Welcome to the Kinde community

Updated 2 months ago

Automated authentication to get cookies before running api integration test

At a glance

The community members are discussing a way to automate authentication and obtain cookies before running API integration tests in a CI/CD environment. The initial response suggests using Postman to generate a token, but the community member notes that this is not applicable for their CI/CD setup. The senior developer explains that for authentication using PKCE or Authorization Code, a headless browser is required, which is unstable in a CI/CD environment. They suggest using a machine-to-machine (M2M) access token to represent a user token for testing, and the product manager follows up to understand the community member's authentication setup and testing requirements.

The community member clarifies that they are focused on testing user authentication flows, specifically using email and password authentication in a NextJS app router. They need to simulate a logged-in user for their integration tests, as some tests contain data ownership validation at the user level. The product manager suggests exploring the use of refresh tokens and offline sessions for Playwright-based tests, as other customers have implemented this approach to solve similar use cases.

There is no explicitly marked answer, but the community members are actively working to find a solution that meets the community member's requirements.

Hey guys, is there a way to do an automated authentication to get cookies before running my API integration tests before deployment?

21 comments

Hi Alex. I'll need to refer this one to the team.
Can you tell me what SDK/framework you are using, and the version? It will help me identify the right person to ask.

I'm using Next.js app router v2.3.4

Hey, just asking the team. Hope to have an answer soon.

An initial response to this is - you can use Postman (or similar) to generate a token before testing. See this doc. Does this cover your needs?

Yeah, I know that, but actually our testing runs within a CI/CD job,
so this is not applicable.

Ah okay. Let me refer back to the team again.

Hi, here's the answer from one of our senior devs.

Unfortunately, for authentication using PKCE or Authorisation Code, you need a browser to enter credentials to obtain an access token.

In a CI/CD job, the only way to achieve that would be to have a headless browser running, which is notoriously unstable.

For Client Credentials grants (machine to machine), no browser is required, so that's fine to do in a CI/CD job.

I believe a few other customers have asked for an access token that represents a Kinde end-user they can use for testing. We probably need to build something similar to what Auth0 have.
What I can do right now is raise this with our product manager, and add your voice to the existing requests (Squeaky wheel and all that). I can come back to you if it looks like we're able to prioritize it. But do ask again if you don't hear anything.
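The client credentials option mentioned in the reply above, sketched as an added example that is not part of the original thread and not Kinde's own code. The environment variable names, the `/oauth2/token` path and the `audience` parameter are assumptions, and it presumes the API under test accepts a Bearer token.

```javascript
// Added example, not Kinde's code. Assumed: the env var names below and the
// /oauth2/token path on your Kinde domain; all sample values are constructed.

// Build the client-credentials request from CI secrets; fail fast if one is missing.
function buildTokenRequest(env) {
  const required = ['KINDE_DOMAIN', 'KINDE_M2M_CLIENT_ID', 'KINDE_M2M_CLIENT_SECRET', 'KINDE_AUDIENCE'];
  const missing = required.filter((k) => !env[k]);
  if (missing.length) throw new Error(`missing CI secrets: ${missing.join(', ')}`);
  const url = new URL('/oauth2/token', env.KINDE_DOMAIN);
  if (url.protocol !== 'https:') throw new Error('token endpoint must use https');
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: env.KINDE_M2M_CLIENT_ID,
    client_secret: env.KINDE_M2M_CLIENT_SECRET,
    audience: env.KINDE_AUDIENCE,
  });
  return {
    url: url.toString(),
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Validate the token response; error messages never echo the secret or the token.
function parseTokenResponse(status, json, nowSec) {
  if (status !== 200) throw new Error(`token request failed: HTTP ${status} ${json.error || ''}`.trim());
  if (typeof json.access_token !== 'string' || !json.access_token) throw new Error('no access_token in response');
  if (String(json.token_type).toLowerCase() !== 'bearer') throw new Error('unexpected token_type');
  const ttl = Number(json.expires_in);
  const expiresAt = Number.isFinite(ttl) && ttl > 0 ? nowSec + ttl : null;
  return { accessToken: json.access_token, expiresAt };
}

// Call once from a CI step or test setup, then send the token as a Bearer header.
async function getM2MToken(env = process.env, fetchImpl = fetch) {
  const { url, options } = buildTokenRequest(env);
  const res = await fetchImpl(url, options);
  const json = await res.json().catch(() => ({}));
  return parseTokenResponse(res.status, json, Math.floor(Date.now() / 1000));
}
```

Keep the client secret in the CI provider's secret store and scope the M2M application to the test environment only, since its token is not tied to an interactive login.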

Hey,
It's me, the Product Manager here (Claire's squeaky wheel worked).

I would love to know more about your authentication setup and ideal testing logic you want to implement in your CI/CD.

I have a few questions:

  1. Do you want to have testing of the user authentication flows, or M2M token flows?
  2. If user authentication, what authentication methods do you have in your flow? And which methods do you want to test in your flow (all of them)?
  3. As Claire said, other customers have used an M2M access token to represent a user token for testing. You can add similar roles, permissions and other claims in the M2M access token to replicate a user access token. Would this satisfy your use-case?

Looking forward to hearing back from you.

Hi
Thank you for reaching out!
Regarding your questions:

  1. Our focus is on testing user authentication flows, not M2M token flows.
  2. We are currently using the Next.js app router SDK and I believe it's session-based authentication in our flow.

The purpose of the tests is to run integration tests that trigger APIs, and we need to make sure that the API flow and response are working correctly. To do this, it's essential that the tests simulate a logged-in user, and we do not want to stop the middleware to do it because some tests contain data ownership validation on user level.
Looking forward to your thoughts!

Hey,
Apologies for the delayed response here.
Thanks for elaborating on your use-case.

Are you able to let me know the authentication methods shown to your users when authenticating with your platform?

Sure, we are using the email + password method.

Thanks for the quick reply Alex.
I will discuss this with my team and get back to you by the end of the week.

Hey,
Just letting you know we are still discussing your use-case internally.
I will continue to update you when I have more information.

Are you currently blocked by this?

Hey,
thanks for the update.
Actually, all CI tests are now failing due to this token,
so it's a key feature for us currently!
Thank you.

Hey Alex,

I understand this is blocking you, sorry to hear this.

I am still discussing this with my team.
We are exploring ways to solve your CI/CD test use-case.
I will get back to you when I have more info.

Hey,
Are you using any testing packages, e.g. Playwright or Cypress?

Yes, we are using Playwright!

Hey,
A few other customers have implemented tests with Kinde using Playwright by establishing an offline session for a user via the one-off in-browser sign-in, with use of the refresh tokens.

I would suggest having a read of this doc and letting me know if this solves your use-case.

Hey, gonna give it a try!

Let us know how you go!
