Steps Given Authentication
- Setting Users
- Set the Bearer Token Dynamically
- Set the Bearer Token From application.yaml
- Define That a Token Without Scopes Should Be Used
```gherkin
Given that the following users and tokens are existing
  | john_doe   | my_auth_token_for_john_doe   |
  | johana_doe | my_auth_token_for_johana_doe |
```

Registers a map of username → Bearer token for the scenario.

After the map is registered, activate a user with:

```gherkin
Given that the user is "john_doe"
```

The library selects the matching token and uses it for all subsequent authorized requests.
Typical pattern: define both in `Background` so all scenarios share the same default user:

```gherkin
Feature: User management

  Background:
    Given that the following users and tokens are existing
      | john_doe   | my_auth_token_for_john_doe   |
      | johana_doe | my_auth_token_for_johana_doe |
    And that the user is "john_doe"

  Scenario: John can fetch his own profile
    When executing an authorized GET call to "/api/v1/users/me"
    Then I ensure that the status code of the response is 200

  Scenario: John cannot access Johana's profile
    When executing an authorized GET call to "/api/v1/users/johana_doe"
    Then I ensure that the status code of the response is 403

  Scenario: Switch to Johana for her own request
    Given that the user is "johana_doe"
    When executing an authorized GET call to "/api/v1/users/me"
    Then I ensure that the status code of the response is 200
```

See examples at bdd-cucumber-gherkin-lib/src/test/resources/features/user/
```gherkin
Given that the Bearer token is {string}
```

Sets the Bearer token directly. The value is first looked up in ScenarioContext: if a matching key exists, the stored value is used; otherwise the literal string is used as the token.

```gherkin
Scenario: Use a hardcoded token
  Given that the Bearer token is "eyJhbGciOiJIUzI1NiJ9..."
  When executing an authorized GET call to "/api/v1/users/me"
  Then I ensure that the status code of the response is 200

Scenario: Use a token stored in context (e.g. from a login response)
  # Assuming DYNAMIC_TOKEN was stored by a previous step
  Given that the Bearer token is "DYNAMIC_TOKEN"
  When executing an authorized GET call to "/api/v1/users/me"
  Then I ensure that the status code of the response is 200
```

See examples at bdd-cucumber-gherkin-lib/src/test/resources/features/header/
The library supports two pre-configured Bearer tokens that are set once in application.yml / application.properties and reused across all scenarios:

| Config key | Purpose |
|---|---|
| `default` | A token with valid scopes/authorities, used automatically for all authorized steps |
| `noscope` | A token without valid scopes, used for negative security tests |
Configure them in bdd-cucumber-gherkin-lib/src/test/resources/application.yml:

```yaml
cucumberTest:
  authorization:
    bearerToken:
      default: "eyJfgEiooIfS[...]Bs_sadf4de"
      noscope: "eyJhbGciOiJI[...]V_adQssw5c"
```

Or in application.properties:

```properties
cucumberTest.authorization.bearerToken.default=eyJfgEiooIfS[...]Bs_sadf4de
cucumberTest.authorization.bearerToken.noscope=eyJhbGciOiJI[...]V_adQssw5c
```

By convention, any step whose name contains the word `authorized` uses the `default` token automatically. No extra configuration step is needed in your feature files for the normal case.
```gherkin
Given that a bearer token without scopes is used
```

Switches all subsequent authorized steps to use the `noscope` token configured in application.yaml.

Use this for security tests that verify endpoints reject tokens without the required scope or authority:
```gherkin
Feature: API security

  Background:
    Given that all URLs are relative to "/api/v1"

  Scenario: Endpoint accepts valid scoped token
    When executing an authorized GET call to "/protected-resource"
    Then I ensure that the status code of the response is 200

  Scenario: Endpoint rejects token without required scope
    Given that a bearer token without scopes is used
    When executing an authorized GET call to "/protected-resource"
    Then I ensure that the status code of the response is 403

  Scenario: Admin endpoint requires admin scope
    Given that a bearer token without scopes is used
    When executing an authorized GET call to "/admin/settings"
    Then I ensure that the status code of the response is 403
```

The token must be configured in application.yaml under `cucumberTest.authorization.bearerToken.noscope`. See Configuration#base-token-definition for setup.
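The `default` / `noscope` pair only makes the negative scenarios above meaningful if the two tokens really differ in their granted scopes and the application under test enforces them. The following Python script is an added illustration, not part of bdd-cucumber-gherkin-lib: it mints the two HS256 test tokens as fixtures for the `cucumberTest.authorization.bearerToken` keys, renders the application.yml fragment, and models the resource-server decision (200 / 403 / 401) so you can see why the `noscope` token must yield 403 rather than a signature failure. The signing secret, the `scope` claim layout (space-separated, as in RFC 8693 / OAuth 2.0 access tokens) and the scope names are assumptions chosen for this example; your real application decides the claim format and key material.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for test fixtures only; the real resource server's key
# material never lives in a script like this.
TEST_SECRET = b"bdd-test-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(subject: str, scopes: list, secret: bytes = TEST_SECRET, ttl: int = 3600) -> str:
    """Mint an HS256 JWT. An empty scopes list produces the 'noscope' flavour:
    still validly signed and unexpired, just without any granted scope."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"sub": subject, "iat": now, "exp": now + ttl, "scope": " ".join(scopes)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authorize(token: str, required_scope: str, secret: bytes = TEST_SECRET) -> int:
    """Model of a scope-enforcing resource server. Returns the HTTP status it
    would answer with: 401 when the token is unusable (malformed, wrong alg,
    bad signature, expired), 403 when it is valid but lacks the scope, else 200."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm before verifying; never trust the header to pick it.
        if header.get("alg") != "HS256":
            return 401
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return 401
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return 401
    if payload.get("exp", 0) < time.time():
        return 401
    granted = set(payload.get("scope", "").split())
    return 200 if required_scope in granted else 403


def render_application_yml(default_token: str, noscope_token: str) -> str:
    """Emit the bearerToken section in the layout the library reads."""
    return (
        "cucumberTest:\n"
        "  authorization:\n"
        "    bearerToken:\n"
        f'      default: "{default_token}"\n'
        f'      noscope: "{noscope_token}"\n'
    )


if __name__ == "__main__":
    default = make_token("john_doe", ["users:read", "users:write"])
    noscope = make_token("john_doe", [])
    print(render_application_yml(default, noscope))
    # Mirrors the three scenarios in the "API security" feature above.
    print("scoped  -> /protected-resource:", authorize(default, "users:read"))
    print("noscope -> /protected-resource:", authorize(noscope, "users:read"))
    print("noscope -> /admin/settings    :", authorize(noscope, "admin:settings"))
```

A useful check when wiring this into a real suite: if the `noscope` scenario ever comes back 401 instead of 403, the token was rejected before scope evaluation (expired, wrong key, wrong algorithm), and the scenario is no longer testing authorization at all. Keep both fixtures signed with the same key and lifetime so that the only difference between them is the scope claim.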