Scanning an API that uses OpenID Connect (which is built on OAuth 2.0) can be complicated by a number of factors.
In particular, it is common (and good practice) for the bearer token issued by an OpenID Connect provider to be valid for only a short period of time. Once the token has expired, it has to be refreshed with a refresh token, or the OpenID Connect flow has to be re-run to obtain a new, valid token. A scan that keeps sending the original token will start receiving 401 responses part-way through and stop exercising the authenticated surface of the API.
Mayhem for API does not handle this flow natively, but it is possible to implement it using a custom Request Rewrite plugin.
Request Rewrite plugins allow you to modify the requests generated by Mayhem for API before they are sent to your
Thanks to @Ross-ForAllSecure, on the Mayhem for API team, we have published an open-source example Request Rewrite plugin that you can use to handle OpenID Connect authentication when testing your API Targets.
The source and documentation are available on GitHub: