-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth implementation testing spec #4982
Comments
@jamakase does this make sense to have as a UI test? |
After spending some time on this, I'm fairly confident that automated CI testing OAuth flows will be impossible (or if not impossible, then a constant battle of cat and mouse). Google (and I'm sure other platforms) recognise bot usage (either pure programmatic requests or Selenium) and request a captcha to sign in. Even if we can trick the provider into thinking our ci bot is human, it would only be a matter of time before that exploit is patched and tests begin failing (hence cat and mouse). I'm not even confident we could trick it with our tests running from EC2 instances, giving services an easy indication that this could be a bot based on their IP. Unless anyone sees something I'm missing, I'm ruling out bot-driven E2E for this and re-thinking with different approaches. |
Had an idea about using saved serialised cookies so we're already logged in and therefore a bot doesn't have to go through that flow. We don't care about testing the provider's login flow so skipping this seems fine. Going to high-level investigate feasibility of this, if it looks good then probably will form basis of approach in RFC. Expected possible issue: regen of these cookies will (probably) need to be manual. If time to expiration is short, this could mean manual regen every time we run integration tests for the connector. |
It might help to break down our nebulous goal of "make sure oauth works" to components. Holding fixed the oauth-backed integration we're testing our goals could be:
I think the very hard one to do is 2 so we may just want to skip it. We might be able to get "good enough" results with testing 1 and 3. The trick will then be: how can we set this up such that a developer who is adding or modifying the oauth-based connector can get their changes all the way into Cloud prod with confidence? We might want to add per-connector acceptance tests that are run when releasing a connector into cloud which verify the above assertions It would probably really help to have a real secret store backing oauth in the server as well, because then we can read the client ID/secret actually in production. But it's not a requirement |
Tell us about the problem you're trying to solve
We need to have a way for verifying that oauth implementations with our Airbyte apps are working correctly. We'll need integration tests which, given Airbyte's app ID /client secret for each connector, perform an auth flow and verify it succeeds.
Describe the solution you’d like
An integration test for each connector which verifies that given valid oauth seed credentials, an auth flow happens successfully.
This would probably need to be an E2E UI test?
The initial output of this ticket should be a short RFC describing how we should setup tests which guarantee that our oauth implementations are working.
The text was updated successfully, but these errors were encountered: