OAuth Zero Trust API Testing

A simple Java REST API implemented using Spark Java.
The API uses an OAuth filter to validate the JWT access token on every request.
The API then uses the claims from the validated token to implement its business authorization.

The API's integration tests use a JOSE library to create JSON Web Keys.
This enables the tests to issue mock access tokens for any user, with any claims, without a running identity server.
A JWKS endpoint is spun up to expose only the public key of the mock token signing key pair.

Mock access tokens have the same contract as real access tokens.
During integration tests, the API therefore makes all of the correct OAuth security checks: signature, issuer, audience, expiry and claims.
The techniques demonstrated can also be used in any other API technology stack.

API Endpoints

The root path is unprotected. The other endpoints of this example are /api/products and /api/products/<1-5>, which all require authentication. If a request to those endpoints lacks a valid JWT, the server returns 401.

The authorization rules use the claims from the access token, namely the country and subscription_level claims. The endpoint /api/products returns a list of products filtered by the country claim in the access token. The list may be empty. The endpoint /api/products/<1-5> returns the product details if the user has a valid (non-empty) subscription_level claim. Exclusive products (2 and 5) additionally require a premium subscription. Check out the Working With Claims Tutorial for how to configure claims for access tokens in the Curity Identity Server.

If the user is not authorized to access the resource, i.e. the JWT is missing a valid subscription level or the user tries to access a product from a different country, then the server returns 403. If the resource cannot be found, e.g. the product with the given ID does not exist, then the server returns 404. Have a look at se/curity/examples/products/ProductServiceMapImpl.java for the details of the provided example data.
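The claims-based authorization rules above, written out as an added example for this README. This is not the project's ProductServiceMapImpl.java or its request handler; the product data, the country codes and the claim values are constructed for the example, and the method works on claims that an OAuth filter has already signature-verified.

```java
import java.util.Map;
import java.util.Optional;

public class ProductAuthorizationExample {

    record Product(int id, String name, String country, boolean exclusive) {}

    // Constructed sample data for this example; the project's own data lives in ProductServiceMapImpl.java.
    static final Map<Integer, Product> PRODUCTS = Map.of(
            1, new Product(1, "Basic SE", "se", false),
            2, new Product(2, "Exclusive SE", "se", true),
            3, new Product(3, "Basic US", "us", false),
            4, new Product(4, "Basic DE", "de", false),
            5, new Product(5, "Exclusive US", "us", true));

    /**
     * Returns the HTTP status for GET /api/products/{productId} given the claims of an
     * already-validated access token: 200, 403 or 404, following the rules in the README.
     */
    static int authorizeProductDetails(Map<String, Object> claims, int productId) {
        Product product = PRODUCTS.get(productId);
        if (product == null) {
            return 404;                                   // unknown product id
        }
        // A missing claim and an empty claim are treated the same: no valid subscription.
        String level = Optional.ofNullable(claims.get("subscription_level"))
                .map(Object::toString).orElse("");
        if (level.isBlank()) {
            return 403;
        }
        String country = Optional.ofNullable(claims.get("country"))
                .map(Object::toString).orElse("");
        if (!product.country().equalsIgnoreCase(country)) {
            return 403;                                   // product belongs to another country
        }
        if (product.exclusive() && !"premium".equals(level)) {
            return 403;                                   // exclusive products need a premium subscription
        }
        return 200;
    }

    public static void main(String[] args) {
        Map<String, Object> premiumSe = Map.of("country", "se", "subscription_level", "premium");
        Map<String, Object> basicSe = Map.of("country", "se", "subscription_level", "basic");
        Map<String, Object> noLevel = Map.of("country", "se");

        System.out.println(authorizeProductDetails(premiumSe, 2)); // premium user, exclusive product
        System.out.println(authorizeProductDetails(basicSe, 2));   // basic user, exclusive product
        System.out.println(authorizeProductDetails(noLevel, 1));   // no subscription_level claim
        System.out.println(authorizeProductDetails(premiumSe, 3)); // product from another country
        System.out.println(authorizeProductDetails(premiumSe, 9)); // product does not exist
    }
}
```

The check order follows the README: existence first (404), then the subscription and country rules (403). Note that this ordering tells an unauthorized caller whether a product ID exists; an API that must not confirm existence to callers from another country would return 404 for the country mismatch as well.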

Run the API

To build this project, ensure that JDK 17 or above, and the Maven build tool, are both installed.
Then run the following command to build the API code into a single JAR file in the target folder:

mvn package -DskipTests

The API can then be run with this command.
The running API points to a JWKS URI at http://localhost:8443/oauth/v2/oauth-anonymous/jwks.

java -jar target/zero-trust-api-example-3.0.0.jar

Call a secured endpoint without an access token and you will get a 401 response:

curl -i http://localhost:9090/api/products

Test the API

While the API is running, use Maven to run the JUnit integration tests:

mvn test

The integration tests create JSON Web Keys and use the private key to issue JWT access tokens for testing.
WireMock is used to expose the matching JSON Web Key Set at http://localhost:8443/oauth/v2/oauth-anonymous/jwks, the JWKS URI the API is configured to trust.
The running API therefore downloads the mock public key and accepts the tokens the tests issue, while still rejecting tokens with a bad signature, a wrong issuer or audience, or an expired lifetime.
The test results are output to the console, and for a real API such tests would run on every build:

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Results:
[INFO] Tests run: 25, Failures: 0, Errors: 0, Skipped: 0
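The test-side flow described above (generate a key pair, publish the public half as a JWKS, issue a mock token, and have the API validate it against that JWKS), as an added example written for this README. It is not code from the zero-trust-api-testing project: it assumes the nimbus-jose-jwt library on the classpath, substitutes the JDK's built-in HttpServer for WireMock, and the issuer, audience, key ID, subject and claim values are made up for the example. The JWKS path and port are the ones the README's API points at.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.sun.net.httpserver.HttpServer;

import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Set;

public class MockTokenIssuerExample {

    // Hypothetical values chosen for this example.
    static final String ISSUER = "https://localhost:8443/oauth/v2/oauth-anonymous";
    static final String AUDIENCE = "api.example.com";
    static final int JWKS_PORT = 8443;
    static final String JWKS_PATH = "/oauth/v2/oauth-anonymous/jwks";

    public static void main(String[] args) throws Exception {
        // 1. Test side: generate an RSA key pair; the private half signs mock tokens.
        RSAKey signingKey = new RSAKeyGenerator(2048).keyID("mock-key-1").generate();
        String publicJwks = new JWKSet(signingKey.toPublicJWK()).toString();

        // 2. Test side: publish only the public JWK at the URI the API is configured to trust.
        HttpServer server = HttpServer.create(new InetSocketAddress("localhost", JWKS_PORT), 0);
        server.createContext(JWKS_PATH, exchange -> {
            byte[] body = publicJwks.getBytes(StandardCharsets.UTF_8);
            exchange.getResponseHeaders().add("Content-Type", "application/json");
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        try {
            // 3. Test side: issue an access token for whatever user and claims the test needs.
            String token = issueMockToken(signingKey, "se", "premium");

            // 4. API side: fetch the JWKS, then verify signature, algorithm, issuer, audience and expiry.
            JWTClaimsSet claims = validate(token);
            System.out.println("country=" + claims.getStringClaim("country")
                    + " subscription_level=" + claims.getStringClaim("subscription_level"));
        } finally {
            server.stop(0);
        }
    }

    static String issueMockToken(RSAKey key, String country, String subscriptionLevel) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(ISSUER)
                .audience(AUDIENCE)
                .subject("test-user")
                .claim("country", country)
                .claim("subscription_level", subscriptionLevel)
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000))
                .build();
        // The kid header lets the API pick the right key out of the JWKS.
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(key.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    static JWTClaimsSet validate(String token) throws Exception {
        HttpResponse<String> response = HttpClient.newHttpClient().send(
                HttpRequest.newBuilder(URI.create("http://localhost:" + JWKS_PORT + JWKS_PATH)).build(),
                HttpResponse.BodyHandlers.ofString());
        JWKSet jwks = JWKSet.parse(response.body());

        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Pin the expected algorithm: tokens with alg=none or an HMAC alg fail before any key lookup.
        processor.setJWSKeySelector(
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, new ImmutableJWKSet<>(jwks)));
        // Require this audience, an exactly matching issuer, and the presence of sub and exp.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                AUDIENCE,
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                Set.of("sub", "exp")));
        return processor.process(token, null);
    }
}
```

Because the API only ever sees the public key, a test that tampers with a claim, signs with a different key, or drops the exp claim fails validation exactly as it would against a real identity server; that is what makes the mock tokens "the same contract as real access tokens".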

More Information

For more information about the Curity Identity Server, please contact Curity.
You can find more examples, tutorials and articles in Curity's Resource Library.

Copyright 2023 Curity AB