How can I automate the recovery of a user id token for automated tests?

theod · April 15, 2021, 1:51pm

Hello,

I am working on a project on which I authenticate my users on a front-end (authorization code with PKCE) . Then, I am sending to my back-end the id token in order to check the authentication and return some informations (if the authentication is successful).

In order to do automated tests (integrated on my CI), I would like to know if there is an method to fetch an id token from a test user.

I tried a first approach by :

creating a auth0 tenant specific for test purposes
creating one user
fetch token with the endpoint oauth/token with the password authorization flow.
Nevertheless the endpoint doesn’t look to be able to return an id token, only access token. (according to the API documentation)

Can you recommend a way to fetch automatically an id token and then test my API routes ?

I thank you a lot in advance,

dan.woda · April 15, 2021, 10:46pm

Hi @theod,

Welcome to the Community!

Did you try passing an openid scope with your request?

theod · April 16, 2021, 8:11am

Hello @dan.woda ,
Thanks a lot for the quick reply. Actually I tried to pass an openid scope in my request but only a access_token is returned.

Here is the model of my request :

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&username=USERNAME&password=PASSWORD&audience=API_IDENTIFIER&scope=openid&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"
 }'

and the response looks like :

{
   "access_token": "...",
   "scope":"openid profile email address phone read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities","expires_in":2592000,"token_type":"Bearer"
}

This is in fact the behavior described in the section concerning this endpoint in the API documentation.

Is there something i am not doing correctly ?

dan.woda · April 16, 2021, 4:55pm

I just tested it and get can an ID token.

Here is my request export from postman, also tested in my terminal:

curl --location --request POST 'https://xxx.auth0.com/oauth/token' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data-urlencode 'grant_type=password' \
     --data-urlencode 'client_id=xxx' \
     --data-urlencode 'client_secret=xxx' \
     --data-urlencode 'username=xxx' \
     --data-urlencode 'password=xxx' \
     --data-urlencode 'scope=openid'

theod · April 16, 2021, 5:30pm

You are right my mistake was to add an audience parameter.

Thank you so much for your support!

dan.woda · April 16, 2021, 6:44pm

Let us know if you have other questions.

system · May 1, 2021, 6:45pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.