35 lines
1.5 KiB
Gherkin
35 lines
1.5 KiB
Gherkin
@javascript
|
|
Feature: Access protected resources using implicit flow
|
|
Background:
|
|
Given a user with username "kent"
|
|
|
|
Scenario: Invalid client id to auth endpoint
|
|
When I register a new client
|
|
And I send a post request from that client to the authorization endpoint using a invalid client id
|
|
And I sign in as "kent@kent.kent"
|
|
Then I should see a message containing "Invalid client id or redirect uri"
|
|
|
|
Scenario: Application is denied authorization
|
|
When I register a new client
|
|
And I send a post request from that client to the authorization endpoint
|
|
And I sign in as "kent@kent.kent"
|
|
And I deny authorization to the client
|
|
Then I should not see any tokens in the redirect url
|
|
|
|
Scenario: Application is authorized
|
|
When I register a new client
|
|
And I send a post request from that client to the authorization endpoint
|
|
And I sign in as "kent@kent.kent"
|
|
And I give my consent and authorize the client
|
|
And I parse the bearer tokens and use it to access user info
|
|
Then I should receive "kent"'s id, username, and email
|
|
|
|
Scenario: Application is authorized and uses small value for the max_age parameter
|
|
When I register a new client
|
|
And I sign in as "kent@kent.kent"
|
|
And I have signed in 5 minutes ago
|
|
And I send a post request from that client to the authorization endpoint with max age
|
|
And I sign in as "kent@kent.kent"
|
|
And I give my consent and authorize the client
|
|
And I parse the bearer tokens and use it to access user info
|
|
Then I should receive "kent"'s id, username, and email
|