I'll show you how to use Postman to test a protected GraphQL API and run the test collection with Newman from GitHub Actions!
Note: This article is part of an open-source full-stack app
Postman is a well-known tool that helps you test your APIs.
Not yet, but I see the possibility of it becoming a powerful tool for GraphQL.
Unfortunately, Postman does not support schema introspection, so this has to be done manually!
Tests can be defined in several scopes. A scope is simply the place where a test is attached:
- Collection level
- Folder level
- Request level
Postman does not have an init script that runs once on startup! You can work around this and implement it using variables!
This depends on whether you run the tests manually or automated. If you run headless from CI/CD, you need to write scripts, and that can be difficult with some OIDC providers that have strict rules and check all security aspects.
For testing purposes, you can define a specific OIDC client with client_id: Postman. You can simply protect it with ResourceOwnerPassword and create a test user for it.
(Image from Okta)
ResourceOwnerPassword is fully secured in this scenario:
- You have a special client (OIDC client) and you need a secret to use it.
- The test user still needs to provide his
- It will only be activated under a specific flag.
- It will not be used publicly.
- It can be restricted to a specific origin.
To request a new token, you must make an asynchronous call to the OIDC token endpoint:
1) Check if you have the token from the previous run.
2) Validate the lifetime of the token.
- Token is valid -> use the existing one
- Token has expired -> request a new one
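The two steps above, together with the "init once via variables" workaround mentioned earlier, as an added example (not the article's own pre-request script): the token and its absolute expiry are kept in Postman variables, a cached token is reused while it is still valid, and a new one is requested with the ResourceOwnerPassword grant only when needed. Postman's pm.environment is replaced by a small in-memory store so the logic runs under plain Node.js; the variable names (oidc_token_url, oidc_client_id, test_user, ...) and the 30-second renewal margin are assumptions.

```javascript
// Added example, not the article's script: token-reuse logic for a Postman
// pre-request script. `pm.environment` is replaced by an in-memory store so the
// same logic can run and be tested under Node.js.
const RENEW_MARGIN_MS = 30 * 1000; // renew a little before the real expiry (assumed margin)

function makeEnvironment(initial = {}) {
  const store = { ...initial };
  return {
    get: (key) => store[key],
    set: (key, value) => { store[key] = String(value); },
  };
}

// Steps 1 and 2: is there a token from the previous run, and is it still valid?
function tokenIsValid(env, nowMs) {
  const token = env.get('access_token');
  const expiresAt = Number(env.get('token_expires_at'));
  return Boolean(token) && Number.isFinite(expiresAt) && nowMs + RENEW_MARGIN_MS < expiresAt;
}

// Persist a token response; expires_in (seconds) becomes an absolute timestamp
// so the next run can validate the lifetime without calling the provider.
function storeToken(env, tokenResponse, nowMs) {
  const ttl = Number(tokenResponse && tokenResponse.expires_in);
  if (!tokenResponse || typeof tokenResponse.access_token !== 'string' || !Number.isFinite(ttl)) {
    throw new Error('token endpoint returned an unexpected response');
  }
  env.set('access_token', tokenResponse.access_token);
  env.set('token_expires_at', nowMs + ttl * 1000);
}

// Resource Owner Password grant body; the variable names are assumptions.
function passwordGrantBody(env) {
  return {
    grant_type: 'password',
    client_id: env.get('oidc_client_id'),
    client_secret: env.get('oidc_client_secret'),
    username: env.get('test_user'),
    password: env.get('test_user_password'),
    scope: env.get('oidc_scope') || 'openid',
  };
}

// requestToken(url, body) -> Promise<{ access_token, expires_in }> is injected,
// so a fake can be used in Node and pm.sendRequest (adapter below) in Postman.
async function ensureAccessToken(env, requestToken, nowMs = Date.now()) {
  if (tokenIsValid(env, nowMs)) {
    return { token: env.get('access_token'), renewed: false };
  }
  const response = await requestToken(env.get('oidc_token_url'), passwordGrantBody(env));
  storeToken(env, response, nowMs);
  return { token: response.access_token, renewed: true };
}

// Adapter for the real Postman sandbox: wraps pm.sendRequest in a promise.
// Usage in a pre-request script: await ensureAccessToken(pm.environment, postmanTokenRequester(pm))
function postmanTokenRequester(pm) {
  return (url, body) => new Promise((resolve, reject) => {
    pm.sendRequest({
      url,
      method: 'POST',
      header: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: {
        mode: 'urlencoded',
        urlencoded: Object.entries(body).map(([key, value]) => ({ key, value })),
      },
    }, (err, res) => (err ? reject(err) : resolve(res.json())));
  });
}
```

Because the expiry is stored as an absolute timestamp rather than the raw expires_in, a token obtained by one request is reused by every later request in the same run and by the next run until it is close to expiry; the margin avoids sending a token that expires in flight.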
OAuth_Token_Exchange triggers the request with the function
JSON, and you need to create a helper script to validate it. This script validates property by property, with the option to ignore some properties.
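A property-by-property validator of the kind described above, as an added example (not the article's own helper): every property of the expected object is compared against the actual response, nested objects and arrays are walked recursively, and paths listed in ignore (dot notation such as data.me.id) are skipped so volatile values do not break the test. The sample GraphQL response and the pm.test usage in the comment are constructed for the example.

```javascript
// Added example, not the article's helper: compare an actual JSON response with
// an expected object property by property, collecting every difference as a
// human-readable path. Properties present only in the actual response are not
// flagged; the check is driven by what the test expects.
const typeOf = (v) => (v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v);

function validateJson(expected, actual, ignore = []) {
  const ignored = new Set(ignore);
  const diffs = [];
  const label = (path) => path || '$';

  const walk = (exp, act, path) => {
    if (Array.isArray(exp)) {
      if (!Array.isArray(act)) {
        diffs.push(`${label(path)}: expected array, got ${typeOf(act)}`);
        return;
      }
      if (exp.length !== act.length) {
        diffs.push(`${label(path)}: expected ${exp.length} items, got ${act.length}`);
      }
      exp.forEach((item, i) => {
        const childPath = `${path}[${i}]`;
        if (i < act.length && !ignored.has(childPath)) walk(item, act[i], childPath);
      });
      return;
    }
    if (exp !== null && typeof exp === 'object') {
      if (act === null || typeof act !== 'object' || Array.isArray(act)) {
        diffs.push(`${label(path)}: expected object, got ${typeOf(act)}`);
        return;
      }
      for (const key of Object.keys(exp)) {
        const childPath = path ? `${path}.${key}` : key;
        if (ignored.has(childPath)) continue; // explicitly excluded property
        if (!(key in act)) {
          diffs.push(`${childPath}: missing`);
          continue;
        }
        walk(exp[key], act[key], childPath);
      }
      return;
    }
    if (exp !== act) {
      diffs.push(`${label(path)}: expected ${JSON.stringify(exp)}, got ${JSON.stringify(act)}`);
    }
  };

  walk(expected, actual, '');
  return diffs;
}

// Constructed sample: what a GraphQL "me" query is expected to return, and an
// actual response that differs only in the ignored id and an extra field.
const expectedResponse = { data: { me: { id: '<any>', name: 'Test User', roles: ['user'] } } };
const actualResponse = { data: { me: { id: '4f1c', name: 'Test User', roles: ['user'], createdAt: '2024-01-01' } } };

function demo() {
  return validateJson(expectedResponse, actualResponse, ['data.me.id']);
}

// In a Postman test script the same helper would be used as:
//   const diffs = validateJson(expected, pm.response.json(), ['data.me.id']);
//   pm.test('response matches expected shape', () => pm.expect(diffs, diffs.join('; ')).to.be.empty);
```

Returning the list of differences instead of failing on the first one gives a single test failure that names every mismatched path, which is much quicker to read in Newman's console output than a chain of separate assertions.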
For that you need to export the collection and the variables and use the exported data in headless
Newman is a CLI runner for Postman collections. You can find it on GitHub.
npm install -g newman
Run the test collection from the console (terminal):
(We use the --insecure flag because we use untrusted developer certificates.)
This is an example of the output:
The demo application uses Nuke for build automation.
Nuke is a console application that contains all build logic defined as Targets, and it allows you to run cross-platform and generate
Let us place Newman in front of the
To better understand what Target_E2E_Tests is, let us take a look at the whole pipeline and the dependencies between the different targets.
Targets define named operations with specific actions.
You can find the full source code of the app, including identity, distributed logging, tracing and monitoring, in the open source
Newman sources sub-link (under the postman folder):