From ccfcf9f13907bb91be5887f4a50bf1e1451da4e6 Mon Sep 17 00:00:00 2001 From: Brian Demers Date: Fri, 21 Apr 2017 09:48:22 -0400 Subject: [PATCH 1/4] Hacking up some changes to the TCK for Okta Support --- .../com/stormpath/tck/AbstractIT.groovy | 1 + .../tck/authentication/CookieIT.groovy | 42 ++++++++----- .../tck/forgot/ChangePasswordIT.groovy | 6 +- .../com/stormpath/tck/oauth2/Oauth2IT.groovy | 22 ++++--- .../com/stormpath/tck/util/EnvUtils.groovy | 2 + .../com/stormpath/tck/util/JwtUtils.groovy | 63 +++++++++++++++++-- 6 files changed, 104 insertions(+), 32 deletions(-) diff --git a/src/main/groovy/com/stormpath/tck/AbstractIT.groovy b/src/main/groovy/com/stormpath/tck/AbstractIT.groovy index dd08b96..1a2ae48 100644 --- a/src/main/groovy/com/stormpath/tck/AbstractIT.groovy +++ b/src/main/groovy/com/stormpath/tck/AbstractIT.groovy @@ -50,6 +50,7 @@ abstract class AbstractIT { static final private String webappUrlPortSuffix = toPortSuffix(webappUrlScheme, webappUrlPort) static final private String defaultWebappBaseUrl = "$webappUrlScheme://$webappUrlHost$webappUrlPortSuffix" static final String webappBaseUrl = getVal("STORMPATH_TCK_WEBAPP_URL", defaultWebappBaseUrl) + static final String fromEmailDomain = getVal("STORMPATH_TCK_EMAIL_DOMAIN", "stormpath.com") static final private List possibleCSRFKeys = ['_csrf', 'csrfToken', 'authenticity_token', 'st'] diff --git a/src/main/groovy/com/stormpath/tck/authentication/CookieIT.groovy b/src/main/groovy/com/stormpath/tck/authentication/CookieIT.groovy index ecf11a1..7b8a99b 100644 --- a/src/main/groovy/com/stormpath/tck/authentication/CookieIT.groovy +++ b/src/main/groovy/com/stormpath/tck/authentication/CookieIT.groovy @@ -30,6 +30,7 @@ import static com.stormpath.tck.util.TestAccount.Mode.WITHOUT_DISPOSABLE_EMAIL import static org.hamcrest.Matchers.is import static org.hamcrest.Matchers.not import static org.testng.Assert.assertEquals +import static org.testng.Assert.assertNotNull import static org.testng.Assert.assertTrue class CookieIT extends AbstractIT { @@ -68,8 +69,14 @@ class CookieIT extends AbstractIT { .extract() .response() - assertTrue(isCookieDeleted(response.detailedCookies.get("access_token"))) - assertTrue(isCookieDeleted(response.detailedCookies.get("refresh_token"))) + def accessTokenCookie = response.detailedCookies.get("access_token") + def refreshTokenCookie = response.detailedCookies.get("refresh_token") + + assertNotNull(accessTokenCookie, "Cookie 'access_token'") + assertNotNull(refreshTokenCookie, "Cookie 'refresh_token") + + assertTrue(isCookieDeleted(accessTokenCookie)) + assertTrue(isCookieDeleted(refreshTokenCookie)) } /** Reject unauthorized text/html requests with 302 to login route @@ -105,18 +112,18 @@ class CookieIT extends AbstractIT { saveCSRFAndCookies(LoginRoute) def requestSpecification = given() - .accept(ContentType.JSON) - .contentType(ContentType.JSON) - .body([ "login": account.email, "password": account.password ]) + .accept(ContentType.JSON) + .contentType(ContentType.JSON) + .body(["login": account.email, "password": account.password]) setCSRFAndCookies(requestSpecification, ContentType.JSON); def response = requestSpecification - .when() + .when() .post(LoginRoute) - .then() + .then() .statusCode(200) - .extract() + .extract() .response() def now = new Date().time @@ -127,16 +134,21 @@ class CookieIT extends AbstractIT { if (accessTokenCookie.expiryDate) { assertEquals accessTokenCookie.expiryDate.time, accessTokenTtl } else { - assertTrue accessTokenCookie.maxAge * 1000L + now - accessTokenTtl < 2000 + assertTrue accessTokenCookie.maxAge * 1000L + now - accessTokenTtl < 2000 } def refreshTokenCookie = response.detailedCookies.get("refresh_token") - def refreshTokenTtl = JwtUtils.parseJwt(refreshTokenCookie.value).getBody().getExpiration().time - // some integrations use max-age and some use expires - if (refreshTokenCookie.expiryDate) { - assertEquals refreshTokenCookie.expiryDate.time, refreshTokenTtl - } else { - assertTrue refreshTokenCookie.maxAge * 1000L + now - refreshTokenTtl < 2000 + assertNotNull(refreshTokenCookie) + + // Okta does NOT use a JWT for the refresh token + if (refreshTokenCookie.getValue().split("\\.").length == 3) { + def refreshTokenTtl = JwtUtils.parseJwt(refreshTokenCookie.value).getBody().getExpiration().time + // some integrations use max-age and some use expires + if (refreshTokenCookie.expiryDate) { + assertEquals refreshTokenCookie.expiryDate.time, refreshTokenTtl + } else { + assertTrue refreshTokenCookie.maxAge * 1000L + now - refreshTokenTtl < 2000 + } } } diff --git a/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy b/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy index 80c2bb0..ae66cd8 100644 --- a/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy +++ b/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy @@ -194,8 +194,7 @@ class ChangePasswordIT extends AbstractIT { .then() .statusCode(200) - // TODO - will need to make this configurable for Okta - String rawChangePasswordEmail = account.getEmail("stormpath.com") + String rawChangePasswordEmail = account.getEmail(fromEmailDomain) String changePasswordHref = StringUtils.extractChangePasswordHref(rawChangePasswordEmail, "sptoken") def response = given() @@ -235,8 +234,7 @@ class ChangePasswordIT extends AbstractIT { .then() .statusCode(200) - // TODO - will need to make this configurable for Okta - String rawChangePasswordEmail = account.getEmail("stormpath.com") + String rawChangePasswordEmail = account.getEmail(fromEmailDomain) String changePasswordHref = StringUtils.extractChangePasswordHref(rawChangePasswordEmail, "sptoken") String sptoken = StringUtils.extractTokenFromHref(changePasswordHref, "sptoken") diff --git a/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy b/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy index 8b9e959..b9686c6 100644 --- a/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy +++ b/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy @@ -32,8 +32,7 @@ import static org.hamcrest.Matchers.is import static org.hamcrest.Matchers.isEmptyOrNullString import static org.hamcrest.Matchers.not import static org.hamcrest.Matchers.nullValue -import static org.testng.Assert.assertNotEquals -import static org.testng.Assert.assertTrue +import static org.testng.Assert.* class Oauth2IT extends AbstractIT { @@ -128,7 +127,7 @@ class Oauth2IT extends AbstractIT { .extract() .path("access_token") - assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.href) + assertTrue isAccountSubInClaim(account, accessToken) } /** Password grant flow with username/password and access_token cookie present @@ -142,6 +141,8 @@ class Oauth2IT extends AbstractIT { def account = createTestAccount() def cookies = createSession(account) + // UGGGG + // @formatter:off String accessToken = given() @@ -153,10 +154,10 @@ class Oauth2IT extends AbstractIT { .post(OauthRoute) .then() .spec(JsonResponseSpec.validAccessAndRefreshTokens()) - .extract() + .extract() .path("access_token") // @formatter:on - assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.href) + assertTrue isAccountSubInClaim(account, accessToken) } /** Password grant flow with email/password @@ -178,7 +179,7 @@ class Oauth2IT extends AbstractIT { .extract() .path("access_token") - assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.href) + assertTrue isAccountSubInClaim(account, accessToken) } /** Refresh grant flow @@ -215,7 +216,7 @@ class Oauth2IT extends AbstractIT { .path("access_token") assertNotEquals(accessToken, newAccessToken, "The new access token should not equal to the old access token") - assertTrue(JwtUtils.extractJwtClaim(accessToken, "sub") == account.href, "The access token should be a valid jwt for the test user") + assertTrue isAccountSubInClaim(account, accessToken) } /** Refresh grant flow should fail without valid refresh token @@ -310,7 +311,7 @@ class Oauth2IT extends AbstractIT { /** We shouldn't be able to use client credentials to get an access token without a API secret * @see #8 */ - @Test(groups=["v100", "json"]) + @Test(groups=["v100", "json", "client_credentials"]) void oauthClientCredentialsGrantFailsWithoutAPISecret() throws Exception { // Get API keys so we can use it for client credentials @@ -345,4 +346,9 @@ class Oauth2IT extends AbstractIT { .contentType(ContentType.JSON) .body("error", is("invalid_client")) } + + private boolean isAccountSubInClaim(def account, String jwt) { + def sub = JwtUtils.extractJwtClaim(jwt, "sub") + return account.href == sub || account.email == sub + } } diff --git a/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy b/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy index 4b20aae..ac90884 100644 --- a/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy +++ b/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy @@ -25,8 +25,10 @@ class EnvUtils { public static final String jwtSigningKey public static final String facebookClientId public static final String facebookClientSecret + public static final boolean jwtValidationEnabled static { + jwtValidationEnabled = getVal("STORMPATH_TCK_VALIDATE_JWT", "true").toBoolean() jwtSigningKey = getVal("JWT_SIGNING_KEY") facebookClientId = getVal("FACEBOOK_CLIENT_ID") facebookClientSecret = getVal("FACEBOOK_CLIENT_SECRET") diff --git a/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy b/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy index 7b5ff30..520b889 100644 --- a/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy +++ b/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy @@ -17,18 +17,71 @@ package com.stormpath.tck.util import io.jsonwebtoken.Claims import io.jsonwebtoken.Jws +import io.jsonwebtoken.JwsHeader import io.jsonwebtoken.Jwts +import io.jsonwebtoken.SignatureAlgorithm +import io.jsonwebtoken.SigningKeyResolver +import io.jsonwebtoken.impl.DefaultJwtParser +import io.jsonwebtoken.impl.crypto.JwtSignatureValidator + +import java.security.Key class JwtUtils { + + static String extractJwtClaim(String jwt, String property) { - String secret = EnvUtils.jwtSigningKey - Claims claims = Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(jwt).getBody() - return (String) claims.get(property) + return parseJwt(jwt).getBody().get(property) } static Jws parseJwt(String jwt) { - String secret = EnvUtils.jwtSigningKey - return Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(jwt) + + if (EnvUtils.jwtValidationEnabled) { + String secret = EnvUtils.jwtSigningKey + return Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(jwt) + } + else { + return parseJwtWithoutValidation(jwt) + } + } + + private static Jws parseJwtWithoutValidation(String jwt) { + return new DefaultJwtParser() { + protected JwtSignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key) { + return new JwtSignatureValidator() { + @Override + boolean isValid(String jwtWithoutSignature, String base64UrlEncodedSignature) { + return true + } + } + } + }.setSigningKeyResolver(new SigningKeyResolver() { + @Override + Key resolveSigningKey(JwsHeader header, Claims claims) { + return new DummyKey() + } + + @Override + Key resolveSigningKey(JwsHeader header, String plaintext) { + return new DummyKey() + } + }).parseClaimsJws(jwt) + } + + static class DummyKey implements Key { + @Override + String getAlgorithm() { + return null + } + + @Override + String getFormat() { + return null + } + + @Override + byte[] getEncoded() { + return new byte[0] + } } } From fa90553d734d1eed446399e3b1dbcec57aa32ff5 Mon Sep 17 00:00:00 2001 From: Brian Demers Date: Fri, 21 Apr 2017 14:09:03 -0400 Subject: [PATCH 2/4] Added a URL JWT key resolver to validate keys found on a OIDC keys endpoint --- README.md | 6 ++ .../com/stormpath/tck/util/EnvUtils.groovy | 11 ++- .../com/stormpath/tck/util/JwtUtils.groovy | 87 +++++++++++-------- 3 files changed, 65 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index 2a0e55e..be30cfd 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,12 @@ Once your web app is running, you can run the TCK against this webapp: FACEBOOK_CLIENT_SECRET= \ mvn clean -Prun-ITs verify +**NOTE:** If you are running against in Okta application you will need to include the following environment variables: + + STORMPATH_TCK_VALIDATE_JWT_URL=https://dev-123456.oktapreview.com/oauth2//v1/keys + STORMPATH_TCK_EMAIL_DOMAIN= + + This will run all tests against the targeted webapp. NOTE: The 3 environment variables shown above are *required* in order to run the TCK. diff --git a/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy b/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy index ac90884..d38ca83 100644 --- a/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy +++ b/src/main/groovy/com/stormpath/tck/util/EnvUtils.groovy @@ -25,15 +25,20 @@ class EnvUtils { public static final String jwtSigningKey public static final String facebookClientId public static final String facebookClientSecret - public static final boolean jwtValidationEnabled + public static final String jwtSigningKeysUrl static { - jwtValidationEnabled = getVal("STORMPATH_TCK_VALIDATE_JWT", "true").toBoolean() + jwtSigningKeysUrl = getVal("STORMPATH_TCK_VALIDATE_JWT_URL") jwtSigningKey = getVal("JWT_SIGNING_KEY") facebookClientId = getVal("FACEBOOK_CLIENT_ID") facebookClientSecret = getVal("FACEBOOK_CLIENT_SECRET") + + if (jwtSigningKeysUrl == null && jwtSigningKey == null) { + fail("One of JWT_SIGNING_KEY or STORMPATH_TCK_VALIDATE_JWT_URL environment variables is required") + } + if (jwtSigningKey == null || facebookClientId == null || facebookClientSecret == null) { - fail("JWT_SIGNING_KEY, FACEBOOK_CLIENT_ID and FACEBOOK_CLIENT_SECRET environment variables are required") + fail("FACEBOOK_CLIENT_ID and FACEBOOK_CLIENT_SECRET environment variables are required") } } diff --git a/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy b/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy index 520b889..4a4d04e 100644 --- a/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy +++ b/src/main/groovy/com/stormpath/tck/util/JwtUtils.groovy @@ -15,16 +15,20 @@ */ package com.stormpath.tck.util +import groovy.json.JsonSlurper import io.jsonwebtoken.Claims import io.jsonwebtoken.Jws import io.jsonwebtoken.JwsHeader import io.jsonwebtoken.Jwts -import io.jsonwebtoken.SignatureAlgorithm import io.jsonwebtoken.SigningKeyResolver -import io.jsonwebtoken.impl.DefaultJwtParser -import io.jsonwebtoken.impl.crypto.JwtSignatureValidator +import io.jsonwebtoken.lang.Assert +import org.apache.commons.codec.binary.Base64 import java.security.Key +import java.security.KeyFactory +import java.security.NoSuchAlgorithmException +import java.security.spec.InvalidKeySpecException +import java.security.spec.RSAPublicKeySpec class JwtUtils { @@ -36,52 +40,63 @@ class JwtUtils { static Jws parseJwt(String jwt) { - if (EnvUtils.jwtValidationEnabled) { - String secret = EnvUtils.jwtSigningKey - return Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(jwt) + + if (EnvUtils.jwtSigningKeysUrl) { + return Jwts.parser().setSigningKeyResolver(new URLSigningKeyResolver(EnvUtils.jwtSigningKeysUrl)).parseClaimsJws(jwt) } else { - return parseJwtWithoutValidation(jwt) + String secret = EnvUtils.jwtSigningKey + return Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(jwt) } } - private static Jws parseJwtWithoutValidation(String jwt) { - return new DefaultJwtParser() { - protected JwtSignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key) { - return new JwtSignatureValidator() { - @Override - boolean isValid(String jwtWithoutSignature, String base64UrlEncodedSignature) { - return true - } - } - } - }.setSigningKeyResolver(new SigningKeyResolver() { - @Override - Key resolveSigningKey(JwsHeader header, Claims claims) { - return new DummyKey() - } + private static class URLSigningKeyResolver implements SigningKeyResolver { + def json - @Override - Key resolveSigningKey(JwsHeader header, String plaintext) { - return new DummyKey() - } - }).parseClaimsJws(jwt) - } + URLSigningKeyResolver(String keysUrl) { + def jsonSlurper = new JsonSlurper() + json = jsonSlurper.parse(new URL(keysUrl)) + } - static class DummyKey implements Key { @Override - String getAlgorithm() { - return null + Key resolveSigningKey(JwsHeader header, Claims claims) { + return getKey(header) } @Override - String getFormat() { - return null + Key resolveSigningKey(JwsHeader header, String plaintext) { + return getKey(header) } - @Override - byte[] getEncoded() { - return new byte[0] + private Key getKey(JwsHeader header) { + String keyId = header.getKeyId() + String keyAlgorithm = header.getAlgorithm() + + if (!"RS256".equals(keyAlgorithm)) { + throw new UnsupportedOperationException("Only 'RS256' key algorithm is supported.") + } + + def key = null + for (def keyElement : json.keys) { + if (keyId.equals(keyElement.kid)) { + key = keyElement + break + } + } + Assert.notNull(key, "Key with 'kid' of "+keyId+" could not be found.") + + try { + + BigInteger modulus = new BigInteger(1, Base64.decodeBase64(key.n)) + BigInteger publicExponent = new BigInteger(1, Base64.decodeBase64(key.e)) + return KeyFactory.getInstance("RSA").generatePublic( + new RSAPublicKeySpec(modulus, publicExponent)) + + } catch (NoSuchAlgorithmException e) { + throw new UnsupportedOperationException("Failed to load key Algorithm", e) + } catch (InvalidKeySpecException e) { + throw new UnsupportedOperationException("Failed to load key", e) + } } } } From 