Mid OAuth Tester

My Company · Hybrid · Full-time

As a Mid OAuth Tester at My Company, you will be embedded within the Engineering department and serve as a dedicated quality authority for all identity and authorization workflows. You will design, execute, and maintain test strategies that verify the correctness, security, and performance of OAuth 2.0, OpenID Connect (OIDC), and related token-based authentication systems that power our products.

Your work directly influences the security posture of My Company's platform and the trust our customers place in us. You will collaborate closely with backend engineers, security architects, and product managers to identify vulnerabilities, edge cases, and compliance gaps before they reach production. Your findings will shape engineering decisions and drive measurable improvements in authorization reliability.

This is a hybrid, full-time position. You will operate with a high degree of autonomy, contribute to a culture of continuous quality improvement, and have clear pathways to grow into senior testing or security engineering roles as the team scales.

## Responsibilities

- Design, write, and execute manual and automated test cases covering OAuth 2.0 grant types (Authorization Code, Client Credentials, Device Code, PKCE, Implicit) and OIDC flows.
- Perform security-focused testing including token leakage analysis, redirect URI validation, scope enforcement, token expiry and revocation testing, and replay attack simulations.
- Develop and maintain automated test suites using tools such as Postman, Newman, REST Assured, or custom scripts integrated into CI/CD pipelines.
- Document detailed bug reports with reproducible steps, severity assessments, and recommended mitigations, then track issues through resolution in Jira or equivalent tooling.
- Collaborate with backend engineers during sprint planning and code reviews to identify testable acceptance criteria for OAuth-related features and fixes.
- Conduct regression testing after each release cycle to confirm that previously validated authorization flows remain intact and no regressions have been introduced.
- Participate in threat modeling sessions to proactively surface identity and access management risks specific to OAuth and OIDC implementations.
- Maintain living test documentation including test plans, test case libraries, traceability matrices, and post-release quality reports.
- Evaluate third-party identity providers (e.g., Auth0, Okta, Keycloak) during integration testing to ensure spec-compliant interoperability with My Company's authorization server.
- Contribute to internal knowledge sharing by writing runbooks, test strategy documents, and lunch-and-learn presentations on OAuth security testing best practices.

## Requirements

- 3–5 years of professional software testing or QA experience, with at least 2 years focused on API or security testing.
- Demonstrated hands-on experience testing OAuth 2.0 authorization flows and OpenID Connect protocols, including token introspection, refresh token handling, and JWTs.
- Proficiency with API testing tools such as Postman, Insomnia, or curl, and the ability to craft raw HTTP requests to simulate OAuth client behavior.
- Working knowledge of authentication security vulnerabilities such as CSRF on OAuth endpoints, open redirectors, insufficient scope validation, and token fixation attacks.
- Ability to read and interpret OAuth 2.0 (RFC 6749), PKCE (RFC 7636), and OIDC Core specifications to derive testable assertions.
- Experience writing and maintaining automated test scripts in at least one language (Python, JavaScript/TypeScript, or Java) within a CI/CD workflow (GitHub Actions, GitLab CI, or Jenkins).
- Familiarity with identity provider configuration and administrative consoles (Auth0, Okta, Keycloak, Azure AD, or similar).
- Strong written communication skills with the ability to produce clear, actionable defect reports and test summary documents for both technical and non-technical audiences.

## Nice to Have

- Relevant certifications such as ISTQB Advanced Level – Security Tester, CompTIA Security+, or Certified Ethical Hacker (CEH).
- Experience with SAML 2.0 and federated identity protocols, enabling cross-protocol comparison testing.
- Familiarity with OWASP Top 10 and OWASP API Security Top 10, particularly as they relate to broken authentication and broken object-level authorization.
- Exposure to performance and load testing of token issuance endpoints using tools such as k6, Locust, or JMeter.
- Prior experience in a remote-first engineering team with asynchronous collaboration practices using tools like Notion, Confluence, or Linear.
- Understanding of mTLS (Mutual TLS) and Demonstration of Proof-of-Possession (DPoP) as emerging OAuth security mechanisms.
- Contributions to open-source testing frameworks or public vulnerability disclosures related to identity and access management.

## Benefits

- Competitive base salary with an annual performance-based bonus program.
- Comprehensive health, dental, and vision insurance with premiums covered for employees and dependents.
- 401(k) retirement plan with company matching up to 4% of annual salary, vested immediately.
- Flexible PTO policy with a minimum encouraged usage of 15 days per year, plus 10 company-observed holidays.
- 16 weeks of fully paid parental leave for all parents, regardless of gender or family structure.
- $2,500 annual learning and development budget for conferences, certifications, courses, or technical books.
- Access to an Employee Assistance Program (EAP) providing mental health, financial, and legal support services.

Equal Employment Opportunity: My Company is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, age, genetic information, or any other characteristic protected by applicable federal, state, or local law.