How can I automate a test for an endpoint protected using an ID Provider like Google?

I have a setup that is using the PKCE flow to handle auth for both an SPA and a mobile application. I now need to test endpoints protected by this setup. I would like to use social login to test being able to get a social access token so I would like to avoid username and password auth. Is there a way to handle this? So far all I have come up with is…

  1. Use WebDriver to open a browser and login
  2. Steal the auth0 cookie from the browser.
  3. Use the /authorize and token endpoint to get required access token.

Is there a better option for this? We can and have gotten the password grant type to work but we can’t test social based functionality.