Does Google provide test users for integration testing

Question

Test users are very good to do integration testing.

When I develop facebook oauth enabled stuff I can programmatically create test users and use them as real users of my application. They behave in the same way of real users, the only difference is that they are sandboxed.

Does Google offer something like that?

They are moving all their services to oauth2 and I'd like to write a full integration test with "real" users.

Currently I manually run my integration tests and authorize the application when requested, obviously this approach is not good for CI and truly automated test.

The only alternative that I see is to create a real account used only in tests and use its credentials interacting with something like selenium.

Other alternatives?

Answer 1

How to get Google access token programmatically (automated testing)?

• Create a project on Google-console: https://console.cloud.google.com/

• Go to Credentials -> + CREATE CREDENTIALS -> OAuth client ID:

  • Application Type: Web
  • Name: Some application's name
  • Authorized redirect URIs: https://developers.google.com/oauthplayground + (optionally) your real callback handlers, e.g. https://example.com/auth/google/callback.
  • Press Create.
  • Save Client ID and Client Secret.

• Go to https://developers.google.com/oauthplayground

• Press top right settings (gear) icon (OAuth 2.0 configuration):

  • (!) Force prompt: Consent Screen
  • Tick "Use your own OAuth credentials" and enter OAuth Client ID and OAuth Client secret, close the OAuth 2.0 configuration" screen.

• At the bottom of the Step 1 accordion panel enter required space-separated scopes (see https://developers.google.com/identity/protocols/oauth2/scopes#oauth2):

  • openid (default)

  • https://www.googleapis.com/auth/userinfo.email

  • https://www.googleapis.com/auth/userinfo.profile

  • Example:

    openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
    

  • and press Authorize APIs.

• On the next screen choose the account (optional screen) and give the permissions to the app.

• Then you should be redirected to https://developers.google.com/oauthplayground/?code=SOME-SINGLE-USE-CODE&scope=openid&...

• Press Exchange authorization code for tokens

• OR manually via

  curl -v "https://oauth2.googleapis.com/token" -d "code=SOME-SINGLE-USE-CODE&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=YOUR_APP_CLIENT_ID&client_secret=YOUR_APP_CLIENT_SECRET&scope=&grant_type=authorization_code"
  

• Get your non-expiring refresh token.

• Finally, get access token from Access token

• OR manually:

  curl -d "client_id=YOUR_APP_CLIENT_ID&client_secret=YOUR_APP_CLIENT_SECRET&grant_type=refresh_token&refresh_token=YOUR_APP_REFRESH_TOKEN" "https://oauth2.googleapis.com/token"
  

Validate:

curl "https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=ACCESS_TOKEN"

{
  "id": "10934363016XXXXXXXXXX",
  "picture": "https://lh3.googleusercontent.com/a-/AOh14GhoUlKjYgC-..."
}

Answer 2

You can create a google account and configure a simple project/client within googles cloud console. Then you can configure it for oauth and use googles oauth-playground for creating a refresh-token (which never expires).

With your client-id, client-secret and the refresh-token you can send a post-request in your tests to googles auth-token endpoint (https://www.googleapis.com/oauth2/v4/token) and will receive a valid (short-time) access-token. No manual steps needed here.

I've read about it in this guide.

Answer 3

You are correct Google don't offer a test user API in the same way that Facebook do. I think you have two options:

1. Use "real" Google users as you stated. This can cause issues if Google blocks these accounts or adds extra checks to test if they are real users to not (Phone verification). They also do some A-B testing which can break your test scripts.

2. Use a mock third party instead of the Google service. This will test your generic oauth integration code but obviously isn't as robust as testing against the real Google service. This method can be more stable as you control the mock service.