Testing Integromat Using Integromat? How We Built An OAuth2 Server Using Only A Few Scenarios

Dominik Kadera
The Glue of the Internet
5 min read · Sep 24, 2019

As we grow bigger and bigger, testing all of our features manually is becoming less and less feasible. That’s why we’re now running automated tests of our infrastructure, including our GUI, to ensure that everything works just fine for our customers. But how do we test features that need third-party services to work, like those with OAuth2 connections?

Testing Integromat via Integromat

For testing services that require remote interaction, like connections, we would need to mock that remote end somehow. Of course, we could create a microservice for that. But is that worth the hassle? Do we need to have another service to develop and manage?

Creating such a service would require setting up tests and a deployment process. We’d need to host it somewhere and create a separate database for the service. Overall, even though the service itself would be quite simple, the process from coding the service to its real deployment would take an unnecessarily long time.

That brought us to an idea. Would it be possible to use Integromat to test itself?

Could we use it to create a set of scenarios that would act like an OAuth2 server? That way, no DevOps interaction would be required. The development process would be simple and straightforward, with almost no coding at all. There would be no need for any extra libraries, and you can see what’s happening inside your server at any moment. Yes, let’s create an OAuth2 server in Integromat!

Just a Set of Webhooks

Now, let’s take a closer look at how the mocked server works. All the scenarios are composed mainly of three applications, Webhooks, Datastores, and Routers. There are three core scenarios — Authorize, Authorize backend, and Token scenario.

For those of you that know at least the basics of how OAuth2 works, these scenarios handle the Authorize and Token endpoints. Then there are several support scenarios for verifying the connection and the given scopes, and also for invalidating tokens. There’s also one maintenance scenario that removes expired tokens from the Datastore automatically.

Authorize

So, what can we see in the Authorization part? The registered OAuth2 clients live in a separate Datastore. Once a request comes to the Authorization endpoint, the scenario verifies that the client ID is registered. Then it checks the Redirect URI and the requested response type.

At the moment, only the “Code flow” (the authorization code grant) is implemented. The scenario then iterates over all requested scopes and checks that each of them is supported. When all those checks pass, it responds with an authorization pop-up like the one you may know from authenticating with your Google Account.

Authorize Backend

After the user or the robot that’s running the test grants access in the pop-up from the previous step, the backend part of the authorization process starts. It’s quite short. Its job is to generate the authorization code and then to redirect the user to the provided Redirect URI. Then, the token flow fires up.

Token

The Token scenario is the most complicated one. That’s because it handles both exchanging the code for a token pair and refreshing those tokens. It starts by checking the client ID and client secret from the request body. When those credentials don’t match the registered client, the scenario throws an error.

Then it decides whether to generate a new pair of Access Token and Refresh Token or to refresh the existing ones. That depends on the grant type parameter in the request body. When generating a new pair of tokens, the scenario checks the authorization code from the request and tries to pair it with the client. The Redirect URI check runs again, too. When there are no verification issues, the scenario generates a new Access Token and a new Refresh Token and stores them in their corresponding Datastores. It also deletes the authorization code it has just used. It sets the default expiration times of both tokens and then sends the response back to the sender.

The Refresh flow is quite similar to the first one, except there’s no code check. Instead, the scenario checks the provided Refresh Token and its expiration time. The rest is the same.
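The Authorize, Authorize backend and Token checks described above, written out as an added Python example; this is not code from the original post or from Integromat, the in-memory dicts stand in for the Datastores, and the client record, supported scopes and expiration times are assumed values. Errors come back as OAuth2 error codes instead of thrown errors so the results are easy to inspect.

```python
import secrets
import time

# Constructed stand-ins for the scenarios' Datastores (all values assumed).
CLIENTS = {"client-1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
SUPPORTED_SCOPES = {"read", "write"}
CODES, ACCESS_TOKENS, REFRESH_TOKENS = {}, {}, {}
ACCESS_TTL, REFRESH_TTL = 3600, 86400  # assumed defaults; the post gives no numbers

def authorize(client_id, redirect_uri, response_type, scope):
    # Authorize + Authorize backend: registered client, Redirect URI, response type, scopes.
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    if redirect_uri != client["redirect_uri"]:
        return {"error": "invalid_request"}
    if response_type != "code":  # only the code flow is implemented
        return {"error": "unsupported_response_type"}
    scopes = set(scope.split())
    if not scopes or not scopes <= SUPPORTED_SCOPES:
        return {"error": "invalid_scope"}
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scopes": scopes}
    return {"code": code}  # the scenario would redirect to redirect_uri with this code

def _issue_tokens(client_id, scopes, now):
    # New Access/Refresh pair with default expirations, stored in their own "Datastores".
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    ACCESS_TOKENS[access] = {"client_id": client_id, "scopes": scopes, "exp": now + ACCESS_TTL}
    REFRESH_TOKENS[refresh] = {"client_id": client_id, "scopes": scopes, "exp": now + REFRESH_TTL}
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer", "expires_in": ACCESS_TTL}

def token(body, now=None):
    # Token scenario: client credentials first, then branch on grant_type.
    now = time.time() if now is None else now
    client = CLIENTS.get(body.get("client_id"))
    if client is None or not secrets.compare_digest(client["secret"], body.get("client_secret", "")):
        return {"error": "invalid_client"}
    grant = body.get("grant_type")
    if grant == "authorization_code":
        entry = CODES.get(body.get("code"))
        # code must exist, belong to this client, and the Redirect URI check runs again
        if entry is None or entry["client_id"] != body["client_id"] or entry["redirect_uri"] != body.get("redirect_uri"):
            return {"error": "invalid_grant"}
        del CODES[body["code"]]  # the code is deleted once it has been used
        return _issue_tokens(body["client_id"], entry["scopes"], now)
    if grant == "refresh_token":
        entry = REFRESH_TOKENS.get(body.get("refresh_token"))
        if entry is None or entry["client_id"] != body["client_id"] or entry["exp"] <= now:
            return {"error": "invalid_grant"}
        del REFRESH_TOKENS[body["refresh_token"]]  # rotating the old refresh token is an added assumption
        return _issue_tokens(body["client_id"], entry["scopes"], now)
    return {"error": "unsupported_grant_type"}
```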

Operation Count

A successful OAuth2 authorization, including both the authorization and the token calls, eats about twenty operations, depending on the number of scopes. A token refresh requires eight more.

To Code or Not To Code

What are the real advantages of having an OAuth2 server mocked by Integromat then?

The speed of development. Definitely. Instead of having to create a new project and its repository, we have just created a new scenario and started composing. There was no configuration of tests, builds, or deployment. And most importantly, no coding at all. It took only a few hours and one developer to build the whole scenario set using only inbuilt features.

Another great advantage is the graphical representation of the whole server. All scenarios look clear and readable, and modules and filters are labelled by their purpose. They could even be used to teach how OAuth2 works. We can review every single performed call in the scenario history and see exactly what happened. And of course, we can modify the scenario at any time without having to go through the deployment process again.

The same with the data. We store all the mocked tokens and IDs in several Datastores where they are easily accessible. We can check and edit them without having to access a remote database.

And one more thing. We can say that Integromat is capable of running a fully-featured OAuth2 server that’s built only from an assortment of basic modules. Another case that demonstrates the power of the Integromat platform.

If you’re brave enough, you can create a whole custom API, integrating all the services you need, now even with the OAuth2 security layer.

Bring all your tools together with Integromat, a web-based tool to connect apps and automate workflows using a beautiful, no-code visual builder. The inbuilt HTTP app enables you to connect to any web service or API without writing a single line of code.

Integromat’s free plan comes with all its powerful features; give it a go and you might just fall in love.
