Forum Discussion

hjalti's avatar
hjalti
New Contributor
7 years ago

Authorization with OAuth2.0 implicit grant: Delete cookie/log out

So I am doing authorization with OAuth2.0 implicit flow. With one profile it works really well.

But now I am creating api access tests where I need to use another user profile. So naturally I create another profile and everything works perfectly except that SoapUI seems to send a cookie, belonging to the first profile, to the identity server. The identity server then "thinks" I am already logged in so it doesn't ask for username+password and gives me another token belonging to the first profile.

 

So I have been trying to clear all the cookies with a groovy script but I have not been able to access them. It seems to me that these specific cookies are not accessable by groovy, could that be true?

 

Any solutions?

3 Replies

  • Nastya_Khovrina's avatar
    Nastya_Khovrina
    SmartBear Alumni (Retired)

    Hi,

     

    Thank you for your post. 

    Currently, the Internal browser opens with the existing (current) session, so you cannot re-log in with different credentials - the access token returned by the server will still be for the previous user (profile). We have a corresponding task in our backlog to fix this behavior. 

    A workaround for the issue is restating Ready! API.So, the process can be the following:
    1. Write a script to get a token for your request and specify different credentials for the first and for the second user. 
    2. Run the script for the first user and get an access token.
    3. Restart Ready! API and run the script for the second user. 

    • hjalti's avatar
      hjalti
      New Contributor

      Thanks for the reply Nastya.

      It is nice to know that this behavior will be changed in the future.

       

      Right now my temporary solution is to have a 1 sec lifetime on the cookies and a groovy script step that sleeps for 1 sec whenever I need to change a user profile. This is not ideal because now my tests are slow and I need to have a special version of the identity server that sets cookies with 1 sec lifetime.

       

      I am not sure this matters but I am using the open source SoapUI so I guess I meant to post this in another forum..(SMARTBEAR COMMUNITY : OPEN SOURCE TOOLS : SOAPUI OPEN SOURCE)

       

       

      Also just to make 100% sure we are on the same page(which it actually seems like to me): I am not manually fetching the token with a groovy script myself but I am using the SoapUI authorization feature for the implicit flow with an automation script for the login.

      • Nastya_Khovrina's avatar
        Nastya_Khovrina
        SmartBear Alumni (Retired)

        Hjalti,

         

        Thank you for sharing your solution with us!

        Yes, if you use SoapUI open source you need to post into SMARTBEAR COMMUNITY : OPEN SOURCE TOOLS : SOAPUI OPEN SOURCE.

         


        hjalti wrote:

         

         

        Also just to make 100% sure we are on the same page(which it actually seems like to me): I am not manually fetching the token with a groovy script myself but I am using the SoapUI authorization feature for the implicit flow with an automation script for the login.

         


        Yes, it doesn't matter how you retrieve an access token - manually or using a groovy script.