
Ask HN: How to test OAuth2-protected API endpoints - desmap
It seems that a lot of people worship test-driven development and I think it is super helpful if you develop API endpoints. But I am just wondering how to deal with OAuth2-protected endpoints (e.g. protected with LinkedIn-OAuth2).

Mocking the OAuth2 provider would need to mock/rewrite the entire server app; isolated unit tests without login state don't seem to be really helpful. Setting up browser tests with puppeteer simulating all the clicks through the site just to test some protected API endpoints feels like taking a sledgehammer to crack a nut (paired with the problem that it's not so easy to create test accounts on LinkedIn without getting flagged).

So, do I miss something? How do people deal with this? Is this entire thing about TDD/BDD just empty talk and only basic stuff is being tested (like the server responds status 200)?

FYI, to get the auth code from the OAuth2 provider (e.g. LinkedIn) the user needs to go through the login flow. So, I don't see any way to just provide a given code while skipping the login.
======
imduffy15
Unsure about your specific framework/language, but I've done this in the past
with spring boot and java.

Spring provides a mocked OAuth2 server that you can bring in for test purposes
and do whatever you need to do
https://stackoverflow.com/questions/29510759/how-to-test-spring-security-oauth2-resource-server-security
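
One way to test the code-exchange path without the browser login, as an added example that is not part of the thread: point the app's provider base URL at a local stub that accepts a fixed code. The endpoint paths (`/token`, `/me`), the fixture values and `login_with_code` are assumptions made for illustration, not LinkedIn's API.

```python
import json, threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test fixtures: none of these are real provider values.
TEST_CODE, TEST_TOKEN = "test-auth-code", "test-access-token"
TEST_PROFILE = {"id": "u-123", "name": "Test User"}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

class StubProvider(BaseHTTPRequestHandler):
    """Stand-in for the provider's token and profile endpoints (hypothetical paths)."""
    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):  # authorization code -> access token exchange
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path == "/token" and form.get("code") == [TEST_CODE]:
            self._send(200, {"access_token": TEST_TOKEN, "token_type": "Bearer"})
        else:
            self._send(400, {"error": "invalid_grant"})

    def do_GET(self):  # profile lookup, gated on the bearer token
        if self.path == "/me" and self.headers.get("Authorization") == f"Bearer {TEST_TOKEN}":
            self._send(200, TEST_PROFILE)
        else:
            self._send(401, {"error": "invalid_token"})

    def log_message(self, *args):  # keep test output quiet
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubProvider)  # port 0: OS picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def login_with_code(provider_url, code):
    """What the app's callback handler does: swap the code for a token, then fetch the profile."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code}).encode()
    with OPENER.open(urllib.request.Request(provider_url + "/token", data=body)) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request(provider_url + "/me", headers={"Authorization": f"Bearer {token}"})
    with OPENER.open(req) as r:
        return json.load(r)

if __name__ == "__main__":
    server, url = start_stub()
    print(login_with_code(url, TEST_CODE))
```

Keep the provider URL override in test configuration only, so a production build can never be pointed at a stub that hands out tokens for a fixed code.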

