How to get an unlimited number of test users?

Test OpenID Connect authenticated applications with randomly generated users.

Iván Szkiba
Oct 9, 2019

Testing an authenticated application is rather difficult; to do so, you normally need several pre-generated test users. Additionally, if you test an application using a third-party identity provider, the test users have to be generated by the given identity provider (Facebook, Google, etc.).

Ideally, the test users are automatically generated by the third-party identity provider in the first steps of the testing process, and deleted after the test has been run. Even if the identity provider allows you to carry out such an operation, you will need special rights to do so.

Fake identity provider

In general, applications that use a third-party identity provider can use several of them, that is, they integrate more than one third-party identity provider. Certain identity providers integrate several third-party identity providers by default, thus removing the burden of integration from the application developers.

That is, integrating another identity provider for testing purposes won’t cause serious difficulties, especially if that provider is a standard OpenID Connect provider. Consequently, a possible solution for managing test users is integrating and using a special fake identity provider.

The test can generate any number of test users required for the given test in the preparatory phase, and once the test is over, it can delete them. The application will recognize the fake identity provider as an OpenID Connect provider, that is, as any other provider.

By the use of an authentication integrator service (e.g. Auth0, Amazon Cognito, Azure AD B2C, etc.), the fake identity provider can be integrated without introducing any change to the application.

Random user generator

To generate random users, especially in a high volume, you are advised to use a random user generator tool or service. In the preparatory phase of a test, you can load the users generated by the random user generator into the fake identity provider, and once the test is run successfully, you can delete said users.

Fake identity generator

What if you combine a random user generator and a fake identity provider? The fake identity generator produced this way could be used for generating and authenticating random users with the OpenID Connect protocol. If the users are generated in a deterministic way, on the basis of a login name, you do not need to store their data, as the users can be re-generated at any time.
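
The deterministic generation described above, as an added example (not PhantAuth's own code): the claims are derived from a SHA-256 hash of the login name, so the same login name always yields the same user and nothing has to be stored. The name lists, the `tenant` parameter, the `users.example.test` domain and the derivation scheme itself are assumptions made for illustration.

```python
import hashlib

# Constructed sample vocabulary (assumption, not taken from any real provider).
GIVEN_NAMES = ["Alice", "Bence", "Chen", "Dalia", "Emeka", "Freya", "Goran", "Hana"]
FAMILY_NAMES = ["Kovacs", "Nguyen", "Okafor", "Petrov", "Rossi", "Silva", "Tanaka", "Weber"]
# Hypothetical domain under the reserved .test TLD, so no mail is ever delivered.
TEST_EMAIL_DOMAIN = "users.example.test"


def generate_user(login_name: str, tenant: str = "default") -> dict:
    """Derive a stable set of OpenID Connect standard claims from a login name."""
    if not login_name or login_name != login_name.strip():
        raise ValueError("login name must be non-empty, without surrounding whitespace")

    # Length-prefix the tenant so ("ab", "c") and ("a", "bc") hash differently.
    material = f"{len(tenant)}:{tenant}:{login_name}".encode("utf-8")
    digest = hashlib.sha256(material).digest()

    # Both lists have 8 entries, so a byte modulo 8 selects without bias.
    given = GIVEN_NAMES[digest[0] % len(GIVEN_NAMES)]
    family = FAMILY_NAMES[digest[1] % len(FAMILY_NAMES)]

    # The subject identifier depends only on (tenant, login name): every test
    # run sees the same "sub" for the same user without a user database.
    sub = digest.hex()[:32]

    return {
        "sub": sub,
        "preferred_username": login_name,
        "name": f"{given} {family}",
        "given_name": given,
        "family_name": family,
        # The sub prefix keeps addresses unique when two users share a name.
        "email": f"{given}.{family}.{sub[:8]}@{TEST_EMAIL_DOMAIN}".lower(),
    }


if __name__ == "__main__":
    # Constructed login names: the first two calls return identical claims.
    for login in ("alice.test", "alice.test", "bob.test"):
        print(generate_user(login))
```
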

Unlimited number of test users

When using a fake identity generator, a test can run with an unlimited number of test users without having to produce these test users, as the fake identity generator automatically generates and authenticates a user for any selected login name. The test can also get the test user associated with a given login name from the fake identity generator, if necessary.

Is it theoretical?

No. Testing authenticated applications is a real issue, to which I tried to find a real solution. The fake identity generator called PhantAuth was developed on the basis of the above thoughts and ideas. PhantAuth is the combination of a random user generator and an OpenID Connect provider. The service, available free of charge, is accessible at: https://www.phantauth.net

Best practice

If you use third-party authentication, you are advised to integrate large identity providers (Facebook, Google) directly, while smaller identity providers can be integrated by the use of an integrator service (e.g. Auth0). For testing purposes, it is recommended that you integrate the PhantAuth fake identity generator in the relevant (dev or test) environment via an authentication integrator, without any changes made to the application.
