You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/modules/ROOT/pages/reactive/test/web/oauth2.adoc
+51-4Lines changed: 51 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -787,11 +787,58 @@ client
787
787
======
788
788
789
789
[[webflux-testing-jwt]]
790
-
== Testing JWT Authentication
790
+
== Testing OAuth 2.0 Resource Servers with JWT
791
791
792
-
To make an authorized request on a resource server, you need a bearer token.
793
-
If your resource server is configured for JWTs, the bearer token needs to be signed and then encoded according to the JWT specification.
794
-
All of this can be quite daunting, especially when this is not the focus of your test.
792
+
Similar to <<webflux-testing-opaque-token,opaque tokens>>, JWTs require an authorization server in order to verify their validity, which can make testing more difficult.
793
+
To help with that, Spring Security has test support for JWTs.
794
+
795
+
Suppose you have a controller that retrieves the authentication as a `Jwt`:
796
+
797
+
[tabs]
798
+
======
799
+
Java::
800
+
+
801
+
[source,java,role="primary"]
802
+
----
803
+
@GetMapping("/endpoint")
804
+
public Mono<String> foo(@AuthenticationPrincipal Jwt jwt) {
805
+
return Mono.just(jwt.getClaimAsString("sub"));
806
+
}
807
+
----
808
+
809
+
Kotlin::
810
+
+
811
+
[source,kotlin,role="secondary"]
812
+
----
813
+
@GetMapping("/endpoint")
814
+
fun foo(@AuthenticationPrincipal jwt: Jwt): Mono<String> {
815
+
return Mono.just(jwt.getClaimAsString("sub"))
816
+
}
817
+
----
818
+
======
819
+
820
+
In that case, you can tell Spring Security to include a default `Jwt` by using the `SecurityMockServerConfigurers#mockJwt` method:
This example creates a mock `Jwt` and passes it through any authentication APIs so that it is available for your authorization mechanisms to verify.
795
842
796
843
Fortunately, there are a number of simple ways in which you can overcome this difficulty and let your tests focus on authorization and not on representing bearer tokens.
797
844
We look at two of them in the next two subsections.
Copy file name to clipboardExpand all lines: docs/modules/ROOT/pages/servlet/test/mockmvc/oauth2.adoc
+51-4Lines changed: 51 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -790,12 +790,59 @@ mvc.get("/endpoint") {
790
790
======
791
791
792
792
[[testing-jwt]]
793
-
== Testing JWT Authentication
793
+
== Testing OAuth 2.0 Resource Servers with JWT
794
794
795
-
In order to make an authorized request on a resource server, you need a bearer token.
795
+
Similar to <<testing-opaque-token,opaque tokens>>, JWTs require an authorization server in order to verify their validity, which can make testing more difficult.
796
+
To help with that, Spring Security has test support for JWTs.
796
797
797
-
If your resource server is configured for JWTs, then this would mean that the bearer token needs to be signed and then encoded according to the JWT specification.
798
-
All of this can be quite daunting, especially when this isn't the focus of your test.
798
+
Let's say that we've got a controller that retrieves the authentication as a `Jwt`:
799
+
800
+
[tabs]
801
+
======
802
+
Java::
803
+
+
804
+
[source,java,role="primary"]
805
+
----
806
+
@GetMapping("/endpoint")
807
+
public String foo(@AuthenticationPrincipal Jwt jwt) {
808
+
return jwt.getClaimAsString("sub");
809
+
}
810
+
----
811
+
812
+
Kotlin::
813
+
+
814
+
[source,kotlin,role="secondary"]
815
+
----
816
+
@GetMapping("/endpoint")
817
+
fun foo(@AuthenticationPrincipal jwt: Jwt): String {
818
+
return jwt.getClaimAsString("sub")
819
+
}
820
+
----
821
+
======
822
+
823
+
In that case, we can tell Spring Security to include a default `Jwt` using the `jwt` xref:servlet/test/mockmvc/request-post-processors.adoc[`RequestPostProcessor`], like so:
824
+
825
+
[tabs]
826
+
======
827
+
Java::
828
+
+
829
+
[source,java,role="primary"]
830
+
----
831
+
mvc
832
+
.perform(get("/endpoint").with(jwt()));
833
+
----
834
+
835
+
Kotlin::
836
+
+
837
+
[source,kotlin,role="secondary"]
838
+
----
839
+
mvc.get("/endpoint") {
840
+
with(jwt())
841
+
}
842
+
----
843
+
======
844
+
845
+
What this will do is create a mock `Jwt`, passing it correctly through any authentication APIs so that it's available for your authorization mechanisms to verify.
799
846
800
847
Fortunately, there are a number of simple ways that you can overcome this difficulty and allow your tests to focus on authorization and not on representing bearer tokens.
0 commit comments