Learn the benefits of social authentication, how it works, and challenges Humanitec faced when implementing it with GitHub. In addition, find out why automation is a critical part of testing social authentication.
In this blog post, we’ll explore the practical usage of social authentication, how test automation can help, and the challenges Humanitec faced when implementing social authentication on the Humanitec Internal Developer Platform (IDP).
Social authentication is a popular feature in software development, and it could be a practical concept for your next project. With social authentication integration, a user receives a social login form from a third-party identity provider such as GitHub. The provider will handle the authentication and then allow access to their application. Using social authentication provides a variety of benefits to the software developer which include:
Increasing the number of registrations. Web Hosting Buzz found that 86% of users are bothered by needing to create a new account when accessing a website.
“In the same study, seventy-seven percent (77%) of respondents agreed that websites should offer social logins, and sixty percent (60%) of them agreed that companies offering social login are more up-to-date and innovative,” says Sean Si at SEO Hacker.
Making authentication easier. Using social authentication provides a one-click experience, making it easier for the user to access the application.
Automating email verification. When the social network has verified using an email address that it is a real user, the company / app provider (Humanitec) doesn't need to do that again.
Since the Humanitec IDP is a tool for developers, it made a lot of sense to implement a social authentication integration with GitHub. This allows the following Github social authentication benefits:
Social authentication allows end users to use another network authentication provider for these identities. In this scenario, the authentication process goes from the company website to the site entity provider. It confirms that the end user is already logged in and allows them to log in to the application, and this allows the company’s website to know the user is available and enables them to login.
Usually the login or registration to your application is quite crucial to you as a business. With the integration of social authentication you’re now relying on a third-party to ensure that your users can login or new users can register with your application.
Testing all possible user flows of social authentication should be very important to you. It would be better to continuously test those user flows with every change or update to your application. This is where test automation comes into the picture.
Test automation will allow a developer to run many tests per day without having to use a manual process. This reduces the risk of human error out of the process. Manual testing is time consuming and only scales with a number of testers. To be able to provide the best support to developers, is a matter of fast and concise feedback. Having existing application features covered by automated tests and then executing those tests as soon as a developer makes a change, makes it possible to provide feedback within seconds back to the developer. A developer can then directly react to this feedback while still being in the right context.
Since our IDP focuses on software development teams, the users need to be part of a GitHub organization account. We base our permission management on these GitHub organizations, so their code is shared in repositories across a GitHub organization and available through our IDP. However, there were three main challenges with testing GitHub social authentication:
In our end-to-end tests, we test things like:
This shows us if our IDP is reflecting these changes correctly. We like to run tests in parallel. Therefore we need to make sure not to use the same user twice in parallel running tests. Otherwise, there is a chance that two tests would make contradicting changes to the repositories in one GitHub account. Which would lead to failing tests and inconclusive test results. A solution to this would be storing the users in a database and then mark them as “in use” while one test is running.
Another challenge involves security constraints. When a user signs in for the first time from a different IP, GitHub requests a six-digit verification code. This code is sent out to the users email. The user is then required to enter the code into a form.
The solution to automate this security verification was to use Mailosaur for Python. Mailosaur is a service that allows the QA engineer capture and test emails programmatically. Mailosaur provides a REST API to fetch and read emails.
When testing the interactions between our IDP and a user’s Github account we need to be able to perform actions in GitHub test accounts to then verify if those actions are reflected correctly in our IDP. For this, we built test scripts based on the pip library pygithub. This allows us to use all functionality the Github API is providing from our test code written in Python.
In this blog post, we learned that integrating social authentication has many upsides. But trusting crucial user flows like login and registration to a third party is not without risk. This risk can be mitigated by implementing thought-out test automation. We learned how a social login works, how test automation can help, and the challenges Humanitec faced when automating tests to continuously verify the implementation of GitHub social authentication.