There's nothing that prohibits you from continuing to test a REST API manually when it uses OAuth authentication. OAuth simply requires that you send additional parameters: first that you negotiate the OAuth dance to get a request token and exchange it for an access token and then that each request has the necessary OAuth parameters (oauth_consumer_key, oauth_token, oauth_signature_method, oauth_signature, oauth_timestamp and oauth_nonce). You'd need to use a separate tool to do the signing (unless the product you're testing is willing to use PLAINTEXT as the signature method), but you could simply copy all of these values in manually to your current manual tool.
If that sounds like a lot of work, you're right! I think this is a good time to switch to automated testing. Libraries exist for most languages to consume OAuth services programmatically and that would handle all of those parameters and signing for you. You could build a generic tool that let a manual tester specify URLs and parameters by hand, or go farther and write something that did all the generation and validation automatically.
Update: for doing some exploratory testing from the command line, it would certainly be helpful to have a curl-like tool that handles some of the OAuth parameters and signing. Check out oauth-proxy which may work for you -- it's intended exactly for exploring APIs on the command line. Or you may find that for your particular explorations, you want to build a script around oauth-proxy or a tool on top of one of the many OAuth libraries for different languages.
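The signing step the answer says needs a separate tool, as an added example that is not part of the original answer: an OAuth 1.0 signer for HMAC-SHA1 and PLAINTEXT that produces the Authorization header value to paste into a manual client. The function names are this example's own, and it assumes all request parameters are in the query string (form-encoded body parameters are not handled).

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params):
    # Signature base string: METHOD & base URI & sorted, encoded parameters.
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host += f":{parts.port}"  # default ports are left out of the base URI
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(f"{scheme}://{host}{parts.path}"), enc(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    # The key is both secrets joined by "&". PLAINTEXT sends that key itself
    # as the signature, so the secrets travel with every request.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}"
    sig_method = oauth_params["oauth_signature_method"]
    if sig_method == "PLAINTEXT":
        return key
    if sig_method != "HMAC-SHA1":
        raise ValueError(f"unsupported signature method: {sig_method}")
    text = base_string(method, url, oauth_params)
    mac = hmac.new(key.encode(), text.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, oauth_params, consumer_secret, token_secret=""):
    # Header value with oauth_signature added to the other oauth_* parameters.
    sig = sign(method, url, oauth_params, consumer_secret, token_secret)
    signed = dict(oauth_params, oauth_signature=sig)
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(signed.items()))

# Sample request: the published example values from OAuth Core 1.0, Appendix A.
# For real requests, oauth_timestamp and oauth_nonce must be fresh each time.
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_SECRETS = ("kd94hf93k423kf44", "pfkkdhi9sl3r4s00")  # consumer, token
SAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(authorization_header("GET", SAMPLE_URL, SAMPLE_PARAMS, *SAMPLE_SECRETS))
```

If the server rejects a signature, comparing the output of `base_string` with the base string the server computed is usually the fastest way to find the mismatch.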