New in reflex-enterprise v0.9.1.

Testing Guarded Code

When the AuthPlugin is enabled, every non-exempt page, event handler, base field, and computed var is secure by default. The logic worth testing is usually the auth=<callable> authorization checks that decide who may see a value or run a handler.

Because a check is an ordinary function that takes a context object and returns a bool, you can test it directly with no network, IdP, or browser. Use a local mock provider when the OIDC wiring itself is under test.

A check is a function

An authorization check receives a single context object and returns a bool (or an awaitable of one). It reads the user's claims from ctx.auth_user_state.userinfo:

To test it, build a context around an AuthUserState carrying the claims for that case, and call the check. Set the claims on the private _userinfo attribute; the check reads them back through the public userinfo property:

The context classes are exported from reflex_enterprise.auth. Build the one that matches the guarded surface:

Context            Construct as
VarAuthContext     VarAuthContext(auth_user_state=user, field_or_var=None)
EventAuthContext   EventAuthContext(auth_user_state=user, event_handler=None, payload={})
PageAuthContext    PageAuthContext(auth_user_state=user)

A check typed with the AuthContext union works on any surface. Test it through the simplest matching context, usually VarAuthContext.

Async checks

Async checks are tested the same way. Pass the claims into the test context and await the check:

Use the mock IdP flow below when the OIDC wiring itself or live Reflex state is under test.
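
The direct-call testing pattern from the two sections above, as an added example that is not taken from the Reflex documentation. The AuthUserState and VarAuthContext classes here are stand-ins with the shape the page describes so the block runs without reflex-enterprise installed; is_admin, is_verified_admin, the "groups" and "email_verified" claim names, and the claim sets are assumptions constructed for illustration.

```python
import asyncio
from dataclasses import dataclass

# Stand-ins (assumptions) shaped like the objects described on the page,
# so this block runs without reflex-enterprise installed.
class AuthUserState:
    _userinfo = None

    @property
    def userinfo(self):
        return self._userinfo

@dataclass
class VarAuthContext:
    auth_user_state: AuthUserState
    field_or_var: object = None

def is_admin(ctx) -> bool:
    """Hypothetical check: allow only a list-valued groups claim containing 'admin'."""
    claims = ctx.auth_user_state.userinfo or {}
    groups = claims.get("groups")
    # Fail closed on a non-list claim: `"admin" in "sysadmin"` is True for a str.
    return isinstance(groups, list) and "admin" in groups

async def is_verified_admin(ctx) -> bool:
    """Hypothetical async check: admin group plus a boolean email_verified claim."""
    claims = ctx.auth_user_state.userinfo or {}
    return is_admin(ctx) and claims.get("email_verified") is True

def ctx_for(claims):
    """Set constructed claims on _userinfo; checks read them back via userinfo."""
    user = AuthUserState()
    user._userinfo = claims
    return VarAuthContext(auth_user_state=user, field_or_var=None)

# Constructed claim sets: one allow case and the deny cases worth pinning down.
CASES = [
    ({"groups": ["admin"]}, True),
    ({"groups": ["viewer"]}, False),
    ({"groups": "sysadmin"}, False),  # string claim must not substring-match
    ({}, False),                      # claim absent
    (None, False),                    # no userinfo at all
]

def run_cases():
    return [is_admin(ctx_for(claims)) == expected for claims, expected in CASES]

def run_async(claims):
    return asyncio.run(is_verified_admin(ctx_for(claims)))
```
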

End-to-end against a mock IdP

To exercise the OIDC flow, including the login redirect, /callback token exchange, JWKS validation, userinfo fetch, and async checks that touch real state, run the app against a local mock identity provider.

oidc-provider-mock is a small OIDC server that runs in-process. Add it as a dev dependency:

Run it on a background thread and point the OIDC_* env vars at it before the app starts. It accepts any client credentials by default and issues refresh tokens:

The login flow is browser-driven: redirects, cookies, and websocket state. Exercise it with AppHarness (from reflex.testing) and a browser driver such as Playwright. With the mock_idp fixture above active, drive the auth-specific steps and assert that a protected value is delivered:

The auth_app fixture starts your app under AppHarness with mock_idp active; page is the standard Playwright fixture. oidc-provider-mock also ships a CLI for standalone manual testing.