The `auth` fixture provides tools for creating test tokens, testing expiration, and validating scope enforcement.

## Why Test Authentication?

Authentication tests verify that your server:

- Rejects requests without valid tokens
- Accepts requests with valid tokens
- Enforces token expiration
- Validates token signatures
- Respects scope-based permissions

## Creating Test Tokens

The `auth` fixture generates real JWT tokens using RS256 signing.
### Token Options

| Option | Type | Required | Description |
|---|---|---|---|
| sub | string | Yes | Subject (user identifier) |
| scopes | string[] | No | OAuth scopes |
| email | string | No | Email claim |
| name | string | No | Name claim |
| claims | Record<string, unknown> | No | Additional custom claims |
| expiresIn | number | No | Token lifetime in seconds (default: 3600) |
### Custom Claims

Add any custom claims your server needs.

## Pre-built Test Users

The `auth` fixture includes pre-configured test users for common scenarios.
### User Definitions

| User | sub | Scopes |
|---|---|---|
| admin | test-admin | ['*'] (all scopes) |
| user | test-user | ['read', 'write'] |
| readOnly | test-readonly | ['read'] |
## Testing Token Expiration

### Expired Tokens

### Short-Lived Tokens

## Testing Invalid Tokens

### Invalid Signature

### Malformed Token

## Testing Scope Enforcement

### Scope-Based Access Control

### Testing Multiple Scopes
## JWKS Integration

For servers that verify tokens against JWKS endpoints.

## Testing Auth Modes

### Public Mode (No Auth)

### Orchestrated Mode (Auth Required)
## Real-World Examples

### Testing User Isolation

### Testing Admin Operations
## Best Practices

Do:

- Test both positive (valid token) and negative (invalid/expired) cases
- Test scope enforcement for all protected operations
- Use pre-built test users for common scenarios
- Clean up created clients after multi-user tests

Don't:

- Hard-code tokens in tests (always use `auth.createToken()`)
- Skip expiration testing
- Assume scopes are enforced without testing
- Forget to test anonymous access for public endpoints
## MockOAuthServer

For integration testing of OAuth flows, use `MockOAuthServer` from `@frontmcp/testing`. It provides a fully functional OAuth 2.1 server with PKCE support.

### Basic Usage

### MockOAuthServerOptions
| Option | Type | Default | Description |
|---|---|---|---|
| port | number | Random | Port to listen on |
| issuer | string | Auto | Issuer URL for tokens |
| debug | boolean | false | Enable debug logging |
| autoApprove | boolean | false | Auto-approve authorization requests |
| testUser | MockTestUser | - | User to return on authorization |
| clientId | string | - | Expected client ID for validation |
| clientSecret | string | - | Client secret (for confidential clients) |
| validRedirectUris | string[] | - | Allowed redirect URIs (supports wildcards) |
| accessTokenTtlSeconds | number | 3600 | Access token lifetime |
| refreshTokenTtlSeconds | number | 2592000 | Refresh token lifetime (30 days) |
### MockTestUser Interface

### MockOAuthServerInfo Interface

### Available Endpoints

| Endpoint | Method | Description |
|---|---|---|
| /.well-known/jwks.json | GET | Public signing keys |
| /.well-known/openid-configuration | GET | OIDC discovery document |
| /.well-known/oauth-authorization-server | GET | OAuth metadata |
| /oauth/authorize | GET | Authorization endpoint |
| /oauth/authorize/submit | POST | Authorization form submission |
| /oauth/token | POST | Token endpoint |
| /userinfo | GET | User info endpoint |
### Supported Grant Types

- authorization_code - Standard OAuth flow with PKCE
- refresh_token - Refresh token rotation
- anonymous - Issue anonymous tokens for testing
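To make the `MockOAuthServer` options and grant types above concrete, here is an added in-memory model of the three grants (authorization code with PKCE, refresh-token rotation, anonymous) together with the client-side PKCE step. It is illustration code written for this page, not the implementation of `MockOAuthServer`; the `ToyOAuthServer` and `makePkcePair` names are assumed, the access-token format is constructed, no HTTP is involved (the `authorize` and `token` methods stand in for the `/oauth/authorize` and `/oauth/token` endpoints with `autoApprove` on), and the wildcard semantics for `validRedirectUris` (`*` matches any run of characters) are an assumption, since the page only says wildcards are supported.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'crypto';

const b64url = (b: Buffer): string => b.toString('base64url');
const s256 = (verifier: string): string => b64url(createHash('sha256').update(verifier).digest());

// Client side of PKCE (RFC 7636, S256 method): random verifier, SHA-256 challenge.
export function makePkcePair(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32));
  return { verifier, challenge: s256(verifier) };
}

interface PendingCode { challenge: string; sub: string; clientId: string; redirectUri: string }
export interface TokenSet { access_token: string; refresh_token: string; token_type: 'Bearer'; expires_in: number }
export type TokenResponse = TokenSet | { error: string };

// Hypothetical in-memory stand-in for the mock server's authorize and token endpoints.
export class ToyOAuthServer {
  private codes = new Map<string, PendingCode>();     // one-time authorization codes
  private refreshTokens = new Map<string, string>();  // refresh token -> sub
  private clientId: string;
  private validRedirectUris: RegExp[];
  private accessTokenTtlSeconds: number;

  constructor(opts: { clientId: string; validRedirectUris: string[]; accessTokenTtlSeconds?: number }) {
    this.clientId = opts.clientId;
    this.accessTokenTtlSeconds = opts.accessTokenTtlSeconds ?? 3600;
    // Assumed wildcard semantics: '*' matches any run of characters, everything else is literal.
    this.validRedirectUris = opts.validRedirectUris.map(
      (p) => new RegExp('^' + p.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$'),
    );
  }

  // GET /oauth/authorize with autoApprove: validate client and redirect, remember the challenge, hand back a code.
  authorize(
    q: { client_id: string; redirect_uri: string; code_challenge?: string; code_challenge_method?: string },
    sub: string,
  ): { code: string } | { error: string } {
    if (q.client_id !== this.clientId) return { error: 'invalid_client' };
    if (!this.validRedirectUris.some((re) => re.test(q.redirect_uri))) return { error: 'invalid_redirect_uri' };
    // OAuth 2.1 makes PKCE mandatory and drops the 'plain' method.
    if (!q.code_challenge || q.code_challenge_method !== 'S256') return { error: 'invalid_request' };
    const code = b64url(randomBytes(24));
    this.codes.set(code, { challenge: q.code_challenge, sub, clientId: q.client_id, redirectUri: q.redirect_uri });
    return { code };
  }

  // POST /oauth/token covering the three grant types listed above.
  token(body: Record<string, string | undefined>): TokenResponse {
    switch (body.grant_type) {
      case 'authorization_code': {
        const code = body.code ?? '';
        const pending = this.codes.get(code);
        this.codes.delete(code); // single use, even when the exchange fails
        if (!pending) return { error: 'invalid_grant' };
        if (pending.clientId !== body.client_id || pending.redirectUri !== body.redirect_uri) return { error: 'invalid_grant' };
        const expected = Buffer.from(s256(body.code_verifier ?? ''));
        const stored = Buffer.from(pending.challenge);
        if (expected.length !== stored.length || !timingSafeEqual(expected, stored)) return { error: 'invalid_grant' };
        return this.issue(pending.sub);
      }
      case 'refresh_token': {
        const rt = body.refresh_token ?? '';
        const sub = this.refreshTokens.get(rt);
        if (!sub) return { error: 'invalid_grant' };
        this.refreshTokens.delete(rt); // rotation: the presented refresh token is retired
        return this.issue(sub);
      }
      case 'anonymous':
        return this.issue('anonymous');
      default:
        return { error: 'unsupported_grant_type' };
    }
  }

  private issue(sub: string): TokenSet {
    const refresh = b64url(randomBytes(32));
    this.refreshTokens.set(refresh, sub);
    // Opaque access token with a constructed format.
    return { access_token: `at-${sub}-${b64url(randomBytes(12))}`, refresh_token: refresh, token_type: 'Bearer', expires_in: this.accessTokenTtlSeconds };
  }
}

// Full happy path: client builds a PKCE pair, gets a code, exchanges it with the verifier.
export function runHappyPath(): TokenResponse {
  const server = new ToyOAuthServer({ clientId: 'test-client', validRedirectUris: ['http://localhost:*/callback'] });
  const pkce = makePkcePair();
  const redirect = 'http://localhost:3000/callback';
  const step = server.authorize({ client_id: 'test-client', redirect_uri: redirect, code_challenge: pkce.challenge, code_challenge_method: 'S256' }, 'test-user');
  if (!('code' in step)) return step;
  return server.token({ grant_type: 'authorization_code', code: step.code, client_id: 'test-client', redirect_uri: redirect, code_verifier: pkce.verifier });
}

console.log(runHappyPath());
```

The negative cases are the ones worth copying into a test suite: a replayed code, a wrong `code_verifier`, a `redirect_uri` outside the allow-list, the `plain` challenge method, and a refresh token presented twice must all be refused, and the server must refuse them without leaking which check failed beyond the standard `invalid_grant` / `invalid_request` error codes.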