OAuth Testing

Document created by Chris Sommerstad Employee on Jul 20, 2017
Version 1

CloudTest supports the OAuth protocol for both HTTP and SOAP targets. OAuth is a security scheme designed to allow one site (consumer site) to include content from another site (provider site) without requiring users to provide individual user names and passwords.

When CloudTest sends an OAuth message, the target-based values are utilized as part of the authorization process. Message responses are examined until the access token has been determined to populate system properties. Subsequent requests are examined for usage of any of these parameters and the corresponding system property (full list below) is used to substitute the necessary updated values.

OAuth Options in the Target Editor

The OAuth Options section in the Target Editor shows the following fields for consumer targets (the ones needing authorization):

  • This site uses OAuth security

Check this option to indicate that the target site is an OAuth site.

  • OAuth Consumer Key

Enter the consumer key string for the target application that would normally be part of site setup. For OAuth-enabled targets, this field must have a value before a composition on the target is run.

  • OAuth Consumer Secret

Enter the consumer secret string for the target application that would normally be part of site setup. For OAuth-enabled targets, this field must have a value before a composition on the target is run.

  • OAuth Signature Method

Specify the signature method for the target site. This is most likely HMAC-SHA1, RSA-SHA1, or PLAINTEXT, but providers are allowed to define their own methods. For OAuth-enabled targets, this field must have a value before a composition on the target is run.

  • OAuth Callback Method

Enter the callback method for the target application that would normally be part of site setup. For OAuth-enabled targets, this field must have a value before a composition on the target is run.

 

OAuth System Properties

The OAuth system properties are automatically utilized during OAuth transactions when necessary. It is possible that not all would be used in a given case. For example, callbacks are not always used. These properties can be manually applied via the Message Editor or referred to in scripts.

The complete list of OAuth System Properties is:

  • oauth_callback (must have a value before composition is run for site setups that require this setting)
  • oauth_callback_confirmed (generated at runtime)
  • oauth_consumer_key (repository would contain the initial secret that would normally be part of site setup -- must have a value before composition is run)
  • oauth_nonce (generated at runtime)
  • oauth_signature (generated at runtime)
  • oauth_signature_method (must have a value before a composition is run; most likely HMAC-SHA1, RSA-SHA1, or PLAINTEXT but providers are allowed to define their own methods)
  • oauth_timestamp (generated at runtime)
  • oauth_token (discovered at runtime)
  • oauth_token_secret (established during the authentication process using the oauth_consumer_key and oauth_consumer_secret; a “new” token and secret are obtained from them)
  • oauth_verifier (discovered at runtime)
  • oauth_version (generated at runtime)

At the time CloudTest sends a message request to an OAuth site, oauth_consumer_key and oauth_token_secret are used to generate a signature (oauth_signature).

Responses are examined until the access token has been determined, and the values returned by the provider (oauth_token, oauth_token_secret, and oauth_verifier) populate these properties. The returned values are in urlencoded form in the HTTP response.

Requests will be examined for usage of any of these parameters and the corresponding system property will be used to substitute those with updated values.
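The flow described above, as an added example that is not CloudTest's own code: it parses a urlencoded token response into properties and then computes oauth_signature for the next request with HMAC-SHA1 as RFC 5849 defines it (the HMAC key is the consumer secret and the token secret joined by "&"). The function names are hypothetical, the sample values are the published example from the OAuth Core 1.0 specification, and default ports in the URL are assumed absent.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Properties that are never transmitted as signed request parameters.
NOT_SIGNED = {"oauth_signature", "oauth_token_secret", "oauth_callback_confirmed"}

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars kept)."""
    return quote(str(value), safe="~")

def parse_token_response(body):
    """Pull oauth_* values out of a urlencoded provider response body."""
    return {k: v for k, v in parse_qsl(body, strict_parsing=True) if k.startswith("oauth_")}

def signature_base_string(method, url, props):
    """Build the RFC 5849 signature base string from the URL and the properties."""
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in props.items() if k not in NOT_SIGNED]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join(pct(p) for p in (method.upper(), base_uri, normalized))

def sign_hmac_sha1(method, url, props, consumer_secret):
    """Return the base64 oauth_signature value for HMAC-SHA1."""
    key = f"{pct(consumer_secret)}&{pct(props.get('oauth_token_secret', ''))}"
    base = signature_base_string(method, url, props)
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Sample values from the OAuth Core 1.0 specification's appendix example.
CONSUMER_SECRET = "kd94hf93k423kf44"
PROPS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
# Provider's access-token response body, urlencoded as described above.
PROPS.update(parse_token_response("oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00"))
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"

if __name__ == "__main__":
    print(sign_hmac_sha1("GET", URL, PROPS, CONSUMER_SECRET))
```

With the PLAINTEXT method the signature is the key string itself rather than a digest, so that method relies on TLS to keep the secrets confidential in transit.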
