Testing Procedures
For third-party applications using OAuth and Identity and Access Management (IAM), testing procedures must focus on verifying the secure exchange of authorization credentials and validating that the application can only access resources explicitly permitted by the user. Testing must cover functional, security, and integration aspects to ensure that the application's implementation correctly follows the OAuth and IAM protocols.
To verify a successful connection and assist with troubleshooting, Oracle Utilities needs the ability to log in on the third-party partner’s stage environment. This may require VPN access if the stage environment is located behind a firewall. This access also requires at least one valid login on the stage environment. After testing is complete, the configurations are migrated to the production applications for both Oracle Utilities and the third-party partner. To verify these connections, Oracle Utilities also needs a test account on production.
The stage and production test accounts should remain available for the life of the program so that end-to-end SSO functionality can be verified continuously. To coordinate provisioning of these test accounts, refer to Contact Your Delivery Team.
Functional Testing
Functional testing confirms that the authorization flows work as expected and that the application can successfully access the requested resources. It is recommended to include the following:
- Test All OAuth 2.0 Flows:
  - Authorization Code Flow (with PKCE): Simulate the complete authorization code grant flow, including obtaining the authorization code, exchanging it for an access token, and using the token to access a protected resource. This is the recommended flow for most applications, especially public clients, including both mobile and single-page applications.
  - Client Credentials Flow: Verify that machine-to-machine communications for trusted applications can securely request an access token using only the client ID and secret.
- Validate Token Handling:
  - Access Token Requests: Confirm that the application can successfully request, receive, and use access tokens from the authorization server.
  - Token Expiration and Refresh: Test that the application handles token expiration gracefully, using the refresh token to obtain a new access token without requiring the user to re-authenticate.
  - Token Revocation: Validate that revoking a token on the authorization server correctly invalidates the access for the third-party application.
- Perform User Experience Testing:
  - Consent Screen Review: Verify that the user consent screen, which displays the permissions the third-party application is requesting, is accurate, clear, and informative.
  - User Login and Redirection: Confirm that the user is properly redirected to the third-party application after a successful login and authorization.
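The following is an added example, not Oracle Utilities or partner code, showing how the PKCE, expiration and revocation checks above can be exercised offline: it implements the client-side code verifier and S256 challenge from RFC 7636 and a constructed in-memory stand-in for the authorization server (`FakeAuthServer`, an assumption for testing only) that enforces single-use codes, redirect URI matching and challenge verification at token exchange.

```python
import base64
import hashlib
import secrets
import time

def make_verifier() -> str:
    # RFC 7636 requires 43-128 unreserved chars; 32 random bytes encode to 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class FakeAuthServer:
    """Constructed stand-in for the authorization server (not a real product)."""
    def __init__(self, ttl=3600):
        self.codes = {}       # authorization code -> (challenge, redirect_uri)
        self.active = set()   # access tokens issued and not yet revoked
        self.ttl = ttl

    def issue_code(self, challenge, redirect_uri):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (challenge, redirect_uri)
        return code

    def exchange(self, code, verifier, redirect_uri, now=None):
        entry = self.codes.pop(code, None)  # single use, even on failure
        if entry is None or entry[1] != redirect_uri:
            return None
        if not secrets.compare_digest(s256_challenge(verifier), entry[0]):
            return None  # verifier does not match the challenge sent earlier
        token = secrets.token_urlsafe(24)
        self.active.add(token)
        issued = now if now is not None else time.time()
        return {"access_token": token, "expires_at": issued + self.ttl}

    def revoke(self, token):
        self.active.discard(token)

    def is_active(self, token):
        return token in self.active

def needs_refresh(token, now, skew=60):
    # Refresh a little early so a token does not expire mid-request.
    return now >= token["expires_at"] - skew
```

A test harness for a real partner integration would replace `FakeAuthServer` with HTTP calls to the stage environment's endpoints and keep the same assertions.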