qa-auth-flows
Auth flow testing: 6 skills (auth0-tests, keycloak-tests, mfa-flow-test-author, oauth-flow-test-author, okta-tests, session-management-test-author) and 1 agent (token-storage-security-critic). Anchored on OAuth 2.0 / RFC 7636 PKCE / RFC 9700 / OWASP ASVS V3.
Install this plugin
/plugin install qa-auth-flows@testland-qa
Part of role bundle: qa-role-backend
Auth flow testing. Three per-IdP skill wrappers (Keycloak, Auth0, Okta) plus two build-an-X workflow skills (oauth-flow-test-author, session-management-test-author) that codify the IdP-independent patterns from RFC 6749 / RFC 7636 PKCE / RFC 9700 Security BCP / OWASP ASVS V3.
Auth flows are universal in B2B/B2C products and a high-defect surface. Pairs with qa-shift-left/threat-model-from-spec (planning) - this plugin covers the runtime validation.
Components
| Type | Name | Description |
|---|---|---|
| Agent | token-storage-security-critic | Adversarial critic: scans source for token-storage and session anti-patterns (localStorage/sessionStorage JWTs, missing httpOnly/Secure/SameSite, tokens in logs or URLs, missing rotation/expiry, JS-exposed refresh tokens); emits BLOCK / PASS |
| Skill | keycloak-tests | Testcontainers Keycloak; OIDC token endpoint; introspection; Admin REST API; UMA permission tickets |
| Skill | auth0-tests | Tenant strategy; Auth0 Deploy CLI for env parity; Action / Rules unit tests; mock OIDC server alternative |
| Skill | okta-tests | Org strategy; Terraform Okta provider for config parity; OIE workflows; SCIM provisioning; scoped API tokens |
| Skill | oauth-flow-test-author | Build-an-X for OAuth/OIDC: auth-code + PKCE (S256), state CSRF defense, refresh-token rotation + reuse detection, OIDC nonce, scope-grant verification, redirect-URI strict matching |
| Skill | session-management-test-author | Build-an-X for sessions per OWASP ASVS V3: cookie attrs, session-fixation defense, absolute + idle timeout, concurrent-session limits, server-side logout invalidation, CSRF, session binding |
| Skill | mfa-flow-test-author | MFA flow test authoring: TOTP (RFC 6238), HOTP, OTP, and WebAuthn/passkey via virtual authenticator |
Install
/plugin marketplace add testland/qa
/plugin install qa-auth-flows@testland-qa
Skills
auth0-tests
Authors tests against Auth0 - uses tenant isolation strategy (per-PR tenant or shared dev tenant with namespaced data); exercises Universal Login + auth-code-with-PKCE + client-credentials + RO-password (legacy) flows; tests Action scripts (Auth0's serverless extension hooks); tests Rules / Hooks (deprecated but still common); integrates with Auth0 Deploy CLI (`a0deploy`) for environment parity. Use when the user works with Auth0 SaaS and needs unit / integration tests for tenant config, auth flows, or Action scripts. Does not cover session lifecycle (refresh-token rotation, silent re-auth): use session-management-test-author for that. Differentiates from oauth-flow-test-author by Auth0-tenant specifics: Action scripts, Rules / Hooks, a0deploy config-drift, and Universal Login.
keycloak-tests
Authors and runs integration tests against Keycloak - uses Testcontainers Keycloak module to spin up an isolated server per test class, imports realm JSON for fixtures, exercises OIDC discovery / token endpoint / token introspection / admin REST API; tests password / authorization-code / client-credentials / token-exchange flows; covers UMA (User-Managed Access) permission tickets. Use when the user works with self-hosted Keycloak and needs unit / integration tests for realms, clients, users, or auth flows.
mfa-flow-test-author
Build-an-X workflow for authoring automated tests covering multi-factor authentication flows: TOTP (RFC 6238, deterministic codes from a known secret + fixed time), HOTP (RFC 4226, counter-based), SMS/email OTP, WebAuthn/passkey registration and authentication via Chrome DevTools Protocol virtual authenticator (WebAuthn L2 §11), recovery codes, MFA enrollment, and step-up authentication challenges. Use when the team needs end-to-end MFA test coverage beyond what oauth-flow-test-author covers, or when introducing a new second factor to an existing auth surface.
oauth-flow-test-author
Build-an-X for OAuth 2.0 / OIDC flow tests - authorization-code with PKCE per RFC 7636 (canonical for browser/native/mobile clients), client-credentials per RFC 6749 §1.3.4 (M2M), refresh-token rotation per RFC 9700 (token-binding + reuse-detection), state parameter for CSRF defense per RFC 6749 §10.12, nonce parameter for OIDC ID-token replay defense, scope-grant verification, redirect-URI strict matching. Use when authoring tests for any OAuth/OIDC client or resource server, regardless of the underlying IdP (Keycloak / Auth0 / Okta / mock).
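An added example (not the plugin's own code) of the two server-side checks this skill's tests exercise, RFC 7636 PKCE S256 verification and RFC 9700 refresh-token rotation with reuse detection, as an in-memory stand-in so the expected pass/fail behaviour is visible without any IdP; `MockAuthServer`, `s256_challenge` and `new_pkce_pair` are this example's own names.

```python
# Added example, not code from the qa-auth-flows plugin: an in-memory stand-in
# for RFC 7636 PKCE (S256) and RFC 9700 refresh-token rotation with reuse
# detection. Class and function names are this example's own.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> Tuple[str, str]:
    """Client side: a 43-char high-entropy verifier and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


class MockAuthServer:
    """Server side: codes are single-use and bound to a challenge; every refresh
    token belongs to a family, and presenting a rotated-out token revokes it."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, family)
        self._active: Dict[str, str] = {}             # live refresh token -> family
        self._used: Dict[str, str] = {}               # rotated-out token -> family
        self._revoked: Set[str] = set()

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, secrets.token_hex(8))
        return code

    def redeem_code(self, code: str, code_verifier: str) -> Optional[dict]:
        challenge, family = self._codes.pop(code, (None, None))  # single use, even on failure
        if challenge is None or not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return self._issue(family)

    def refresh(self, refresh_token: str) -> Optional[dict]:
        family = self._used.get(refresh_token)
        if family is not None:          # a rotated-out token came back: reuse detected
            self._revoked.add(family)   # kill every token descended from this grant
            return None
        family = self._active.pop(refresh_token, None)
        if family is None or family in self._revoked:
            return None
        self._used[refresh_token] = family
        return self._issue(family)

    def _issue(self, family: str) -> dict:
        refresh_token = secrets.token_urlsafe(24)
        self._active[refresh_token] = family
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": refresh_token}
```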
okta-tests
Authors tests against Okta - uses org-isolation strategy (per-PR org via Okta Developer Edition vs shared org with namespaced data); tests sign-in policy + MFA enforcement; exercises Okta Identity Engine (OIE) workflows including factor enrollment, recovery flows, and SCIM provisioning; tests scoped API tokens for least-privilege automation. Use when the user works with Okta as IdP and needs unit / integration tests for org config, sign-in policies, or OIE workflows.
session-management-test-author
Build-an-X for session management tests per OWASP ASVS V3 - cookie attribute coverage (Secure / HttpOnly / SameSite=Strict|Lax), session-fixation defense (regenerate session ID on login), absolute + idle timeout, concurrent-session limits, logout invalidation across devices, CSRF token handling, session-binding to TLS / IP / device fingerprint. Use when authoring tests for any web app's session layer, regardless of framework (Express session, Django sessions, Spring Security, ASP.NET, Rails, etc.).