
Steps Given Authentication

Jörg Flade edited this page Jun 24, 2026 · 3 revisions

Given — Authentication


Setting Users

Given that the following users and tokens are existing
  | john_doe   | my_auth_token_for_john_doe   |
  | johana_doe | my_auth_token_for_johana_doe |

Registers a map of username → Bearer token for the scenario.

After the map is registered, activate a user with:

Given that the user is "john_doe"

The library selects the matching token and uses it for all subsequent authorized requests.

Typical pattern — define both in Background so all scenarios share the same default user:

Feature: User management

  Background:
    Given that the following users and tokens are existing
      | john_doe   | my_auth_token_for_john_doe   |
      | johana_doe | my_auth_token_for_johana_doe |
    And that the user is "john_doe"

  Scenario: John can fetch his own profile
    When executing an authorized GET call to "/api/v1/users/me"
    Then I ensure that the status code of the response is 200

  Scenario: John cannot access Johana's profile
    When executing an authorized GET call to "/api/v1/users/johana_doe"
    Then I ensure that the status code of the response is 403

  Scenario: Switch to Johana for her own request
    Given that the user is "johana_doe"
    When executing an authorized GET call to "/api/v1/users/me"
    Then I ensure that the status code of the response is 200

See examples at bdd-cucumber-gherkin-lib/src/test/resources/features/user/


Set the Bearer Token Dynamically

Given that the Bearer token is {string}

Sets the Bearer token directly. The value is first looked up in ScenarioContext: if a matching key exists, the stored value is used; otherwise the literal string is used as the token. Because the context lookup wins, do not store context entries under keys that could be mistaken for literal tokens (a literal token that happens to equal a context key would be silently replaced by the stored value).

Scenario: Use a hardcoded token
  Given that the Bearer token is "eyJhbGciOiJIUzI1NiJ9..."
  When executing an authorized GET call to "/api/v1/users/me"
  Then I ensure that the status code of the response is 200

Scenario: Use a token stored in context (e.g. from a login response)
  # Assuming DYNAMIC_TOKEN was stored by a previous step
  Given that the Bearer token is "DYNAMIC_TOKEN"
  When executing an authorized GET call to "/api/v1/users/me"
  Then I ensure that the status code of the response is 200

See examples at bdd-cucumber-gherkin-lib/src/test/resources/features/header/


Set the Bearer Token From application.yaml

The library supports two pre-configured Bearer tokens that are set once in application.yml / application.properties and reused across all scenarios:

Config key | Purpose
default    | A token with valid scopes/authorities, used automatically for all authorized steps
noscope    | A token without valid scopes, used for negative security tests

Configure them in bdd-cucumber-gherkin-lib/src/test/resources/application.yml:

cucumberTest:
  authorization:
    bearerToken:
      default: "eyJfgEiooIfS[...]Bs_sadf4de"
      noscope: "eyJhbGciOiJI[...]V_adQssw5c"

Or in application.properties:

cucumberTest.authorization.bearerToken.default=eyJfgEiooIfS[...]Bs_sadf4de
cucumberTest.authorization.bearerToken.noscope=eyJhbGciOiJI[...]V_adQssw5c

By convention, any step whose text contains the word authorized uses the default token automatically; no extra configuration step is needed in your feature files for the normal case.

Both values are checked in as test resources, so treat them as fixtures for a dedicated test realm rather than real credentials: use short-lived tokens, or, since these are ordinary Spring Boot properties, a placeholder such as "${BDD_DEFAULT_TOKEN}" that is resolved from the CI environment instead of a literal token in the repository.


Define That a Token Without Scopes Should Be Used

Given that a bearer token without scopes is used

Switches all subsequent authorized steps to use the noscope token configured in application.yaml.

Use this for security tests that verify endpoints reject tokens without the required scope or authority. The noscope token should be valid in every other respect (signature, issuer, expiry), so that the rejection is an authorization failure (403) rather than an authentication failure (401); an expired or malformed noscope token makes the 403 assertion fail for a misleading reason.

Feature: API security

  Background:
    Given that all URLs are relative to "/api/v1"

  Scenario: Endpoint accepts valid scoped token
    When executing an authorized GET call to "/protected-resource"
    Then I ensure that the status code of the response is 200

  Scenario: Endpoint rejects token without required scope
    Given that a bearer token without scopes is used
    When executing an authorized GET call to "/protected-resource"
    Then I ensure that the status code of the response is 403

  Scenario: Admin endpoint requires admin scope
    Given that a bearer token without scopes is used
    When executing an authorized GET call to "/admin/settings"
    Then I ensure that the status code of the response is 403

The token must be configured in application.yaml under cucumberTest.authorization.bearerToken.noscope. See Configuration for setup.
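The two configured tokens above (default and noscope) are only useful if they differ in nothing but the granted scopes. The following helper, an added example that is not part of bdd-cucumber-gherkin-lib, mints such a pair for a test realm and checks the precondition the negative test relies on: the noscope fixture must still verify and be unexpired, otherwise the endpoint answers 401 instead of the asserted 403. It assumes the API under test accepts HS256-signed JWTs and reads granted scopes from a space-separated "scope" claim; the secret, issuer and scope names are constructed values, and the page itself does not say how the tokens are produced.

```python
"""Mint and sanity-check the default / noscope test tokens for application.yml.
Added example, not library code.  Assumes the API under test validates HS256
JWTs and reads scopes from a space-separated `scope` claim."""
import base64
import hashlib
import hmac
import json
import time

TEST_SECRET = b"constructed-test-realm-secret-not-for-production"  # constructed, test only
ISSUER = "https://auth.test.local/"  # assumed test issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes = TEST_SECRET) -> str:
    """Return a compact HS256 JWT (header.payload.signature) for the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def mint_test_tokens(required_scopes, now=None, ttl=3600, secret=TEST_SECRET) -> dict:
    """Mint the pair the library configuration expects.  `default` carries the
    scopes the protected endpoints require; `noscope` is identical except that
    the `scope` claim is absent, so only authorization differs between them."""
    now = int(time.time()) if now is None else now
    base = {"iss": ISSUER, "sub": "bdd-test-client", "iat": now, "exp": now + ttl}
    default = dict(base, scope=" ".join(required_scopes))
    noscope = dict(base)  # same signer, same expiry, no scope at all
    return {"default": mint_hs256(default, secret), "noscope": mint_hs256(noscope, secret)}


def verify_hs256(token: str, secret: bytes = TEST_SECRET, now=None) -> dict:
    """Check alg, signature and expiry; return the claims or raise ValueError.
    Anything rejected here would be a 401 from the API, not a 403."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion (none, RS256, ...)
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def check_noscope_fixture(token: str, required_scope: str, secret=TEST_SECRET, now=None) -> bool:
    """True only if the token is otherwise valid AND lacks the required scope,
    i.e. the precondition for a 403 (authorization) rather than a 401."""
    claims = verify_hs256(token, secret, now)  # raises on 401-class defects
    granted = set(claims.get("scope", "").split())
    return required_scope not in granted


def render_application_yml(tokens: dict) -> str:
    """Emit the cucumberTest.authorization.bearerToken block for application.yml."""
    return (
        "cucumberTest:\n"
        "  authorization:\n"
        "    bearerToken:\n"
        f"      default: \"{tokens['default']}\"\n"
        f"      noscope: \"{tokens['noscope']}\"\n"
    )


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # deterministic timestamps for reproducible fixtures
    toks = mint_test_tokens(["users:read"], now=fixed_now)
    print(render_application_yml(toks))
    print("noscope fixture usable for a 403 test:",
          check_noscope_fixture(toks["noscope"], "users:read", now=fixed_now))
```

Run the check against the token that is actually configured under cucumberTest.authorization.bearerToken.noscope before trusting a green "rejects token without required scope" scenario; a fixture that fails verify_hs256 would exercise the authentication path, not the scope check the scenario is meant to cover.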
