Test security with JWT

[asvanberg]

New suggested tests; authorization decision based on incoming JWT in JWS format.

Potential validations;

• No JWT -> 401
• Invalid JWT -> 401
• Valid JWT but lacking certain claim -> 403
• Valid JWT with correct claim -> 200 with sub parameter returned
• All the different standard JWT claims like nbf, exp, and aud.

[Kaliumhexacyanoferrat]

Thanks for the proposal!

We thought about authentication before - what you are proposing is a mixture of validation (an extension to what we do in Http11Probe) and benchmarking. Implementations of JWT auth often require custom code in some frameworks so the results are questionable.

We will consider auth tests in the future but probably not as a first priority.