65adcedae96f12cd9c3732faa6fb5a7b900ac7ee Mon Sep 17 00:00:00 2001 From: Brian Demers Date: Fri, 21 Apr 2017 17:14:29 -0400 Subject: [PATCH 3/4] Add 1sec sleep between requests to support Okta rate limiting --- .../com/stormpath/tck/forgot/ChangePasswordIT.groovy | 9 +++++++++ src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy b/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy index ae66cd8..2991594 100644 --- a/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy +++ b/src/main/groovy/com/stormpath/tck/forgot/ChangePasswordIT.groovy @@ -197,6 +197,9 @@ class ChangePasswordIT extends AbstractIT { String rawChangePasswordEmail = account.getEmail(fromEmailDomain) String changePasswordHref = StringUtils.extractChangePasswordHref(rawChangePasswordEmail, "sptoken") + // sleep between requests okta rate limiting + Thread.sleep(1000) + def response = given() .accept(ContentType.HTML) .when() @@ -234,6 +237,9 @@ class ChangePasswordIT extends AbstractIT { .then() .statusCode(200) + // sleep between requests okta rate limiting + Thread.sleep(1000) + String rawChangePasswordEmail = account.getEmail(fromEmailDomain) String changePasswordHref = StringUtils.extractChangePasswordHref(rawChangePasswordEmail, "sptoken") String sptoken = StringUtils.extractTokenFromHref(changePasswordHref, "sptoken") @@ -250,6 +256,9 @@ class ChangePasswordIT extends AbstractIT { .statusCode(200) .body(isEmptyOrNullString()) + // sleep between requests okta rate limiting + Thread.sleep(1000) + // Verify that the password is now the new password through a login attempt / OAuth token request given() .param("grant_type", "password") diff --git a/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy b/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy index b9686c6..49e8209 100644 --- a/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy +++ b/src/main/groovy/com/stormpath/tck/oauth2/Oauth2IT.groovy @@ -141,7 +141,8 @@ class Oauth2IT extends AbstractIT { def account = createTestAccount() def cookies = createSession(account) - // UGGGG + // sleep between requests okta rate limiting + Thread.sleep(1000) // @formatter:off String accessToken = From b9098601f0105d10f51f40a148fe2284e8864139 Mon Sep 17 00:00:00 2001 From: Brian Demers Date: Tue, 25 Apr 2017 11:55:10 -0400 Subject: [PATCH 4/4] Exclude Facebook tests when NOT running against Stormpath MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is implemented with a new test group ‘stormpath_only’. We may want to enable this by default, currently that group is disabled by default --- pom.xml | 2 ++ .../com/stormpath/tck/login/FacebookSocialLoginIT.groovy | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 78e6f3b..98611c7 100644 --- a/pom.xml +++ b/pom.xml @@ -80,6 +80,7 @@ localhost 8080 v100,json,html + stormpath_only @@ -197,6 +198,7 @@ ${stormpath.tck.webapp.port} ${failsafe.groups} + ${failsafe.excludedGroups} diff --git a/src/main/groovy/com/stormpath/tck/login/FacebookSocialLoginIT.groovy b/src/main/groovy/com/stormpath/tck/login/FacebookSocialLoginIT.groovy index efbbe15..2aa3f16 100644 --- a/src/main/groovy/com/stormpath/tck/login/FacebookSocialLoginIT.groovy +++ b/src/main/groovy/com/stormpath/tck/login/FacebookSocialLoginIT.groovy @@ -62,7 +62,7 @@ class FacebookSocialLoginIT extends AbstractIT { * Attempts to login with the Facebook Access Token, and expects an account object back. * @throws Exception */ - @Test(groups = ["v100", "json"]) + @Test(groups = ["v100", "json", "stormpath_only"]) void loginWithValidFacebookAccessTokenSucceeds() throws Exception { def loginJSON = ["providerData": [ "providerId": "facebook", @@ -87,7 +87,7 @@ class FacebookSocialLoginIT extends AbstractIT { * Attempts to login with an invalid access token, and should fail. * @throws Exception */ - @Test(groups = ["v100", "json"]) + @Test(groups = ["v100", "json", "stormpath_only"]) void loginWithInvalidFacebookAccessTokenFails() throws Exception { def loginJSON = ["providerData": [ "providerId": "facebook", @@ -108,7 +108,7 @@ class FacebookSocialLoginIT extends AbstractIT { * Attempts to use grant_type=stormpath_social with the Facebook Access Token, and expects an access_token back. * @throws Exception */ - @Test(groups = ["v100", "json"]) + @Test(groups = ["v100", "json", "stormpath_only"]) void loginWithGrantTypeStormpathSocialSucceeds() throws Exception { given()