Fake OAuth 2.0 resource and authorization app
The webfakes package comes with two fake apps that let you imitate the OAuth2.0 flow in your test cases. (See Aaron Parecki's tutorial for a good introduction to OAuth2.0.) One app (oauth2_resource_app()) is the API server that serves as the resource and also provides authorization. oauth2_third_party_app() plays the role of the third-party app. They are useful when testing or demonstrating code that handles OAuth2.0 authorization, token caching, etc. in a package. The apps can be used in your tests directly, or you can adapt one or both of them to better mimic a particular OAuth2.0 flow.
oauth2_resource_app(
  access_duration = 3600L,
  refresh_duration = 7200L,
  refresh = TRUE,
  seed = NULL,
  authorize_endpoint = "/authorize",
  token_endpoint = "/token"
)
access_duration: After how many seconds should access tokens expire.
refresh_duration: After how many seconds should refresh tokens expire (ignored if
refresh: Should a refresh token be returned (logical).
seed: Random seed used when creating tokens. If NULL, we rely on R to provide a seed. The app uses its own RNG stream, so it does not affect reproducibility of the tests.
authorize_endpoint: The authorization endpoint of the resource server. Change this from the default if the real app that you are faking does not use
token_endpoint: The endpoint to request tokens. Change this if the real app that you are faking does not use
The app has the following endpoints:

- GET /register is the endpoint that you can use to register your third party app. It needs to receive the name of the third party app, and its redirect_uri as query parameters, otherwise it returns an HTTP 400 error. On success it returns a JSON dictionary with entries name (the name of the third party app),

- GET /authorize is the endpoint where the user of the third party app is sent. You can change the URL of this endpoint with the authorize_endpoint argument. It needs to receive the client_id of the third party app, and its correct redirect_uri as query parameters. It may receive a state string as well, which can be used by a client to identify the request. Otherwise it generates a random state string. On error it fails with an HTTP 400 error. On success it returns a simple HTML login page.

- POST /authorize/decision is the endpoint where the HTML login page generated at /authorize connects back to, either with a positive or negative result. The form on the login page sends the state string and the user's choice in the action variable. If the user authorized the third party app, then they are redirected to the redirect_uri of the app, with a temporary state string supplied as query parameters. Otherwise a simple HTML page is returned.

- POST /token is the endpoint where the third party app requests a temporary access token. It is also used for refreshing an access token with a refresh token. You can change the URL of this endpoint with the token_endpoint argument. To request a new token or refresh an existing one, the following data must be included in either a JSON or a URL-encoded request body:
  - grant_type, this must be authorization_code for new tokens, and
  - code, this must be the temporary code obtained from the /authorize/decision redirection, for new tokens. It is not needed when refreshing.
  - client_id must be the client id of the third party app.
  - client_secret must be the client secret of the third party app.
  - redirect_uri must be the correct redirection URI of the third party app. It is not needed when refreshing tokens.
  - refresh_token must be the refresh token obtained previously, when refreshing a token. It is not needed for new tokens.
  On success a JSON dictionary is returned with entries: refresh_token. (The latter is omitted if the

- GET /locals returns a list of current apps, access tokens and refresh tokens.

- GET /data is an endpoint that returns a simple JSON response, and needs authorization.
Using this app in your tests requires the glue package, so you need to put it in
You can add custom endpoints to the app, as needed.
If you need authorization in your custom endpoint, call app$is_authorized() in your handler:

if (!app$is_authorized(req, res)) return()

app$is_authorized() sends an HTTP 401 response itself if the client is not authorized, so your handler can simply return without writing anything else to the response.
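The following is an added example, not code from the webfakes package or its documentation. It wires a custom, token-protected endpoint into the fake resource server, starts it in a background process, registers a third-party app through GET /register, and then checks the two failure modes a test suite should cover: a request with no token and a request with a token the server never issued must both come back as 401, and a /register call without name and redirect_uri must come back as 400. It assumes local_app_process(), server_opts(), the $url() method of the app process, app$get() and res$send_json() from webfakes, that is_authorized() looks for a "Authorization: Bearer <token>" header, and the httr package for the client side; the redirect URI and client name are constructed placeholders.

```r
library(webfakes)
library(httr)

# Fake resource/authorization server with short-lived tokens and a fixed
# seed so token values are reproducible across test runs.
app <- oauth2_resource_app(access_duration = 60L, seed = 42L)

# Custom endpoint that requires a valid access token. is_authorized()
# writes the 401 response itself, so the handler just returns.
app$get("/protected", function(req, res) {
  if (!app$is_authorized(req, res)) return()
  res$send_json(list(secret = "only for token holders"), auto_unbox = TRUE)
})

# Start the server in a background process for the life of the test/session
# (assumed webfakes API: local_app_process() / server_opts()).
rsapp <- local_app_process(app, opts = server_opts(num_threads = 3))

# 1. Register a third-party app. /register needs name and redirect_uri as
#    query parameters and answers with the client's registration record.
redirect_uri <- "http://localhost:9999/login/redirect"   # constructed placeholder
reg <- GET(rsapp$url("/register"),
           query = list(name = "demo client", redirect_uri = redirect_uri))
stopifnot(status_code(reg) == 200)
client <- content(reg)          # parsed JSON: includes the registered name
stopifnot(identical(client$name, "demo client"))

# 2. Registration without the required parameters is rejected with 400.
stopifnot(status_code(GET(rsapp$url("/register"))) == 400)

# 3. The protected endpoint refuses anonymous requests.
stopifnot(status_code(GET(rsapp$url("/protected"))) == 401)

# 4. It also refuses a token it never issued: only tokens handed out by
#    /token after a successful /authorize/decision should be accepted.
bad <- GET(rsapp$url("/protected"),
           add_headers(Authorization = "Bearer not-a-real-token"))
stopifnot(status_code(bad) == 401)

# 5. /locals exposes the server's bookkeeping; before any authorization has
#    happened it should list the registered app but no access tokens.
locals <- content(GET(rsapp$url("/locals")))
str(locals)
```

The fixed seed matters in a test suite: the fake app's token values then stay stable between runs, so snapshot tests of the /locals output do not churn. The two negative checks (no token, unknown token) are the ones worth keeping in a package's own tests, because they are what protects against accidentally shipping a client that calls a protected API without attaching the token it cached.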
For more details see
vignette("oauth", package = "webfakes").
Other OAuth2.0 functions: