In this blog post, we’ll explore the practical usage of social authentication, how test automation can help, and the challenges Humanitec faced when implementing social authentication on the Humanitec Internal Developer Platform (IDP).
Why offer Social Authentication to your users
Social authentication is a popular feature in software development, and it could be a practical concept for your next project. With a social authentication integration, a user receives a login form from a third-party identity provider such as GitHub. The provider handles the authentication and then grants access to the application. Using social authentication provides a variety of benefits to the software developer, which include:
Increasing the number of registrations. Web Hosting Buzz found that 86% of users are bothered by needing to create a new account when accessing a website.
“In the same study, seventy-seven percent (77%) of respondents agreed that websites should offer social logins, and sixty percent (60%) of them agreed that companies offering social login are more up-to-date and innovative,” says Sean Si at SEO Hacker.
Making authentication easier. Using social authentication provides a one-click experience, making it easier for the user to access the application.
Automating email verification. When the social network has already verified that the email address belongs to a real user, the company or app provider (in this case Humanitec) doesn't need to do that again.
Why Humanitec chose to implement GitHub Social Authentication
Since the Humanitec IDP is a tool for developers, it made a lot of sense to implement a social authentication integration with GitHub. GitHub social authentication brings the following benefits:
- Using social authentication improves security, because the identity is managed by an external identity provider, and it makes it easier for users to log in: they use a platform they already trust, like GitHub.
- Once synced, the Humanitec platform makes it easy to select modules (i.e. GitHub repositories) and displays them on the user interface. You can learn more about this in the Get Started section of the documentation. Once the user grants access, they can see all their repositories in the Humanitec platform.
How does a social login work?
Social authentication allows end users to use another network's authentication provider for their identities. In this scenario, the authentication process goes from the company website to the identity provider. The provider confirms that the end user is already logged in there and allows them to log in to the application; this lets the company's website know who the user is and enables them to log in.
Making sure your implementation of Social Authentication continues to work
Usually the login or registration to your application is quite crucial to you as a business. With the integration of social authentication you're now relying on a third party to ensure that your users can log in and new users can register with your application.
Testing all possible user flows of social authentication should therefore be very important to you, and ideally those user flows are tested continuously with every change or update to your application. This is where test automation comes into the picture.
How test automation can help
Test automation allows a developer to run many tests per day without a manual process, which removes the risk of human error. Manual testing is time consuming and only scales with the number of testers. Providing the best support to developers is a matter of fast and concise feedback. Having existing application features covered by automated tests, and executing those tests as soon as a developer makes a change, makes it possible to return feedback to the developer within seconds. The developer can then react to this feedback directly while still being in the right context.
Challenges with testing the implementation and solutions
Since our IDP focuses on software development teams, the users need to be part of a GitHub organization account. We base our permission management on these GitHub organizations, so the code shared in repositories across a GitHub organization is available through our IDP. However, there were three main challenges with testing GitHub social authentication:
1. Parallel test runs should not use the same GitHub user
In our end-to-end tests, we test things like:
- adding new repositories
- changing code
- creating new Git tags
This shows us whether our IDP reflects these changes correctly. We like to run tests in parallel, so we need to make sure not to use the same user twice in tests that run concurrently. Otherwise, there is a chance that two tests make contradicting changes to the repositories of one GitHub account, which would lead to failing tests and inconclusive results. A solution to this is storing the users in a database and marking a user as "in use" while a test is running with it.
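One way to implement the "in use" bookkeeping described above, as an added example that is not Humanitec's code: the test users live in a SQLite table shared by all test runners, and a single UPDATE with a subquery claims a free user atomically, so two parallel runs can never end up with the same GitHub account. The logins are constructed placeholders.

```python
"""Reserve one GitHub test user per parallel end-to-end run (added example,
not Humanitec's code). Assumes all runners share one SQLite file (":memory:"
here); one UPDATE with a subquery claims a free user atomically."""
import sqlite3
import uuid
from contextlib import contextmanager

# Constructed placeholder logins of dedicated GitHub test accounts.
TEST_USERS = ["e2e-user-01", "e2e-user-02", "e2e-user-03"]


def open_pool(path=":memory:", logins=TEST_USERS):
    """Open the pool database and seed it with the known test users."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    conn.execute("CREATE TABLE IF NOT EXISTS test_users (login TEXT PRIMARY KEY,"
                 " in_use INTEGER NOT NULL DEFAULT 0, claim_token TEXT)")
    conn.executemany("INSERT OR IGNORE INTO test_users(login) VALUES (?)",
                     [(login,) for login in logins])
    return conn


def claim_user(conn):
    """Mark one free user as in use; return (login, token) or None."""
    token = uuid.uuid4().hex  # unique per claim, used to find our own row
    # A single statement: SQLite executes it atomically against other writers.
    conn.execute("UPDATE test_users SET in_use = 1, claim_token = ? WHERE login ="
                 " (SELECT login FROM test_users WHERE in_use = 0"
                 " ORDER BY login LIMIT 1)", (token,))
    row = conn.execute("SELECT login FROM test_users WHERE claim_token = ?",
                       (token,)).fetchone()
    return (row[0], token) if row else None


def release_user(conn, token):
    """Free the user claimed with this token so another run may take it."""
    conn.execute("UPDATE test_users SET in_use = 0, claim_token = NULL"
                 " WHERE claim_token = ?", (token,))


@contextmanager
def reserved_user(conn):
    """Yield a reserved login for the test body and release it afterwards."""
    claimed = claim_user(conn)
    if claimed is None:
        raise RuntimeError("no free GitHub test user: lower test parallelism")
    login, token = claimed
    try:
        yield login
    finally:
        release_user(conn, token)
```

A test fixture wraps its body in `reserved_user(conn)`; if the pool is exhausted the run fails fast instead of silently sharing an account.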
2. GitHub security verifications
Another challenge involves security constraints. When a user signs in for the first time from a different IP address, GitHub requests a six-digit verification code. This code is sent to the user's email, and the user is then required to enter it into a form.
The solution to automate this security verification was to use Mailosaur for Python. Mailosaur is a service that allows the QA engineer to capture and test emails programmatically, and it provides a REST API to fetch and read emails.
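The part of this step that is easy to get wrong is picking the right email: with several test users and repeated runs, an inbox may still hold an old code. The added example below (not Humanitec's code) shows that filtering; the `fetch` callable stands in for the Mailosaur API and returns constructed messages, and the subject and body wording is constructed rather than GitHub's actual template.

```python
"""Pick the GitHub device-verification code out of a test user's inbox
(added example, not Humanitec's code). The fetcher stands in for Mailosaur's
API; messages are filtered by recipient and arrival time so stale codes are ignored."""
import re
import time
from dataclasses import dataclass

CODE_RE = re.compile(r"\b(\d{6})\b")  # GitHub codes are six digits


@dataclass
class Message:
    to: str
    received: float  # arrival time, epoch seconds
    subject: str
    body: str


# Constructed inbox: a stale code for user 01, another user's code, a fresh one.
SAMPLE_INBOX = [
    Message("e2e-user-01@example.test", 1_700_000_000,
            "Please verify your device", "Verification code: 123456"),
    Message("e2e-user-02@example.test", 1_700_000_100,
            "Please verify your device", "Verification code: 222222"),
    Message("e2e-user-01@example.test", 1_700_000_200,
            "Please verify your device", "Verification code: 654321"),
]


def extract_code(text):
    """Return the first six-digit token in the body, or None."""
    match = CODE_RE.search(text)
    return match.group(1) if match else None


def wait_for_code(fetch, to, not_before, timeout=60.0, poll=2.0):
    """Poll fetch() for a verification mail to `to` newer than `not_before`."""
    deadline = time.monotonic() + timeout
    while True:
        fresh = [m for m in fetch()
                 if m.to == to and m.received > not_before
                 and "verify" in m.subject.lower()]
        if fresh:
            code = extract_code(max(fresh, key=lambda m: m.received).body)
            if code:
                return code
        if time.monotonic() >= deadline:
            return None
        time.sleep(poll)  # give the mail service time to deliver
```

In a real run `not_before` is the timestamp taken just before the test submits the login form, which is what rules out codes from earlier runs.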
3. Being able to control the state of a GitHub user, organization, and its repositories
When testing the interactions between our IDP and a user's GitHub account, we need to be able to perform actions in GitHub test accounts and then verify whether those actions are reflected correctly in our IDP. For this, we built test scripts based on the PyGithub library (installed via pip). This allows us to use all functionality the GitHub API provides from our test code written in Python.
In this blog post, we learned that integrating social authentication has many upsides. But trusting crucial user flows like login and registration to a third party is not without risk. This risk can be mitigated by implementing well-thought-out test automation. We learned how a social login works, how test automation can help, and the challenges Humanitec faced when automating tests to continuously verify the implementation of GitHub social authentication.