Ilesh Darji

Testing JWT, OAuth, and SSO Authentication with Cypress

Authentication flows in modern web apps are getting more complex — from JWT tokens to OAuth2 redirects to SSO logins. Testing these flows in Cypress requires different strategies based on how the authentication is implemented.

In this post, you’ll learn practical approaches to test JWT, OAuth, and SSO authentication securely and effectively with Cypress.

🔐 JWT Authentication (JSON Web Token)

JWT is widely used for token-based auth in SPAs. After login, a token is returned and stored in localStorage or cookies.

✅ Strategy: Simulate Login and Set Token

beforeEach(() => {
  cy.request('POST', '/api/login', {
    email: 'user@example.com',
    password: 'password123'
  }).then((response) => {
    window.localStorage.setItem('token', response.body.token)
  })
})

You can also stub token values if you don’t want to hit the backend:

beforeEach(() => {
  window.localStorage.setItem('token', 'mock-jwt-token')
})

🔐 OAuth2 Authentication

OAuth often involves redirecting users to an external provider like Google or GitHub, which complicates automated testing.

🛠 Strategy: Bypass OAuth Redirect

  1. Mock the final callback response
  2. Use cy.intercept() to fake the OAuth provider’s callback
cy.intercept('GET', '/auth/callback', {
  statusCode: 200,
  body: { token: 'fake-oauth-token' }
}).as('oauthCallback')

cy.visit('/auth/callback')
cy.wait('@oauthCallback')

🔐 SSO (Single Sign-On)

SSO combines multiple auth systems and often uses external login pages.

🧪 Strategy: Skip UI Login & Inject Session

SSO login flows can be bypassed in tests using backend stubs or token injection:

beforeEach(() => {
  cy.setCookie('sso_session', 'mock-session-id')
})

For enterprise apps, coordinate with backend teams to expose a test-only endpoint that sets auth cookies.

🧠 General Tips

  • Always test both success and failure cases
  • Avoid relying on third-party login pages in E2E tests
  • Use feature flags or mock auth in lower environments
  • Store secrets like tokens using Cypress.env() and CI secrets

🚀 Final Thoughts

While Cypress can’t fully emulate external auth redirects like a real user, you can still test your app’s behavior after authentication using token stubbing, request mocks, and session injection.

With the right approach, even the most complex auth flows can be automated safely and reliably.

Next in Series: Testing AI-Driven and Dynamic UI Applications with Cypress

March 24, 2025 cypress authentication jwt oauth sso testing