Performance testing of OAuth 2.0 secured APIs using JMeter
- May 08, 2020
Introduction
There are two main keywords in the title of this tech article. One is OAuth 2.0, and the other is JMeter. Both terms are familiar, but here’s a refresher:
OAuth 2.0 — According to OAuth’s website, this protocol is not unlike the valet key many of today’s luxury cars come with. It’s a special key you give to parking attendants that, unlike your regular key, won’t allow the car to drive more than a mile or two. Some valet keys won’t open the trunk; others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key while using your regular key to unlock everything.
JMeter — This Apache project can be used as a load testing tool to analyze and measure the performance of a variety of services.
OAuth 2.0 Flow
This is the generic flow; it is the same irrespective of the Authorization Grant Type that has to be passed in the Authorization Grant request to obtain the access token.
Based on the flow, you can see that to call an OAuth 2.0 secured API, you first need to call the token URL to get the access token, and then use that access token to call the main API.
One way to do this is to obtain the access token with Postman and then paste that access token into the main API call implemented in JMeter. That takes extra manual effort, and because the token has to be refreshed by hand, it hampers the throughput JMeter can drive against the application.
Let’s see how to implement the API calls in JMeter and how the generated access token is used to call the main API.
JMeter configuration
- Create an HTTP request that corresponds to the API responsible for generating the OAuth Token
- Add an HTTP request element: Thread Group -> Add -> Sampler -> HTTP Request
- Extract the token value using one of two ways:
- Add ‘JSON Extractor’ (Add -> PostProcessors -> JSON Extractor) under the HTTP request. Use it to fetch dynamic access tokens coming from the response.
The configuration is shown below.
- Add ‘Regular Expression Extractor’ (Add -> PostProcessors -> Regular Expression Extractor) under the HTTP request. Use it to fetch the dynamic access token coming from the response.
The configuration is shown below.
This HTTP request calls the token API to get the access token.
This example uses the client credentials grant type. The details below show all the required parameters, including client_id, client_secret, grant_type and scope, that have to be passed with the request.
- Create another HTTP request to call the main API, passing the previously generated access_token from the prior HTTP request.
The configuration for this HTTP request is shown below.
To reuse the access_token extracted from the previous HTTP Request, use a BeanShell PreProcessor (Add -> PreProcessors -> BeanShell PreProcessor), as shown below. It adds a header named ‘Authorization’ to this request, with the value ‘Bearer ‘ + <<generated access token>>.
- Use CSV Data Set Config (Add -> Config Element -> CSV Data Set Config) to pass the payload in the request dynamically, as shown below.
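The BeanShell PreProcessor script for the Authorization header step, as an added example that is not part of the original article. It assumes the JSON Extractor on the token request stored the token in a JMeter variable named access_token (the article does not name the variable) and that this PreProcessor sits under the main API HTTP Request.

```java
import org.apache.jmeter.protocol.http.control.Header;
import org.apache.jmeter.protocol.http.control.HeaderManager;

// "access_token" is the assumed name of the variable filled by the JSON Extractor
// (JSON path $.access_token) on the HTTPRequestGenerateToken sampler.
String token = vars.get("access_token");

if (token == null || token.trim().length() == 0) {
    // A failed or empty token response would otherwise send "Bearer null" to the
    // main API and count as a successful sampler in the report. Stop this thread
    // instead so the failure is visible in the results.
    log.error("access_token is empty; token request failed, stopping thread");
    ctx.getThread().stop();
    return;
}

// Reuse the sampler's HeaderManager if a Header Manager element is attached,
// otherwise create one for this request.
HeaderManager hm = sampler.getHeaderManager();
if (hm == null) {
    hm = new HeaderManager();
    sampler.setHeaderManager(hm);
}

// Remove any Authorization header left from a previous iteration so that
// duplicate headers do not accumulate when the thread loops.
hm.removeHeaderNamed("Authorization");
hm.add(new Header("Authorization", "Bearer " + token));
```

Because the token is read on every iteration, a token that expires mid-run is picked up automatically as long as the token request runs in the same loop.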
Summary Report
With the number of threads set to one (shown below), the Summary Report shows one request each for HTTPRequestGenerateToken and the HTTPRequest Main call.
View Results Tree
The following two graphics show the response of the HTTPRequestGenerateToken call as it appears in the View Results Tree.
Response Header
Response Body
— By Peeyush Kandoi