This repository has been archived by the owner on Nov 8, 2024. It is now read-only.

oauth2 authorization option #454

Closed
timgent opened this issue Apr 20, 2016 · 5 comments


timgent commented Apr 20, 2016

I have an API secured with the oauth2 specification. To connect to it a consumer needs to:

  • provide a username and password to the authorization endpoint, receiving back an access token
  • use the access token for subsequent requests to the API

I would propose usage along the lines of:
dredd --authtype oauth2 --user tim:password --oauthroute /oauth/login

With authtype defaulting to basic otherwise

Thoughts appreciated

@honzajavorek
Contributor

@timgent Thank you, this is generally a feature request for Dredd to handle auth, in this particular case OAuth2.

Before we start to add support for auth to Dredd we would like to first bake in the support to the underlying API description language. Swagger (see plans in #389) already supports describing auth. There are proposals on how to bring description of auth to API Blueprint: https://github.com/apiaryio/api-blueprint-rfcs/tree/master/rfcs But it's not implemented yet in the parser. If that gets implemented, we could teach Dredd how to respect it. Would that be a solution for you?

What is your use case? Do you test your production API, or is it about CI, development, etc.? In development, you could work around auth headers by hooks.

Author

timgent commented Apr 20, 2016

Thanks for the quick reply @honzajavorek, some more details below

Your Proposed Solution
Our architecture is that we have a proxy in front of our API that handles auth, and only allows consumers through to the API if they have a valid access token. I think this is becoming more common with greater use of API gateways.

When testing locally or in CI before any deployments only the API is being tested, so no auth component is required. Once deployed (to dev, preprod, etc) the tests will be run against the deployed version of the server which will include a proxy in front of it.

The solution as proposed would work for us, though it would be extra nice to be able to provide a flag to disable having to test the auth too (for example when testing locally without our auth infrastructure).

Only thing I wasn't clear about with the proposal was how to mark other endpoints in the specification as requiring authorization.

Workarounds for the time being
We could have a hook that does the initial authorization. We would then somehow need to add the resulting access token as a header for all requests - is this possible?

Contributor

w-vi commented Apr 20, 2016

@timgent Yes you can use hooks as a workaround, see Dredd docs on hooks for some examples. You can utilize beforeAll hook to get the token and then beforeEach to add header. See session handling example for inspiration. I hope this helps.
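
The beforeAll/beforeEach workaround described in the comment above, as an added example that is not part of the thread or of Dredd's own code. The environment variable names (OAUTH_TOKEN_URL, OAUTH_USER, OAUTH_PASSWORD) are hypothetical, and it assumes the token endpoint accepts an RFC 6749 password-grant form and returns JSON with an access_token field, on a Node.js version with a global fetch.

```javascript
// Dredd hooks file (added example). Env var names are assumptions; credentials
// come from the environment rather than from command-line arguments.
function buildTokenRequest(env) {
  if (!env.OAUTH_TOKEN_URL) return null; // auth disabled: local/CI run without the proxy
  if (!env.OAUTH_TOKEN_URL.startsWith('https://')) {
    throw new Error('refusing to send credentials to a non-HTTPS token URL');
  }
  if (!env.OAUTH_USER || !env.OAUTH_PASSWORD) {
    throw new Error('OAUTH_USER and OAUTH_PASSWORD must be set');
  }
  const form = new URLSearchParams({
    grant_type: 'password', // assumption: RFC 6749 password grant
    username: env.OAUTH_USER,
    password: env.OAUTH_PASSWORD,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  return { url: env.OAUTH_TOKEN_URL, options: { method: 'POST', headers, body: form.toString() } };
}

function registerAuthHooks(hooks, env, httpPost) {
  const state = { token: null, error: null };
  hooks.beforeAll((transactions, done) => {
    let req;
    try { req = buildTokenRequest(env); } catch (e) { state.error = e.message; return done(); }
    if (!req) return done();
    httpPost(req.url, req.options)
      .then((res) => {
        if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
        return res.json();
      })
      .then((body) => {
        if (!body.access_token) throw new Error('response has no access_token');
        state.token = body.access_token;
      })
      .catch((e) => { state.error = e.message; })
      .then(() => done());
  });
  hooks.beforeEach((transaction, done) => {
    // Fail closed: a token error fails the test instead of sending it unauthenticated.
    if (state.error) transaction.fail = `OAuth2 setup failed: ${state.error}`;
    else if (state.token) transaction.request.headers.Authorization = `Bearer ${state.token}`;
    done();
  });
}

// Wire-up when Dredd loads this file: Dredd provides the 'hooks' module.
let dreddHooks = null;
try { dreddHooks = require('hooks'); } catch (_) { /* not running under Dredd */ }
if (dreddHooks) registerAuthHooks(dreddHooks, process.env, (url, opts) => fetch(url, opts));
```

Leaving OAUTH_TOKEN_URL unset gives the "disable auth when testing locally" behaviour asked for earlier in the thread, and the token is never logged.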

Author

timgent commented Apr 20, 2016

@w-vi Thanks that helps a lot, looks pretty straightforward

@honzajavorek
Contributor

I'd leave it on hooks. Supporting oauth2 out of the box feels out of scope for Dredd now. There are bigger challenges we're facing.
