mock-oauth

Generate fake OAuth access tokens/ID tokens that your resource server can accept.

Token generation

curl -X POST https://mock-oauth.arraybrook.com/oauth/token \
--data-raw '{
  "iss": "https://your-server.com",
  "aud": ["your-audience-1", "your-audience-2"],
  "scope": "scope1 scope2",
  "gty": "password",
  "email": "emaill@email.com", 
  "sub": "1234", 
  "name": "foo"
}'

It returns {"access_token":"***","id_token":"***","expires_in":3600,"token_type":"Bearer"}. Tokens always have a 1-hour TTL and cannot be refreshed.

The access token can include the iss, sub, aud, scope, gty, and azp claims. All of them are optional. iss defaults to "https://mock-oauth.arraybrook.com/" and aud defaults to ["com.arraybrook.mock-oauth"] if no value is provided. Other inputs are ignored.

Access token claims

The ID token can include the following claims: name, given_name, family_name, middle_name, nickname, preferred_username, profile, picture, website, email, email_verified, gender, birthdate, zoneinfo, locale, phone_number, phone_number_verified, address, updated_at, iss, sub, aud (the list of standard claims defined in the OpenID Connect specification). Other inputs are ignored.

ID token claims

Resource server integration

JSON Web Key Set (JWKS) URI is https://mock-oauth.arraybrook.com/.well-known/jwks.json.

This example shows how to integrate mock-oauth with Spring Framework.

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://your-server.com
          jwk-set-uri: https://mock-oauth.arraybrook.com/.well-known/jwks.json
          jws-algorithm: RS256
          audiences:
            - your-audience-1
            - your-audience-2
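
The configuration above asks the resource server to pin RS256 and to check the issuer and audiences. The sketch below is an added example, not code from the mock-oauth project, showing those checks by hand with Node's built-in crypto module. It assumes the token is a compact RS256 JWT with kid and exp set; the key pair, the kid "demo-key" and the signToken helper are constructed stand-ins for the service.

```javascript
// Added example (not project code): checks a resource server applies to a mock-oauth-style token.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Hypothetical stand-in for the issuer: signs a compact RS256 JWT.
function signToken(claims, privateKey, kid) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Resource-server side: pinned algorithm, JWKS lookup, signature, iss, aud, exp.
function verifyToken(token, jwks, { issuer, audiences, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = decode(parts[0]);
  // Pin the algorithm; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const ok = crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = decode(parts[1]);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = [].concat(claims.aud ?? []); // aud may be a string or an array
  if (!aud.some((a) => audiences.includes(a))) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample data: a throwaway key pair and the claims from the curl request.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key', use: 'sig' }] };
const iat = Math.floor(Date.now() / 1000);
const token = signToken({
  iss: 'https://your-server.com', aud: ['your-audience-1', 'your-audience-2'],
  scope: 'scope1 scope2', sub: '1234', iat, exp: iat + 3600, // 1-hour TTL
}, privateKey, 'demo-key');
const expected = { issuer: 'https://your-server.com', audiences: ['your-audience-1', 'your-audience-2'] };

console.log(verifyToken(token, jwks, expected).sub);
```

Because the service signs whatever claims the caller posts, passing these checks proves only that a mock-oauth key signed the token, not who the caller is.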

Deployment

You can simply use the version we have deployed. It is available at https://mock-oauth.arraybrook.com/.

Or you can deploy your own mock-oauth server from our source code. Since this is a Next.js project, any hosting service that supports Next.js should work. If no environment variables are set, it generates a new JWKS every time it restarts. Alternatively, you can set JWK_PUBLIC_KEY and JWK_PRIVATE_KEY so that the JWKS stays the same across restarts. The values for those variables can be generated with:

import { exportJWK, generateKeyPair } from 'jose'; // https://www.npmjs.com/package/jose

const { publicKey, privateKey } = await generateKeyPair('RS256', {
  modulusLength: 2048, // recommended key size
  extractable: true,
});

console.log(JSON.stringify(await exportJWK(publicKey)))  // JWK_PUBLIC_KEY
console.log(JSON.stringify(await exportJWK(privateKey))) // JWK_PRIVATE_KEY

Use cases

mock-oauth can be used for testing purposes.

mock-oauth can also be used for issuing temporary tokens for anonymous users.

License

MIT License. Source code at https://github.com/arraybrook/mock-oauth.