Tags: spring-boot, oauth-2.0, firebase-authentication

Fake Firebase Auth Tokens for Test Environment


I have a Firebase account that I basically just use for authentication. It runs inside a Spring Boot app that simply verifies the tokens using OAuth2Resource. In the production environment, users have to verify their e-mail address and enable TOTP verification. But for testing I would like to simply create fake random profiles at the press of a button. I'm not sure how exactly to implement this, but I was thinking of either disabling the signature verification on the tokens (allowing me to simply add whatever claims myself) or figuring out some way to create an embedded JWT authority that replaces Firebase (but then you wouldn't be able to test the sign-in flow in testing). But there is no information on how to do either (or anything else) anywhere. So how can I create fake JWTs or sign-ins in my test environment?


Solution

  • You should keep the runtime security configuration, which might include some things that should be covered in tests (like access control with authorizeHttpRequests/authorizeExchange or enabling method security), rather than create a different one for tests.

    Case of unit and integration tests

    Mock solely the:

    spring-security-test provides some MockMvc request post-processors and WebTestClient mutators for OAuth2. In the case of a resource server with a JWT decoder, respectively SecurityMockMvcRequestPostProcessors.jwt() and SecurityMockServerConfigurers.mockJwt(). You might refer to this Baeldung article for complete samples and instructions.

    But the above have serious limitations:

    spring-addons-oauth2-test provides test annotations that remove all the limitations above, with the only constraint that when using a custom authentication converter it should be exposed as a bean (and not inlined in the filter-chain definition as a lambda) for the test authentication factory to use it.

    Sample taken from the Baeldung article already linked:

    // In the test class: `api` is an injected MockMvc, `messageService` is a @MockBean.
    // Static imports the method relies on:
    import static org.mockito.Mockito.when;
    import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
    import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
    import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
    import com.c4_soft.springaddons.security.oauth2.test.annotations.WithJwt;

    @Test
    @WithJwt("ch4mpy.json") // builds the test Authentication from the claims in src/test/resources/ch4mpy.json
    void givenUserIsCh4mpy_whenGetSecuredMethod_thenOk() throws Exception {
        final var secret = "Secret!";
        when(messageService.getSecret()).thenReturn(secret);
    
        api.perform(get("/secured-method"))
            .andExpect(status().isOk())
            .andExpect(content().string(secret));
    }
    

    ch4mpy.json is a file in test resources. It contains a subset of a token payload. In your case, this would probably be enough:

    {
      "iss": "https://accounts.google.com",
      "sub": "10769150350006150715113082367",
      "email": "ch4mpy@example.com",
      "email_verified": true,
      "scope": "openid email"
    }
    

    Case of end-to-end tests

    Use a different OpenID Provider that you can embed in a container with its user database.

    Keycloak can fit that purpose if you provide it with a realm and users as done in this other Baeldung article.

    With some more work, you might be able to do about the same thing using Spring Authorization Server.

    spring-addons-starter-oidc can be of great help to switch from an OpenID Provider to another by changing just application properties (switching between Spring "profiles").

    Disclaimer

    I am the author of:
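Added example, not code from the answer above nor from spring-addons: a MockMvc test that injects a Firebase-shaped token through spring-security-test's SecurityMockMvcRequestPostProcessors.jwt() post-processor. The JwtDecoder (and therefore the signature check) is never invoked, but the production SecurityFilterChain, its authorizeHttpRequests rules and any method security still run unchanged, which is the point of the answer's first bullet. Everything application-specific is an assumption: the Firebase project id "demo-project", a hypothetical GET /api/me endpoint that echoes the caller's "email" claim and is guarded by a rule such as @PreAuthorize("authentication.token.claims['email_verified'] == true"), and the usual spring-boot-starter-oauth2-resource-server plus spring-security-test dependencies.

```java
// Added example (not from the answer or from spring-addons). Assumes a Spring Boot
// resource server with a hypothetical GET /api/me endpoint that returns the "email"
// claim and only admits tokens whose "email_verified" claim is true, and the
// placeholder Firebase project id "demo-project".
package com.example.api;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.UUID;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class FirebaseFakeTokenTest {

    // Placeholder project id: Firebase ID tokens use it as "aud" and in "iss".
    private static final String PROJECT_ID = "demo-project";

    @Autowired
    MockMvc mvc;

    /**
     * Builds a Jwt carrying the claims a real Firebase ID token carries
     * (issuer, audience, subject, email, email_verified, firebase.sign_in_provider).
     * The token value and "alg" header are irrelevant: jwt() hands this object to
     * the security context directly, so no signature is ever checked.
     */
    private static Jwt fakeFirebaseToken(String email, boolean emailVerified) {
        Instant now = Instant.now();
        return Jwt.withTokenValue("fake-token")
            .header("alg", "none")
            .issuer("https://securetoken.google.com/" + PROJECT_ID)
            .audience(List.of(PROJECT_ID))
            .subject(UUID.randomUUID().toString()) // a fresh random "profile" per call
            .issuedAt(now)
            .expiresAt(now.plusSeconds(3600))
            .claim("email", email)
            .claim("email_verified", emailVerified)
            .claim("firebase", Map.of("sign_in_provider", "password"))
            .build();
    }

    @Test
    void verifiedUserCanReadOwnProfile() throws Exception {
        mvc.perform(get("/api/me")
                .with(jwt().jwt(fakeFirebaseToken("alice@example.com", true))))
            .andExpect(status().isOk())
            .andExpect(content().string("alice@example.com"));
    }

    @Test
    void unverifiedEmailIsRejected() throws Exception {
        // Same filter chain as production: an unverified address must not pass
        // the email_verified rule even though the token itself is "valid".
        mvc.perform(get("/api/me")
                .with(jwt().jwt(fakeFirebaseToken("mallory@example.com", false))))
            .andExpect(status().isForbidden());
    }

    @Test
    void missingTokenIsUnauthorized() throws Exception {
        // No post-processor, so the real resource-server entry point answers 401.
        mvc.perform(get("/api/me"))
            .andExpect(status().isUnauthorized());
    }
}
```

Note that the decoder is bypassed only inside these tests; the application.properties pointing at the real Firebase issuer stays in place, so nothing here can leak into a deployed build. If your filter chain maps claims to authorities with a custom JwtAuthenticationConverter, call `.authorities(...)` on the post-processor or, as the answer says, expose the converter as a bean so the test authentication is built the same way production builds it.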