I am trying to automate tests for an authentication module that is used in back end services that serve requests on behalf of a user and does things with the user’s claims. I need to exchange username and password for a bearer token for said tests. My problem is twofold:
- It seems like it should be unnecessary to wrap my module in a dummy service and handle redirects for pretty simple tests.
- api/v1/authn, as documented here (Authentication | Okta Developer), always responds with a 401 code and a simple “Unauthorized” in the body, without error details, regardless of whether I provide valid or invalid credentials.
For this type of use case, the approach that is recommended is to set a very long refresh token lifetime and use the authorization code flow to retrieve the tokens.
When authenticating initially, include the offline_access scope, to retrieve the access, ID and refresh token. When the access token expires, you can use the refresh token to make a call to the /token endpoint to retrieve new tokens and continue to refresh it with the token. This still does require the initial user authentication for the token. After that point, the refresh token can be used to retrieve new tokens with user context without requiring authentication with the user.
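The flow described in this answer (authenticate once with `offline_access`, then renew the user-context bearer token via the refresh_token grant at the /token endpoint) as an added example; it is not code from the forum post or from Okta. The issuer URL, client id and token values are constructed placeholders, and `FakeTokenEndpoint` is an offline stand-in for the real /token endpoint so the example runs without a network. The request shape is the standard OAuth 2.0 refresh grant (RFC 6749 section 6).

```python
"""Keep a user-context bearer token alive with the refresh_token grant.

Added example, not code from the forum post or from Okta. Constructed values:
ISSUER, CLIENT_ID, the sample tokens and FakeTokenEndpoint (an offline stand-in
for /v1/token). Real transport is http_post_form, which is not used by demo().
"""
import json
import time
import urllib.request
from typing import Callable, Dict
from urllib.parse import urlencode, parse_qsl

ISSUER = "https://example.okta.com/oauth2/default"  # constructed placeholder
CLIENT_ID = "0oaEXAMPLECLIENTID"                      # constructed placeholder


def build_refresh_request(issuer: str, client_id: str, refresh_token: str,
                          scopes=("openid", "offline_access")):
    """Return (url, form-encoded body) for a refresh_token grant."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,          # public client: no client_secret
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),       # must be a subset of the original grant
    }
    return f"{issuer}/v1/token", urlencode(form)


def http_post_form(url: str, body: str) -> Dict:
    """Real transport: POST the form body and return the parsed JSON response."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenSet:
    """Access/ID/refresh tokens plus the logic to renew them before expiry."""

    def __init__(self, issuer, client_id, tokens: Dict, post: Callable = http_post_form,
                 now: Callable[[], float] = time.time, skew: int = 30):
        self.issuer, self.client_id = issuer, client_id
        self.post, self.now, self.skew = post, now, skew
        self.refresh_count = 0
        self.refresh_token = None
        self._store(tokens)

    def _store(self, tokens: Dict) -> None:
        self.access_token = tokens["access_token"]
        self.id_token = tokens.get("id_token")
        # Rotation: keep the newly issued refresh token if present, else the old one
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        self.expires_at = self.now() + int(tokens["expires_in"])

    def bearer(self) -> str:
        """Return a usable access token, refreshing it when (nearly) expired."""
        if self.now() >= self.expires_at - self.skew:
            self.refresh()
        return self.access_token

    def refresh(self) -> None:
        url, body = build_refresh_request(self.issuer, self.client_id, self.refresh_token)
        resp = self.post(url, body)
        if "error" in resp:
            # e.g. invalid_grant once the refresh token is revoked or its lifetime ends
            raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
        self._store(resp)
        self.refresh_count += 1


class FakeTokenEndpoint:
    """Constructed offline stand-in for /v1/token with refresh-token rotation."""

    def __init__(self, valid_refresh_tokens):
        self.valid = set(valid_refresh_tokens)
        self.issued = 0

    def __call__(self, url: str, body: str) -> Dict:
        params = dict(parse_qsl(body))
        if not url.endswith("/v1/token") or params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if params.get("refresh_token") not in self.valid:
            return {"error": "invalid_grant",
                    "error_description": "The refresh token is invalid or expired."}
        self.valid.discard(params["refresh_token"])   # old token retired
        self.issued += 1
        new_rt = f"rt-{self.issued}"
        self.valid.add(new_rt)
        return {"token_type": "Bearer", "expires_in": 3600, "scope": params["scope"],
                "access_token": f"at-{self.issued}", "refresh_token": new_rt}


def demo() -> Dict:
    """Walk a token set across one expiry against the fake endpoint."""
    clock = [1_000_000.0]
    endpoint = FakeTokenEndpoint(["rt-initial"])
    # Tokens as they would come back from the one-time authorization-code exchange
    initial = {"access_token": "at-initial", "id_token": "id-initial",
               "refresh_token": "rt-initial", "expires_in": 3600}
    ts = TokenSet(ISSUER, CLIENT_ID, initial, post=endpoint, now=lambda: clock[0])
    first = ts.bearer()      # still fresh: no call to /token
    clock[0] += 3600         # access token has now expired
    second = ts.bearer()     # triggers the refresh_token grant
    return {"first": first, "second": second, "refreshes": ts.refresh_count,
            "refresh_token": ts.refresh_token,
            "old_token_still_valid": "rt-initial" in endpoint.valid}
```

The test harness only needs the one interactive login that the answer mentions; after that, `TokenSet.bearer()` hands out a valid token for every request, and a rotated refresh token replaces the previous one so a retired value is never reused. An `invalid_grant` response is the signal that the refresh token itself has been revoked or has reached its configured lifetime and a new user login is required.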