhost:5001/api/glossary/<term>
Before continuing make sure you have defined User Secrets as described above.
-
To run Xunit based tests that use User Secrets to configure access to Auth0, use the following command:
$ dotnet test tests
-
To run Xunit based tests that use fake JWT Bearer tokens, use the following command:
$ dotnet test tests-with-fake-tokens
-
Navigate to the solution folder
-
Make sure to create a file
conf/conf.jsaccording to theREADME.mdin theconffolder -
Run the tests with:
$ docker-compose -f docker-compose-test.yml up --build -
Whenever you change code in the API it will restart automatically
-
Whenever you change code in the Jasmine based test suite all tests will rerun automatically