Jeff Fillegar
How to Automate Testing for .NET APIs with JWT Authentication and Role Based Authorization
What are we testing?
A set of .NET 5 APIs with JWT Authentication and Role Based Authorization
How are we going to test and validate the APIs?
I will be using Tosca’s NoCode Visual Test Designer for building automated test cases to validate the APIs functionality.
The Loan Application Approval Process API
The Loan Manager API has the following endpoints that we will need to test for the Role Based Loan Approval Process Workflow:
Authenticate – returns a JWT access token with claims
GetLoansPendingApproval – Gets list of LoanApplications pending approval
GetCustomerLoanDetails – Gets Customer Loan Application details
UpdateLoanApplicationStatus – Updates LoanApplicationStatus
CheckLoanApplicationStatus – Gets LoanApplicationStatus
AcceptLoanTerms – Customer agrees and accepts loan terms
Roles in scope for testing
SuperAdmin
UnderWriter
SalesManager
SalesAgent
Customer
The LoanManager.API technology stack:
Visual Studio 2019
.NET 5 Web API
JWT Tokens
ASP.NET Identity and EF Core
Implemented for ASP.NET Identity Tables
AutoMapper
ADO.NET
YES! We still love ADO.NET.
SQL Server 2019
Stored Procedures
Swagger REST API documentation
What will we be validating with test automation?
We will automate the validation of the loan approval process that has been implemented via the LoanManagerAPI.
Swagger file:
Why are we using test automation?
Many permutations exist for the loan approval process. For example, customer personas with different credit scores, income levels, loan amounts, interest rates, and terms. For this tutorial we will limit the scope to 3 personas with 3 different loan approval workflows that validate the core business process to approve, accept, and reject a loan application.
.NET 5 APIs using JWT Tokens for Authentication
Let’s examine the Authentication and Authorization user stories we have in scope:
User Story 1: AuthenticateUser
API endpoint to authenticate a known user; returns an access token if the user is known.
Each API endpoint in the Loan Approval Process requires the Bearer token in the header.
Loan Approval Process Workflow
Now let’s examine the Role Based Loan Approval Process user stories we have in scope:
User Story 2: LoanApplicationApprovedAccepted
This process is invoked from customer website. We will be automating the validation of this user story via the API.
Customer submits loan application
LoanStatus = Submitted
Underwriter begins loan approval process
LoanStatus = Reviewing
Underwriter approves loan unconditionally
LoanStatus = Approved
Customer accepts loan terms
LoanStatus = Accepted
User Story 3: LoanApplicationApprovedRejected
This process is invoked from the customer website. We will be automating the validation of this user story via the API.
Customer’s loan application is approved; however, the customer rejects the terms and conditions.
Customer submits loan application
LoanStatus = Submitted
Underwriter begins loan approval process
LoanStatus = Reviewing
Underwriter approves loan unconditionally
LoanStatus = Approved
Customer accepts loan terms
LoanStatus = Rejected
User Story 4: LoanApplicationDenied
This process is invoked from the customer website. We will be automating the validation of this user story via the API.
Customer’s loan application is approved; however, Underwriting rejects the loan application.
Customer submits loan application
LoanStatus = Submitted
Underwriter begins loan approval process
LoanStatus = Reviewing
Underwriter denies loan application
LoanStatus = Denied
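To make the role checks behind User Stories 1 to 4 testable as a plain oracle, here is an added Python model (not code from this post or from LoanManager.API) that mints and verifies HS256 JWTs carrying a role claim and drives the LoanStatus transitions above, refusing any step whose token lacks the required role, whose signature does not verify, or whose header says alg=none. The signing key, the sub/role claim names, the action names and the "no application yet" starting status are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed for this example: the HS256 key the test harness shares with the API under test.
SECRET = b"example-signing-key-not-the-real-one"

# Role-gated transitions from User Stories 2-4 on this page: (current LoanStatus, action) ->
# (role the token must carry, resulting LoanStatus). None means no application yet. SuperAdmin,
# SalesManager and SalesAgent have no transition on the page, so the model grants them nothing (assumption).
TRANSITIONS = {
    (None, "Submit"): ("Customer", "Submitted"),
    ("Submitted", "BeginReview"): ("UnderWriter", "Reviewing"),
    ("Reviewing", "Approve"): ("UnderWriter", "Approved"),
    ("Reviewing", "Deny"): ("UnderWriter", "Denied"),
    ("Approved", "AcceptTerms"): ("Customer", "Accepted"),
    ("Approved", "RejectTerms"): ("Customer", "Rejected"),
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(email: str, role: str) -> str:
    """Build an HS256 JWT the way an Authenticate endpoint might (claim names are assumed)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": email, "role": role}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str) -> dict:
    """Check alg and signature before trusting any claim; rejects alg=none and tampered payloads."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def apply_action(status, action: str, token: str) -> str:
    """Return the new LoanStatus, or raise PermissionError if the role or transition is not allowed."""
    role = verify_token(token).get("role")
    rule = TRANSITIONS.get((status, action))
    if rule is None or rule[0] != role:
        raise PermissionError(f"{role!r} may not {action} from {status!r}")
    return rule[1]

def run_workflow(steps) -> str:
    """Drive (action, token) steps from 'no application yet'; returns the final LoanStatus."""
    status = None
    for action, token in steps:
        status = apply_action(status, action, token)
    return status
```

Each Tosca test case below corresponds to one run_workflow call; the negative cases (wrong role, forged signature, alg=none) are the ones worth keeping in the suite alongside the three happy paths.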
Tosca API Scan Test Case 1: VerifyAuthenticatedUser
This API requires the email and password of a known user.
Request View:
Click Run, and you will see the results in the Response.
In the Payload tab we can see that we got back a valid response and the access_token is populated.
This is the Bearer token we will use in order to call the next APIs.
Response Tab: