Performance testing of OAuth 2.0 secured APIs using JMeter

  • May 08, 2020

Introduction

There are two main keywords in the title of this tech article. One is OAuth 2.0, and the other is JMeter. Both terms are familiar, but here’s a refresher:

OAuth 2.0 — According to OAuth’s website, this protocol is not unlike the valet key many of today’s luxury cars come with. It’s a special key you give to parking attendants that, unlike your regular key, won’t allow the car to drive more than a mile or two. Some valet keys won’t open the trunk; others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key while using your regular key to unlock everything.

JMeter — This Apache project can be used as a load testing tool to analyze and measure the performance of a variety of services.

OAuth 2.0 Flow

[Image: OAuth performance1]

This flow is the same for every authorization grant type; the grant type only changes what the client sends in the authorization grant request to obtain the access token.

Based on the flow, you can see that to call an OAuth 2.0 secured API, you first need to call the token URL to get the access token, and then use that access token to call the main API.

One way to do this is to obtain the access token manually (for example in Postman) and paste it into the main API call in JMeter. That works for a quick check, but it is a manual step every run, and the pasted token expires after its lifetime, so a longer load test starts failing with 401 responses part-way through. Better to have JMeter obtain the token itself.

Let’s see how to implement the API calls in JMeter and how the generated access token is used to call the main API.

JMeter configuration

  1. Create an HTTP request that corresponds to the API responsible for generating the OAuth Token
    1. Add an HTTP request element: Thread Group -> Add -> Sampler -> HTTP Request
    2. This HTTP request calls the token API to get the access token.

      [Image: OAuth performance2]

      This example uses the client credentials grant type. The token request carries grant_type=client_credentials, the optional scope, and the client's credentials (client_id and client_secret), either as form parameters or, preferably, in an HTTP Basic Authorization header. The client secret is a credential: use a dedicated test client with the minimum scope the API needs, and keep the secret out of the saved test plan by supplying it as a JMeter property on the command line rather than committing it to version control.

      [Image: OAuth performance3]
    3. Extract the token value using one of two ways:
      • Add ‘JSON Extractor’ (Add -> PostProcessors -> JSON Extractor) under the HTTP request. Use it to extract the access_token field from the JSON response body into a JMeter variable. This is the more robust option, because it parses the response as JSON rather than pattern-matching its text.

        The configuration is shown below.

        [Image: OAuth performance4]
      • Add ‘Regular Expression Extractor’ (Add -> PostProcessors -> Regular Expression Extractor) under the HTTP request. Use it to pull the access token out of the response text with a regular expression. Anchor the expression on the access_token key so it cannot accidentally capture another field such as refresh_token.

        The configuration is shown below.

        [Image: OAuth performance5]
  2. Create another HTTP request to call the main API, passing the previously generated access_token from the prior HTTP request.

    The configuration for this HTTP request is shown below.

    [Image: OAuth performance6]

    To use the access_token extracted from the previous HTTP Request, add a BeanShell PreProcessor (Add -> PreProcessors -> BeanShell PreProcessor) to this call, as shown below. It adds a header named ‘Authorization’ to the request, with the value ‘Bearer ’ + <<generated access token>>. The same header can be added without a script by an HTTP Header Manager whose Authorization value references the extracted variable; if you do script it, JMeter recommends the JSR223 PreProcessor with Groovy over BeanShell, which is slower and no longer the preferred engine.

    [Image: OAuth performance7]
  3. Use CSV DataSet Config (Add -> Config Element -> CSV DataSet Config) to read the request payload from a CSV file, so each iteration sends different data, as shown below.
    [Image: OAuth performance8]
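Putting steps 1 and 2 together: the following is an added example, not code from the article, that replaces the BeanShell PreProcessor with two JSR223 (Groovy) scripts and adds what a load test needs that a single-thread run does not: the token is cached per thread and only refreshed shortly before it expires, so the authorization server is not hit on every iteration. Section A goes under HTTPRequestGenerateToken as a JSR223 PostProcessor (it does the work of the JSON Extractor); section B goes under the main API sampler as a JSR223 PreProcessor. It assumes the token endpoint returns a JSON body containing access_token and expires_in, uses the JMeter variable names access_token and token_expires_at, and picks a 30-second refresh margin; all three are assumptions to adapt to your server.

```groovy
// Added example (not from the original article): JSR223 Groovy replacements for the
// BeanShell PreProcessor. Both sections are separate scripts; imports are collected here
// only so the listing is self-contained.
import groovy.json.JsonSlurper
import org.apache.jmeter.protocol.http.control.Header
import org.apache.jmeter.protocol.http.control.HeaderManager

// ---------- A: JSR223 PostProcessor under HTTPRequestGenerateToken ----------
// Assumption: the token response is JSON with "access_token" and "expires_in".
int refreshMargin = 30   // seconds of safety margin before expiry (assumed value)

if (prev.getResponseCode() != "200") {
    // Mark the token sampler failed so the report shows the real cause, not later 401s.
    log.error("Token request failed: HTTP " + prev.getResponseCode() + " " + prev.getResponseDataAsString())
    prev.setSuccessful(false)
} else {
    def body = new JsonSlurper().parseText(prev.getResponseDataAsString())
    // Equivalent of the JSON Extractor with JSON Path expression $.access_token
    String newToken = body.access_token
    if (!newToken) {
        log.error("Token response has no access_token field")
        prev.setSuccessful(false)
    } else {
        long lifetime = (body.expires_in ?: 3600) as long   // assume 1 h if expires_in is absent
        vars.put("access_token", newToken)
        vars.put("token_expires_at",
                 String.valueOf(System.currentTimeMillis() + (lifetime - refreshMargin) * 1000L))
        // Never log the token itself: JMeter logs routinely end up in CI artifacts.
        log.info("Token cached for thread " + ctx.getThreadNum() + ", valid " + lifetime + " s")
    }
}

// ---------- B: JSR223 PreProcessor under the main API sampler ----------
String cachedToken = vars.get("access_token")
if (cachedToken == null || cachedToken.isEmpty()) {
    // Fail fast instead of sending an unauthenticated request that pollutes the report with 401s.
    throw new IllegalStateException("No access_token in JMeter variables; did the token sampler run?")
}

HeaderManager hm = sampler.getHeaderManager()
if (hm == null) {
    hm = new HeaderManager()
    sampler.setHeaderManager(hm)
}
// Replace rather than append: the sampler object is reused across iterations within a thread,
// and two Authorization headers on one request is a bug many servers reject.
hm.removeHeaderNamed("Authorization")
hm.add(new Header("Authorization", "Bearer " + cachedToken))
```

To make the caching effective, wrap HTTPRequestGenerateToken in an If Controller whose condition is `${__groovy(vars.get("token_expires_at") == null || System.currentTimeMillis() >= vars.get("token_expires_at").toLong())}`, so the token endpoint is called only when a thread has no token or its cached one is about to expire. With that in place, the Summary Report counts mostly main API calls, which is what you are measuring; the token endpoint is exercised only as often as a real client would.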

Summary Report

After configuring the number of threads as one (shown below), you get one request each for HTTPRequestGenerateToken and HTTPRequest Main call. Note that with this plan every thread calls the token endpoint once per loop iteration, so when you raise the thread count the authorization server receives as much load as the API under test. To measure only the API, run the token sampler once per thread (for example under a Once Only Controller) or only when the cached token is about to expire.

[Image: OAuth performance9]

View Results Tree

The following two screenshots show the response headers and body of the HTTPRequestGenerateToken call as displayed in View Results Tree. The body contains the bearer token in clear text, so treat saved listener output and JMeter logs as sensitive and do not share them.

Response Header

[Image: OAuth performance10]

Response Body

[Image: OAuth performance11]

— By Peeyush Kandoi