New Contributor
Posts: 2
Registered: ‎06-19-2017

Authorization with OAuth2.0 implicit grant: Delete cookie/log out

So I am doing authorization with OAuth2.0 implicit flow. With one profile it works really well.

But now I am creating api access tests where I need to use another user profile. So naturally I create another profile and everything works perfectly except that SoapUI seems to send a cookie, belonging to the first profile, to the identity server. The identity server then "thinks" I am already logged in so it doesn't ask for username+password and gives me another token belonging to the first profile.

 

So I have been trying to clear all the cookies with a groovy script but I have not been able to access them. It seems to me that these specific cookies are not accessible by groovy, could that be true?

 

Any solutions?

Moderator
Posts: 156
Registered: ‎03-17-2016

Re: Authorization with OAuth2.0 implicit grant: Delete cookie/log out

Hi,

 

Thank you for your post. 

Currently, the Internal browser opens with the existing (current) session, so you cannot re-log in with different credentials - the access token returned by the server will still be for the previous user (profile). We have a corresponding task in our backlog to fix this behavior. 

A workaround for the issue is restarting Ready! API. So, the process can be the following:
1. Write a script to get a token for your request and specify different credentials for the first and for the second user. 
2. Run the script for the first user and get an access token.
3. Restart Ready! API and run the script for the second user. 

Anastasia
Customer Care Team
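
A check a test suite could run after fetching a token for each profile, so that the session reuse described in this thread fails the test instead of silently exercising the API as the wrong user. This is an added example, not code from the thread or from SmartBear; it assumes the access tokens are JWTs carrying a `sub` claim, and the function names, profile names and sample tokens are constructed for illustration.

```groovy
import groovy.json.JsonException
import groovy.json.JsonOutput
import groovy.json.JsonSlurper

// Assumption: the identity server issues JWT access tokens with a "sub" claim.
// Reads the claim for a test assertion only; it does NOT verify the signature.
// Returns null when the token is opaque, malformed or has no subject.
String tokenSubject(String token) {
    def parts = token?.split('\\.', -1)
    if (parts == null || parts.length != 3) return null
    try {
        // JWT segments are unpadded base64url; java.util.Base64 accepts missing padding
        def json = new String(Base64.getUrlDecoder().decode(parts[1]), 'UTF-8')
        def claims = new JsonSlurper().parseText(json)
        return (claims instanceof Map) ? (claims.sub as String) : null
    } catch (IllegalArgumentException | JsonException e) {
        return null
    }
}

// Returns the profiles whose token does not belong to the expected user,
// the symptom of the browser session being reused across profiles.
List<String> mismatchedProfiles(Map<String, String> expectedSub, Map<String, String> tokens) {
    expectedSub.findAll { profile, expected ->
        tokenSubject(tokens[profile]) != expected
    }.keySet().toList()
}

// Constructed, unsigned sample tokens (header.payload.signature).
def fakeJwt = { String sub ->
    def enc = { String s ->
        Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes('UTF-8'))
    }
    enc('{"alg":"none"}') + '.' + enc(JsonOutput.toJson([sub: sub])) + '.sig'
}

// profileB was meant to log in as bob but received alice's token.
def tokens = [profileA: fakeJwt('alice'), profileB: fakeJwt('alice')]
def bad = mismatchedProfiles([profileA: 'alice', profileB: 'bob'], tokens)
assert bad == ['profileB']

// An opaque (non-JWT) token cannot be inspected and is reported as a mismatch.
assert mismatchedProfiles([profileA: 'alice'], [profileA: 'opaque-token']) == ['profileA']
```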


New Contributor
Posts: 2
Registered: ‎06-19-2017

Re: Authorization with OAuth2.0 implicit grant: Delete cookie/log out

Thanks for the reply Nastya.

It is nice to know that this behavior will be changed in the future.

 

Right now my temporary solution is to have a 1 sec lifetime on the cookies and a groovy script step that sleeps for 1 sec whenever I need to change a user profile. This is not ideal because now my tests are slow and I need to have a special version of the identity server that sets cookies with 1 sec lifetime.

 

I am not sure this matters but I am using the open source SoapUI so I guess I meant to post this in another forum (SMARTBEAR COMMUNITY : OPEN SOURCE TOOLS : SOAPUI OPEN SOURCE).

 

 

Also just to make 100% sure we are on the same page (which it actually seems like to me): I am not manually fetching the token with a groovy script myself but I am using the SoapUI authorization feature for the implicit flow with an automation script for the login.

Moderator
Posts: 156
Registered: ‎03-17-2016

Re: Authorization with OAuth2.0 implicit grant: Delete cookie/log out

Hjalti,

 

Thank you for sharing your solution with us!

Yes, if you use SoapUI open source you need to post into SMARTBEAR COMMUNITY : OPEN SOURCE TOOLS : SOAPUI OPEN SOURCE.

 


hjalti wrote:

 

 

Also just to make 100% sure we are on the same page (which it actually seems like to me): I am not manually fetching the token with a groovy script myself but I am using the SoapUI authorization feature for the implicit flow with an automation script for the login.

 


Yes, it doesn't matter how you retrieve an access token - manually or using a groovy script. 

Anastasia
Customer Care Team
