Can this lib be used for integration testing (@SpringBootTest)?

[ch4mpy]

This is a dedicated point to answer a question asked by @fintans in an unrelated thread

[ch4mpy]

Yes, actually, it is possible to write @SpringBootTest with mocked user identities. I added integration tests with @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.MOCK) to all samples to demo that.

However, test libs in this repo are not producing base64 encoded JSON Web Tokens, later decoded, validated and turned into Authentication by Spring framework.

Instead, it is directly building Authentication instances (JwtAuthenticationToken, BearerTokenAuthentication, OAuthentication<OpenidClaimSet>, etc.) and populates test security context with it.
Test Authentication are build as specified by one of the following:

• annotations (@WithMockJwtAuth, @WithBearerTokenAuthentication, @Openid and @WithMockAuthentication)
• RequestPostProcessor (for MockMvc)
• WebTestClientConfigurer (for WebTestClient) .

Why not producing actual JWTs and populating Authorization header with it?

• When testing other @Compent than @Controller, request context is not relevant (it's perfectly legit to test a @Service with a security context for a non-web app => no authorization header to set.
• I can't sign the token with authorization server private key.
• In unit tests, you don't really care about token validity (i.e. the token being expired or not having an expiration claim at all is most frequently acceptable).
• In unit tests, you don't care about the Authorisation header. All you might care is the test security context being populated with the right Authentication implementation and have some control over it's properties (granted authorities and others)

How do I run my integration tests in non mocked environment?

An authorization server should be accessible. Use Docker or something alike and:

• Create actual users with expected roles on your authorization server (this should be scripted)
• Write an utility class using any REST client to issue OAuth2 authentication requests for those users (details depend mostly on the flows your authorisation server supports)
• Get actual valid tokens issued by your authorization server and put it in your tests requests Authorization header.