OAuth2 authentication support
Problem to solve
As a user, I want to test web APIs using OAuth2 for authorization, so I can get better results from API Fuzzing.
Intended users
Users who determine if API Fuzzing is usable as a solution for testing their web APIs and users who configure API Fuzzing.
User experience goal
Configuration of OAuth2 should require the least amount of work and technical knowledge possible.
Proposal
The OAuth2 framework defines several grant types, each using a different sequence of steps to obtain an access token. Grant types fall into three-party and two-party flows. In a three-party grant, one of the parties is an end user authenticating through a web browser session, which poses unique challenges for automation.
Two OAuth2 grant types will be supported initially:
- Authorization code grant
- Client credentials grant
Authorization code grant
This is a three-party grant type. During this flow the user is asked to log in and grant access using a web browser, so the grant can't be performed through environment variables alone. A script will need to be customized that uses Selenium or another browser automation API.
- Create a template Python script that performs every step except the login and authorization approval. For the user authentication portion, provide a Selenium example with a clearly marked place to implement it. If the token response includes a refresh token, the script must refresh the access token when it expires. Support PKCE as an option. The script will work through the overrides feature.
- Create an example project that shows a working script.
- Investigate whether the Selenium IDE can be leveraged to record the OAuth2 flow, lowering the amount of work required.
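The following is an added example of the scriptable part of the authorization code grant with PKCE, written for this issue rather than taken from the project: it generates the PKCE verifier and S256 challenge, builds the authorization URL, validates the redirect (state check, error check) before trusting the code, and exchanges the code for a token. The browser login step is left as a callable the user supplies, which is where a Selenium routine would go. The endpoint URLs, client ID and the post_form callable are assumptions, not the project's values.

```python
import base64
import hashlib
import secrets
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoints and client registration; real values come from the
# user's authorization server and are not defined by the issue.
EXAMPLE_CONFIG = {
    "authorization_endpoint": "https://idp.example/oauth2/authorize",
    "token_endpoint": "https://idp.example/oauth2/token",
    "client_id": "api-fuzzing-client",
    "redirect_uri": "https://fuzzer.example/callback",
    "scope": "read write",
}


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters from a CSPRNG."""
    return secrets.token_urlsafe(48)  # 64 base64url characters


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_query(url: str) -> dict:
    """Flatten the query string of a URL into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorization_url(cfg: dict, state: str, challenge: str) -> str:
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": cfg["scope"],
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def extract_code(redirected_url: str, expected_state: str) -> str:
    """Validate the redirect back to the client before trusting the code it carries."""
    query = parse_query(redirected_url)
    # state binds the response to the request this process started; a mismatch
    # means the redirect belongs to another session or is a forged response.
    if not secrets.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch on redirect")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error']}")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"]


def run_authorization_code_flow(cfg: dict, login_in_browser: Callable[[str], str],
                                post_form: Callable[[str, dict], dict]) -> dict:
    """Drive the flow. login_in_browser is the user-supplied step (for example a
    Selenium routine) that opens the URL, completes login and consent, and returns
    the final redirect URL. post_form sends the token request and returns JSON."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_url(cfg, state, code_challenge_s256(verifier))
    redirected = login_in_browser(auth_url)
    code = extract_code(redirected, state)
    # The verifier never left this process, so only this client can redeem the code.
    return post_form(cfg["token_endpoint"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "code_verifier": verifier,
    })
```

The state check is what stops a redirect from another session (or one planted by a third party) from being accepted, and PKCE ties the code to the verifier held only by this process, so an intercepted code is useless on its own. Refresh handling is the same as for the client credentials script and is not repeated here.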
Client credentials
This two-party grant can be driven entirely by environment variables.
- Write an OAuth2 client credentials script. The script should support refresh tokens.
- Modify worker-entry to add the required environment variable support, and configure the runner to use the overrides script.
- Create an example project that shows a working configuration.
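As an added example (not the project's script), the following shows a client credentials token provider configured purely from environment variables: it authenticates the client with HTTP Basic, caches the access token, renews it shortly before expiry, and uses a refresh token when the server issued one, falling back to a fresh client credentials request when the refresh fails. The environment variable names (OAUTH2_TOKEN_URL and so on) and the shape of the overrides document are assumptions, since the issue does not fix either.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Mapping, Optional, Tuple
from urllib.parse import urlencode

# Assumed variable names; the issue only says the grant is driven by
# environment variables and does not name them.
ENV_TOKEN_URL = "OAUTH2_TOKEN_URL"
ENV_CLIENT_ID = "OAUTH2_CLIENT_ID"
ENV_CLIENT_SECRET = "OAUTH2_CLIENT_SECRET"
ENV_SCOPE = "OAUTH2_SCOPE"


def http_post_form(url: str, form: dict, auth: Tuple[str, str]) -> dict:
    """POST a form to the token endpoint, authenticating the client with HTTP
    Basic (RFC 6749 section 2.3.1) so the secret never appears in a URL or log."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    cred = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsToken:
    """Caches an access token and renews it before it expires."""

    def __init__(self, env: Mapping[str, str], post_form: Callable = http_post_form,
                 clock: Callable[[], float] = time.time, skew: float = 30.0):
        self.token_url = env[ENV_TOKEN_URL]
        self.auth = (env[ENV_CLIENT_ID], env[ENV_CLIENT_SECRET])
        self.scope = env.get(ENV_SCOPE, "")
        self.post_form, self.clock, self.skew = post_form, clock, skew
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0

    def _store(self, resp: dict) -> None:
        if "access_token" not in resp:
            raise RuntimeError(f"token endpoint error: {resp.get('error', resp)}")
        self.access_token = resp["access_token"]
        # RFC 6749 section 4.4.3 says a server SHOULD NOT issue a refresh token for
        # this grant, but some do; use it if present, otherwise re-request.
        self.refresh_token = resp.get("refresh_token")
        self.expires_at = self.clock() + float(resp.get("expires_in", 3600))

    def _request_new(self) -> None:
        form = {"grant_type": "client_credentials"}
        if self.scope:
            form["scope"] = self.scope
        self._store(self.post_form(self.token_url, form, self.auth))

    def _refresh(self) -> None:
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        try:
            self._store(self.post_form(self.token_url, form, self.auth))
        except RuntimeError:
            # Refresh tokens get revoked or rotated; a failed refresh is not fatal
            # because the client credentials can always mint a new token.
            self.refresh_token = None
            self._request_new()

    def get(self) -> str:
        """Return a token that stays valid for at least `skew` more seconds."""
        if self.access_token and self.clock() < self.expires_at - self.skew:
            return self.access_token
        if self.refresh_token:
            self._refresh()
        else:
            self._request_new()
        return self.access_token

    def overrides(self) -> dict:
        """Assumed overrides-document shape: a headers map carrying the bearer token."""
        return {"headers": {"Authorization": f"Bearer {self.get()}"}}
```

In a runner job the script would build `ClientCredentialsToken(os.environ)` and write `overrides()` to the overrides file on each invocation; the `skew` margin keeps a token that is about to expire from being handed to a long fuzzing request, and the fallback in `_refresh` means a revoked refresh token never stalls the scan.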
Documentation
Both grant types must be documented, including an example of the authorization code grant script.
Availability & Testing
- Unit test changes
- Integration test changes
Links / references
OAuth2: https://oauth.net/2/
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.