Friday, August 23, 2013

OAuth testing continued

Let's close on the OAuth test matrix here:
1) Implicit Grant
a. Missing user id
b. Missing client id
c. Any user id but a valid client id
d. Valid user id and client id
e. Valid user id but invalid client id
f. Error codes – 400, 403, 404, invalid_request, invalid_token and insufficient_scope
g. Use an invalid URI so that no 302 redirect is returned (new)
h. Performance (new)
i. XML and JSON responses
2) Authorization Code Grant
a. Same as the implicit grant but with responseType=code, so 1a to 1i will be repeated. (new)
b. The code is exchanged for a token.
c. Code expiry will not be tested, but code revocation will be tested to validate the resulting token.
3) Client Credentials Grant
a. Targets the token endpoint to obtain a token using client id, client secret and scope (new)
b. Checks the error message returned for an invalid grant (new)
4) Revoke Access
a. Revoking a token will be tested, but not revoking a client
b. Revoke an already revoked token
c. Revoke an already revoked client (new)
d. Revoke all tokens for a client (get all tokens and validate each) (new)
5) Claim Information
a. Get claims based on the default scope (null)
b. Get claims based on a specific scope (not null)
6) Client Information
a. Get the name of the client application and check its access tokens
b. Get a client with no name, description or image to see the default rendered to the user
c. Get all access tokens, then add or remove tokens to see if the client information is updated
d. Check that "revoke all" removes all access tokens.
7) Get Allowed Clients for a User
a. Check that all the clients are listed for the user.
b. Add or remove a client to see the corresponding update to the list
c. Authorize a client for the user, then delete the client to check for orphaned entries
8) Check Response Types
a. Check the code
b. Check the token
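To pin down what the matrix should expect before it is run against a real server, here is an added example (not code from the original post) that models a token endpoint in memory and drives items 3a, 3b, 4b and 4d; the client "app1", its secret and scopes are constructed sample data, and the error codes follow RFC 6749 and RFC 7009.

```python
import secrets

class TokenServer:
    """In-memory model: client credentials grant (RFC 6749 s4.4) plus revocation (RFC 7009)."""
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, allowed scopes)
        self.tokens = {}   # access token -> client_id

    def register_client(self, client_id, secret, scopes):
        self.clients[client_id] = (secret, set(scopes))

    def token(self, grant_type, client_id, client_secret, scope):
        # Error codes follow RFC 6749 section 5.2
        if grant_type != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        creds = self.clients.get(client_id)
        if creds is None or creds[0] != client_secret:
            return 401, {"error": "invalid_client"}
        if not set(scope.split()) <= creds[1]:
            return 400, {"error": "invalid_scope"}
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = client_id
        return 200, {"access_token": tok, "token_type": "bearer", "scope": scope}

    def revoke(self, token):
        # RFC 7009 section 2.2: respond 200 whether or not the token existed,
        # so revoking twice must look identical to revoking once (matrix 4b).
        self.tokens.pop(token, None)
        return 200

    def tokens_for(self, client_id):
        return [t for t, c in self.tokens.items() if c == client_id]

def run_matrix(server):
    """Drive matrix items 3a, 3b, 4b and 4d and return what was observed."""
    results = {}
    status, body = server.token("client_credentials", "app1", "s3cret", "read")
    results["3a_token_issued"] = status == 200 and "access_token" in body
    status, body = server.token("password", "app1", "s3cret", "read")
    results["3b_unsupported_grant"] = (status, body["error"])
    status, body = server.token("client_credentials", "app1", "wrong", "read")
    results["3b_bad_secret"] = (status, body["error"])
    tok = server.token("client_credentials", "app1", "s3cret", "read")[1]["access_token"]
    results["4b_revoke_twice"] = (server.revoke(tok), server.revoke(tok))
    for t in server.tokens_for("app1"):  # 4d: revoke every token for the client
        server.revoke(t)
    results["4d_all_revoked"] = server.tokens_for("app1") == []
    return results
```

Register "app1" with secret "s3cret" and scopes read/write on a TokenServer, pass it to run_matrix, and compare the returned dictionary against the real endpoint's responses; a server that returns a different status on the second revoke leaks whether a token was ever valid.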

