OAuth 2.0
// Definition
An open delegation protocol that lets users grant third-party applications scoped access to their resources without sharing their password. OAuth 2.0 defines four grant flows — Authorization Code (web apps), Client Credentials (server-to-server), Device Code (CLI tools / TVs), and PKCE (mobile apps). QA engineers test OAuth flows by validating token exchange, scope enforcement, refresh token behaviour, and failure modes like expired tokens, insufficient scopes, and revoked access.
// Why it matters
OAuth lets an app act on a user's behalf without their password, via scoped, expiring tokens. QA tests the boundaries: that a token only grants its granted scopes, that it expires, that the redirect/callback can't be hijacked, and that revocation actually revokes.
// How to test
// readOnlyToken and expiredToken are test fixtures obtained before these steps run
// A token scoped to read:profile must NOT perform a write
cy.request({
  method: 'DELETE',
  url: '/api/posts/55',
  headers: { Authorization: `Bearer ${readOnlyToken}` },
  failOnStatusCode: false,
}).its('status').should('eq', 403) // scope enforced server-side
// Expired token is rejected
cy.request({ url: '/api/me', headers: { Authorization: `Bearer ${expiredToken}` }, failOnStatusCode: false })
  .its('status').should('eq', 401)
// Common mistakes
- Trusting the scope claim client-side but not enforcing it on the server
- Loose redirect_uri matching (opens token theft via open redirect)
- Treating OAuth (authorization) as if it proved identity (that's OIDC's job)
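The Cypress tests above probe the server from the outside. The following is an added example, not code from the original glossary or from any product it describes, showing the server-side counterpart those tests expect: a scope and expiry check for the same two endpoints, and exact redirect_uri matching placed beside the loose prefix match named in the common mistakes. `authorize`, `validateRedirectUri`, `ROUTE_SCOPES`, the registered client and the token claims are all constructed for illustration.

```javascript
// Added example: server-side enforcement behind the Cypress checks above.
// Not from the original page; names and sample data are constructed.

// Registered OAuth client metadata (constructed sample).
const REGISTERED_CLIENTS = {
  'web-app': { redirectUris: ['https://app.example.com/callback'] },
};

// Scope each protected route requires (constructed sample).
const ROUTE_SCOPES = [
  { method: 'GET', path: '/api/me', scope: 'read:profile' },
  { method: 'DELETE', path: /^\/api\/posts\/\d+$/, scope: 'write:posts' },
];

function requiredScope(method, path) {
  const route = ROUTE_SCOPES.find(
    (r) => r.method === method && (r.path instanceof RegExp ? r.path.test(path) : r.path === path),
  );
  return route ? route.scope : null;
}

// `claims` is the already verified token (signature checked or introspected);
// null means the bearer token was absent, malformed or failed verification.
// Returns the HTTP status the API should answer with, plus a reason for logs.
function authorize(claims, method, path, now = Math.floor(Date.now() / 1000)) {
  if (!claims) return { status: 401, reason: 'missing or invalid token' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { status: 401, reason: 'token expired' };
  }
  const needed = requiredScope(method, path);
  if (needed === null) return { status: 404, reason: 'unknown route' };
  // The scope claim is a space-separated list (RFC 6749 section 3.3).
  const granted = new Set((claims.scope || '').split(' ').filter(Boolean));
  if (!granted.has(needed)) return { status: 403, reason: `scope ${needed} not granted` };
  return { status: 200, reason: 'ok' };
}

// Exact-match redirect_uri validation: the presented URI must equal one of the
// registered strings byte for byte; no prefix, wildcard or normalisation.
function validateRedirectUri(clientId, redirectUri) {
  const client = REGISTERED_CLIENTS[clientId];
  return Boolean(client) && client.redirectUris.includes(redirectUri);
}

// The loose variant from the "common mistakes" list: prefix matching accepts
// any URI that merely starts with a registered one. Shown only for contrast.
function looseRedirectUriMatch(clientId, redirectUri) {
  const client = REGISTERED_CLIENTS[clientId];
  return Boolean(client) && client.redirectUris.some((u) => redirectUri.startsWith(u));
}

// Stand-alone run with constructed tokens, mirroring the two Cypress cases.
function demo(now = 1700000000) {
  const readOnlyToken = { sub: 'u1', scope: 'read:profile', exp: now + 3600 };
  const expiredToken = { sub: 'u1', scope: 'read:profile write:posts', exp: now - 1 };
  return {
    readOnlyDelete: authorize(readOnlyToken, 'DELETE', '/api/posts/55', now).status, // 403
    expiredMe: authorize(expiredToken, 'GET', '/api/me', now).status, // 401
    exactMatch: validateRedirectUri('web-app', 'https://app.example.com/callback/other'), // false
    looseMatch: looseRedirectUriMatch('web-app', 'https://app.example.com/callback/other'), // true
  };
}

console.log(demo());
```

The ordering inside `authorize` is deliberate: a missing or expired token is a 401 (re-authenticate), while a valid token lacking the scope is a 403 (authenticated but not permitted), which is exactly the distinction the two Cypress assertions check.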
// Related terms
JWT
JSON Web Token — a compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections separated by dots: header (signing algorithm), payload (claims like `sub`, `exp`, `roles`), and signature. Because the payload is encoded but not encrypted, any holder of the token can read the claims — never store secrets in a JWT payload. Test JWTs by checking expiry enforcement, algorithm validation (reject `alg: none`), and rejection of tampered signatures.
RBAC
Role-Based Access Control — a permission model where access rights are assigned to roles, and users inherit permissions by belonging to one or more roles. A `viewer` role can read resources; an `admin` role can create, update, and delete. In API testing, RBAC tests verify that each role can reach only the endpoints it should: a viewer calling `DELETE /content` should get a 403, not a 200. Broken access control at the object and function level is consistently in the OWASP API Security Top 10.
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.