Authentication Testing

Configure AIPTx to test authenticated areas of your application.

Authentication Methods

Bearer Token

authentication:
  type: bearer
  token: "eyJhbGciOiJIUzI1NiIs..."

Basic Auth

authentication:
  type: basic
  username: "testuser"
  password: "${TEST_PASSWORD}"

Cookie

authentication:
  type: cookie
  cookies:
    session_id: "abc123"
    csrf_token: "xyz789"

Custom Headers

authentication:
  type: custom
  headers:
    Authorization: "Bearer ${TOKEN}"
    X-API-Key: "${API_KEY}"

Login Flow

authentication:
  type: login
  login_url: "https://app.example.com/api/auth/login"
  method: POST
  body:
    email: "${TEST_EMAIL}"
    password: "${TEST_PASSWORD}"
  success_indicator: "access_token"
  token_extraction:
    type: json
    path: "data.access_token"
  token_usage:
    header: "Authorization"
    prefix: "Bearer "
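
An added example, not AIPTx's own code, of what the login-flow keys above mean in practice: a small offline Python model that expands the ${VAR} placeholders, checks success_indicator, follows the json token_extraction path and builds the token_usage header. It assumes success_indicator is a substring match on the response body; the login response and the token value are constructed.

```python
# Added example, not AIPTx's own code: an offline model of the Login Flow config
# above. LOGIN_CONFIG mirrors that YAML; the response and token are constructed.
import json
import re

LOGIN_CONFIG = {
    "login_url": "https://app.example.com/api/auth/login",
    "method": "POST",
    "body": {"email": "${TEST_EMAIL}", "password": "${TEST_PASSWORD}"},
    "success_indicator": "access_token",
    "token_extraction": {"type": "json", "path": "data.access_token"},
    "token_usage": {"header": "Authorization", "prefix": "Bearer "},
}
# Constructed login response; "tok_EXAMPLE" is a placeholder, not a real token.
SAMPLE_LOGIN_RESPONSE = '{"data": {"access_token": "tok_EXAMPLE", "expires_in": 3600}}'

def resolve_placeholders(value, env):
    """Expand ${VAR} references from env; an unset variable is an error."""
    def lookup(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"{name} is referenced in the config but not set")
        return env[name]
    if isinstance(value, dict):
        return {k: resolve_placeholders(v, env) for k, v in value.items()}
    if isinstance(value, str):
        return re.sub(r"\$\{([A-Za-z0-9_]+)\}", lookup, value)
    return value

def extract_token(response_text, extraction):
    """Follow the dotted json path; None when a segment is missing."""
    if extraction["type"] != "json":
        raise ValueError("only the json extraction type is modelled here")
    node = json.loads(response_text)
    for key in extraction["path"].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None

def run_login(config, env, response_text):
    """Resolve secrets, check success, extract the token, build the header."""
    cfg = resolve_placeholders(config, env)
    if cfg["success_indicator"] not in response_text:
        raise RuntimeError("login failed: success_indicator absent from response")
    token = extract_token(response_text, cfg["token_extraction"])
    if token is None:
        raise RuntimeError("no token at " + cfg["token_extraction"]["path"])
    usage = cfg["token_usage"]
    return cfg["body"], {usage["header"]: usage["prefix"] + token}
```

The returned body is what would be POSTed to login_url, and the returned header dict is what every subsequent request would carry.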

Multi-User Testing

Test with different user roles:

authentication:
  users:
    - name: regular_user
      type: bearer
      token: "${USER_TOKEN}"
      roles: [user]

    - name: admin_user
      type: bearer
      token: "${ADMIN_TOKEN}"
      roles: [admin]

    - name: anonymous
      type: none

test_scenarios:
  - user: regular_user
    test: "Can access own resources"
  - user: admin_user
    test: "Can access admin endpoints"
  - user: anonymous
    test: "Cannot access protected endpoints"

Session Testing

Session Fixation

session_tests:
  fixation:
    enabled: true
    verify_regeneration: true

Session Timeout

session_tests:
  timeout:
    enabled: true
    expected_timeout: 3600  # seconds

OAuth/OIDC Testing

authentication:
  type: oauth2
  flow: authorization_code
  client_id: "${OAUTH_CLIENT_ID}"
  client_secret: "${OAUTH_CLIENT_SECRET}"
  token_url: "https://auth.example.com/oauth/token"
  authorize_url: "https://auth.example.com/oauth/authorize"
  scope: "read write"

JWT Configuration

jwt_testing:
  enabled: true
  tests:
    - algorithm_none
    - weak_secret
    - expired_token
    - missing_claims
  custom_claims:
    test_privilege_escalation: true