-
-
Notifications
You must be signed in to change notification settings - Fork 0
Manual Testing
The spec/dummy directory contains a Rails application for testing the engine. The dummy app includes a /callback endpoint that displays authorization codes returned from the OAuth flow, and helper scripts that guide you through the complete OAuth flow.
- Start the dummy app server:
cd spec/dummy
bin/rails db:migrate
bin/rails server- Create a test user in the Rails console:
bin/rails consoleUser.create!(email: "test@example.com", password: "password")For pre-registered clients, first create a client in the console:
TokenAuthority::Client.create!(
name: "Test Client",
client_type: "confidential",
redirect_uris: ["http://localhost:3000/callback"]
)Then run one of the helper scripts:
bin/rails runner script/generate_link_for_authorize_endpoint.rbThe script will display an authorization URL. Open it in your browser, sign in with the test user, and approve the authorization. After being redirected to the callback page, copy the authorization code and enter it into the script prompt. The script will output a curl command to exchange the code for tokens.
| Script | Description |
|---|---|
public_client.rb |
Public client with PKCE |
confidential_client.rb |
Confidential client (minimal params, no PKCE) |
confidential_client_pkce.rb |
Confidential client with PKCE |
confidential_client_full.rb |
Confidential client with PKCE and redirect_uri |
dynamic_client_registration.rb |
Dynamic client registration + OAuth flow |
client_metadata_document.rb |
URL-based client (Client Metadata Document) |
serve_client_metadata.rb |
WEBrick server for hosting client metadata (use with ngrok) |
The dummy app has dynamic client registration enabled by default. You can test the full flow (public client registration + PKCE authorization):
bin/rails runner script/dynamic_client_registration.rbThis script:
- Registers a public client via
/oauth/register - Generates PKCE parameters
- Displays the authorization URL
- Prompts for the authorization code
- Exchanges the code for tokens
| Script | Description |
|---|---|
dynamic_client_registration.rb |
Public client with PKCE (DCR + OAuth flow) |
register_confidential_client.rb |
Register confidential client (client_secret_basic) |
register_public_client.rb |
Register public client (token_endpoint_auth_method: none) |
register_client_secret_post.rb |
Register client with client_secret_post auth |
register_client_with_private_key_jwt.rb |
Register client with private_key_jwt auth |
register_client_with_initial_access_token.rb |
Test protected registration |
register_client_with_software_statement.rb |
Register with software statement JWT |
Register a client manually:
curl -X POST http://localhost:3000/oauth/register \
-H "Content-Type: application/json" \
-d '{
"redirect_uris": ["http://localhost:3000/callback"],
"client_name": "My App",
"token_endpoint_auth_method": "none"
}'The dummy app has scopes configured by default (read, write, delete, profile). To test the OAuth flow with scopes:
-
Add the
scopeparameter to the authorization URL:GET /oauth/authorize?client_id=...&scope=read%20write&... -
The consent screen will display the requested scopes with their descriptions
-
When exchanging the code for tokens, the response includes a
scopefield:{ "access_token": "...", "refresh_token": "...", "token_type": "bearer", "expires_in": 300, "scope": "read write" } -
The access token JWT includes a
scopeclaim with the space-delimited scope tokens
URL-based client identifiers allow clients to use an HTTPS URL as their client_id. The authorization server fetches client metadata from the URL at runtime, enabling lightweight client registration without pre-registration.
The dummy app includes scripts for testing URL-based client identifiers:
Terminal 1 - Start the metadata server:
cd spec/dummy
ruby script/serve_client_metadata.rbTerminal 2 - Expose it via ngrok:
ngrok http 4567Copy the ngrok HTTPS URL (e.g., https://abc123.ngrok-free.app) and paste it into Terminal 1 when prompted.
Terminal 3 - Start the Rails server:
cd spec/dummy
bin/rails serverTerminal 4 - Run the OAuth flow:
cd spec/dummy
bin/rails runner script/client_metadata_document.rb- Enter the client_id URL shown in Terminal 1 (e.g.,
https://abc123.ngrok-free.app/oauth-client) - Press Enter to accept the default redirect_uri
- The script automatically opens the authorization URL in your browser
- Sign in and approve the authorization
- Copy the authorization code from the callback page
- Paste it back into Terminal 4
The script exchanges the code for tokens and displays the result.
URL-based clients:
- Are always treated as public clients (no client secret)
- Must always use PKCE (code_challenge/code_verifier)
- Must always provide redirect_uri in both authorization and token requests
- Require the metadata document to be accessible via HTTPS
The metadata document served at your client_id URL must be valid JSON with at least these fields:
{
"client_id": "https://your-server.example.com/oauth-client",
"client_name": "My Application",
"redirect_uris": ["https://your-server.example.com/callback"]
}The client_id field must match the URL where the document is hosted.
| Script | Description |
|---|---|
serve_client_metadata.rb |
WEBrick server that hosts a metadata document (use with ngrok) |
client_metadata_document.rb |
Full OAuth flow with URL-based client (PKCE + token exchange) |
After completing the authorization flow and receiving an authorization code, exchange it for tokens:
curl -X POST http://localhost:3000/oauth/token \
-d "grant_type=authorization_code" \
-d "code=YOUR_AUTH_CODE" \
-d "client_id=https://YOUR-NGROK-URL/oauth-client" \
-d "redirect_uri=http://localhost:3000/callback" \
-d "code_verifier=YOUR_CODE_VERIFIER"- Installation Guide - Setting up TokenAuthority
- Configuration Reference - Configuration options
Getting Started
- Installation Guide
- MCP Quickstart
- Configuration Reference
- User Authentication
- Protecting API Endpoints
- Customizing Views
- Event Logging
- Instrumentation
Process Flows
- Authorization Code Grant
- Authorization Code Redemption
- Token Refresh
- Token Revocation
- Authorization Server Metadata
- Protected Resource Metadata
- Dynamic Client Registration
- Client Metadata Documents
Development