How I automatically test .Net Core controller methods that require Authorization with Postman

Axel
4 min read · Jun 15, 2020


The purpose of this post is to explain how to automatically log in to your Identity Provider and run your controller tests.

Prerequisites

  • You have a .NET Core API configured to connect to your Identity Provider (does not need to be Identity Server 4)
  • You are familiar with sending requests in Postman

Client Configuration

Fig 1 IdentityServer4 client configuration — Note the GrantType

Postman will act as the client app trying to authenticate and authorize. You configure it in the Config.cs class of your Identity Provider.

In my case I have an API called festivalsapi, to which we want to gain access with our token.

GrantType.ResourceOwnerPassword: this grant type should not be used in production, but it is the configuration setting that allows us to log in and get a bearer token without having to open a browser window and type in our username and password.

User Configuration

In my case I have 2 roles I want to test. I define a user with an “Organizer” role and one with an “Admin” role. These will be my users to log in on the Identity Provider and call the API endpoints that require that role.

Fig 2 IdentityServer4 test user configuration

Resource Configuration

Fig 2 IdentityServer4 client configuration

Here you define the APIs you want to add to your IDP.
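The three IdentityServer4 configuration pieces above (the Postman client, the test users with their roles, and the API resource) as one Config.cs, added here as an example and not taken from the post's own screenshots. The client id, client secret, usernames, passwords and the "Organizer"/"Festival_Admin" role names are assumptions; the API name festivalsapi and the grant type come from the post. It is written for IdentityServer4 3.x; on 4.x the scope must additionally be registered as an ApiScope.

```csharp
// Config.cs of the Identity Provider (IdentityServer4 3.x assumed).
// Example added for this post; client id, secret, user names, passwords and
// role names are assumptions. Registered in the IDP's Startup with
//   services.AddIdentityServer()
//       .AddInMemoryApiResources(Config.Apis)
//       .AddInMemoryClients(Config.Clients)
//       .AddTestUsers(Config.Users)
//       .AddDeveloperSigningCredential();
using System.Collections.Generic;
using System.Security.Claims;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Test;

public static class Config
{
    // Resource Configuration: the API that Postman will call with the token.
    public static IEnumerable<ApiResource> Apis =>
        new List<ApiResource>
        {
            // UserClaims tells IdentityServer to copy the user's role claim into
            // the access token; without it [Authorize(Roles = ...)] always fails.
            new ApiResource("festivalsapi", "Festivals API")
            {
                UserClaims = { JwtClaimTypes.Role }
            }
        };

    // Client Configuration: Postman is the client. ResourceOwnerPassword lets it
    // send the user's credentials straight to the token endpoint, which is why
    // this client belongs in development configuration only.
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "postman",
                ClientName = "Postman test runner",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets = { new Secret("postman-dev-secret".Sha256()) },
                AllowedScopes = { "festivalsapi" },
                AccessTokenLifetime = 3600 // seconds; long enough for one collection run
            }
        };

    // User Configuration: one test user per role under test, plus one with no role
    // so the 403 path can be exercised as well.
    public static List<TestUser> Users =>
        new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "admin",
                Password = "admin-dev-password",
                Claims = { new Claim(JwtClaimTypes.Role, "Festival_Admin") }
            },
            new TestUser
            {
                SubjectId = "2",
                Username = "organizer",
                Password = "organizer-dev-password",
                Claims = { new Claim(JwtClaimTypes.Role, "Organizer") }
            },
            new TestUser
            {
                SubjectId = "3",
                Username = "norole",
                Password = "norole-dev-password"
            }
        };
}
```

The UserClaims entry on the ApiResource is the part most often forgotten: the test user can carry a role claim and still receive a token without it, and every role-protected request then returns 403 even for the admin user.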

Configure your API

To configure your API all you have to do is the following:

  1. Install-Package IdentityServer4.AccessTokenValidation
  2. Add UseIdentityServerAuthentication middleware to your Startup.cs — Configure method — before UseEndpoints (important).
  3. Make sure your APIName matches the API name from Config.cs on your Identity Provider.
Fig 3 API configuration
Fig 4 API configuration

[Authorize] Protected Controller Method

The only relevant thing is that only a user with the “Festival_Admin” role can access this PATCH method. If you want to learn how to implement Policies instead of Roles let me know.
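The API side of steps 1 to 3 together with the protected PATCH method, added here as an example rather than reproduced from the post's figures. On ASP.NET Core 3.1 the IdentityServer4.AccessTokenValidation package is wired up with AddIdentityServerAuthentication in ConfigureServices, and the middleware placed before UseEndpoints in Configure is UseAuthentication followed by UseAuthorization. The authority URL, the route, the FestivalPatch body type and the in-memory store are assumptions; the ApiName festivalsapi and the "Festival_Admin" role come from the post.

```csharp
// API project: Startup.cs and the controller (ASP.NET Core 3.1 assumed).
// Example added for this post; authority URL, route and the in-memory
// festival store are assumptions.
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Step 1: provided by the IdentityServer4.AccessTokenValidation package.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5001"; // the Identity Provider
                // Step 3: must equal the ApiResource name in the IDP's Config.cs;
                // a mismatch fails the token's audience check and every call is 401.
                options.ApiName = "festivalsapi";
                options.RequireHttpsMetadata = true;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Step 2: authentication and authorization must sit before UseEndpoints.
        // Placed after it they never see the request and [Authorize] is not enforced.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

public class FestivalPatch
{
    public string Name { get; set; }
}

[ApiController]
[Route("api/festivals")]
public class FestivalsController : ControllerBase
{
    // Constructed in-memory data so the example runs without a database.
    private static readonly Dictionary<int, string> Festivals =
        new Dictionary<int, string> { [1] = "Summer Fest" };

    // Only a token carrying the role "Festival_Admin" reaches the method body:
    // missing or invalid token -> 401, valid token without the role -> 403.
    [HttpPatch("{id}")]
    [Authorize(Roles = "Festival_Admin")]
    public IActionResult Patch(int id, [FromBody] FestivalPatch patch)
    {
        if (!Festivals.ContainsKey(id))
            return NotFound();

        Festivals[id] = patch.Name;
        return NoContent(); // 204, the status the Postman test checks for
    }
}
```

Because the role check happens in the authorization middleware, the controller body never runs for the 401 and 403 cases, which is exactly what the Postman tests below rely on.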

Postman Configuration

Now the juicy part!

Because we configured Postman to get its bearer tokens with GrantType.ResourceOwnerPassword, we can now pass the username and password in the body.

To automate this whole testing process the order of operations looks as follows:

  1. Sign in the users you want to test with
  2. Store the bearer token for each logged in user in the environment variables
  3. Run tests and retrieve the bearer token when necessary
Body to request a Bearer Token for a user without a role
Body to request a bearer token for a user with “Admin” role

I use the Tests tab to store the bearer token that was retrieved.

Storing the bearer token

Now I can test the controller methods that require authorization. Here I set the Authorization type to Bearer Token and retrieve the environment variable I stored with {{AdminToken}}.

If the PATCH method returns status code 204, I know that the authorization succeeded.

If the PATCH method returns status code 403, I know that the authorization failed.

Automatically Run all Tests with Postman Runner

I use the Postman Runner to run all my tests. The order in which tests run is important.

  1. Select which request collection you want to run
  2. Select the environment where you stored your bearer tokens as variables
  3. Run the authorization requests before all others

After running the festival collection we can see that the token requests ran first. I even added a request without an authorization header to get a 401 Unauthorized code.
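The same sequence the Postman runner executes (sign the users in, keep each bearer token, then call the protected method and check 204, 403 and 401) written as a small C# console harness with the IdentityModel client library, for example to run the checks in a build pipeline next to the Postman collection. This is an added example and not code from the post; the IDP and API URLs, client id and secret, and the credentials are assumptions and must match the Identity Provider's configuration. PasswordTokenRequest posts the same form fields (grant_type=password, client_id, client_secret, username, password, scope) that the Postman token request body contains.

```csharp
// C# harness mirroring the Postman runner order: tokens first, then the tests.
// Example added for this post; URLs, client id/secret and credentials are assumptions.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class AuthorizationTests
{
    const string Idp = "https://localhost:5001";
    const string PatchUrl = "https://localhost:6001/api/festivals/1";

    // Steps 1 and 2: log a user in with the password grant and return the
    // access token, the equivalent of the Postman environment variable.
    static async Task<string> SignInAsync(HttpClient http, string user, string password)
    {
        var disco = await http.GetDiscoveryDocumentAsync(Idp);
        if (disco.IsError) throw new Exception(disco.Error);

        var token = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "postman",
            ClientSecret = "postman-dev-secret",
            UserName = user,
            Password = password,
            Scope = "festivalsapi"
        });
        if (token.IsError) throw new Exception(token.Error);
        return token.AccessToken;
    }

    // Step 3: call the protected PATCH with, or without, a bearer token.
    static async Task<HttpStatusCode> PatchAsync(HttpClient http, string bearer)
    {
        var request = new HttpRequestMessage(HttpMethod.Patch, PatchUrl)
        {
            Content = new StringContent("{\"name\":\"Renamed Fest\"}", Encoding.UTF8, "application/json")
        };
        if (bearer != null)
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearer);

        var response = await http.SendAsync(request);
        return response.StatusCode;
    }

    static void Check(string name, HttpStatusCode expected, HttpStatusCode actual) =>
        Console.WriteLine($"{(expected == actual ? "PASS" : "FAIL")}: {name} (expected {(int)expected}, got {(int)actual})");

    public static async Task Main()
    {
        using var http = new HttpClient();

        // Token requests run before everything else, as in the runner.
        var tokens = new Dictionary<string, string>
        {
            ["AdminToken"] = await SignInAsync(http, "admin", "admin-dev-password"),
            ["OrganizerToken"] = await SignInAsync(http, "organizer", "organizer-dev-password"),
        };

        Check("admin role may PATCH", HttpStatusCode.NoContent, await PatchAsync(http, tokens["AdminToken"]));
        Check("organizer role is forbidden", HttpStatusCode.Forbidden, await PatchAsync(http, tokens["OrganizerToken"]));
        Check("no Authorization header is unauthorized", HttpStatusCode.Unauthorized, await PatchAsync(http, null));
    }
}
```

The three checks cover the three outcomes the post tests for: 204 when the role matches, 403 when the token is valid but lacks the role, and 401 when no token is sent at all. A 401 for the admin user usually points at an ApiName or authority mismatch rather than at the role configuration.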

And that's how you can automatically run all controller tests in Postman without having to log in. I would recommend using this method only in your development environment, as you don't want to allow anyone to log in with the GrantType.ResourceOwnerPassword grant.
