Preparation of Software Performance/Load Test with Keycloak in Place

Okta "Oktushka" N.
Software Testing/QA
2 min read · Jun 20, 2020

A performance/load test with Keycloak as the authentication provider differs from one against conventional ‘username’ and ‘password’ authentication, because Keycloak expects additional variables/tokens when authenticating.

Pre-Requisites

In order to conduct a smooth load test, we must ensure the following Keycloak token parameters are set longer than the planned performance/load test duration. We can set these from Keycloak’s administration console: log in to the administration console, go to our realm, then to ‘Realm Settings’, and finally to the ‘Tokens’ tab:
1. SSO Session Max
2. Access Token Lifespan
3. Access Token Lifespan For Implicit Flow (in case Implicit Flow is used instead of the generally preferred Authorization Code flow); Authorization Code flow is appropriate for confidential client applications, while Implicit Flow suits public client applications better.

See the screenshot below, which depicts the token parameters menu.

Figure 1. ‘Tokens’ Menu

If our performance/load test script involves idle periods, then we must also set ‘SSO Session Idle’ to be longer than our longest idle time, so that the authentication will not expire in the middle of our load test.
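As an added example (not part of the original post), the script below checks the four realm settings above against a planned run before the test starts. It works on the fields of Keycloak’s RealmRepresentation, which the admin REST API returns from GET /admin/realms/{realm} with all lifespans in seconds; the sample realm, the base URL and the admin token are constructed placeholders.

```python
"""Check a Keycloak realm's token lifespans against a planned load-test run.

Added example, not code from the original post or from Keycloak. The realm
dictionary below is constructed for the demo; fetch_realm() shows how the same
data would be read from the admin REST API (base URL and token are placeholders).
"""
import json
import urllib.request

# RealmRepresentation field -> label shown on the 'Tokens' tab.
DURATION_CHECKS = {
    "ssoSessionMaxLifespan": "SSO Session Max",
    "accessTokenLifespan": "Access Token Lifespan",
}
IMPLICIT_FLOW_CHECK = ("accessTokenLifespanForImplicitFlow",
                       "Access Token Lifespan For Implicit Flow")


def find_short_lifespans(realm, test_duration_s, longest_idle_s=0,
                         uses_implicit_flow=False):
    """Return [(label, configured seconds, required seconds)] for every setting
    that is not longer than what the run needs. SSO Session Idle is compared
    against the longest idle pause in the script, not the whole duration."""
    checks = dict(DURATION_CHECKS)
    if uses_implicit_flow:          # only relevant for public clients on Implicit Flow
        checks[IMPLICIT_FLOW_CHECK[0]] = IMPLICIT_FLOW_CHECK[1]
    problems = []
    for field, label in checks.items():
        configured = int(realm.get(field, 0))
        if configured <= test_duration_s:
            problems.append((label, configured, test_duration_s))
    if longest_idle_s:
        idle = int(realm.get("ssoSessionIdleTimeout", 0))
        if idle <= longest_idle_s:
            problems.append(("SSO Session Idle", idle, longest_idle_s))
    return problems


def fetch_realm(base_url, realm_name, admin_token):
    """Read the RealmRepresentation over the admin REST API (not used by the
    offline demo). Assumes an admin access token was obtained beforehand."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm_name}",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample realm (seconds); values chosen to show both outcomes.
SAMPLE_REALM = {
    "realm": "master",
    "ssoSessionIdleTimeout": 1800,
    "ssoSessionMaxLifespan": 36000,
    "accessTokenLifespan": 300,
    "accessTokenLifespanForImplicitFlow": 900,
}

if __name__ == "__main__":
    # Planned run: a 2-hour test with a 45-minute idle pause in the script.
    for label, have, need in find_short_lifespans(SAMPLE_REALM, 2 * 3600, 45 * 60):
        print(f"{label}: configured {have}s, needs more than {need}s")
```

Lengthening these lifespans weakens session security for everyone in the realm, so apply them to a dedicated test realm and restore the previous values after the run.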

Browser Recording and Troubleshooting

I’ve found out that my initial plan to record browsing activities and save the cookies did not work properly, because the browsing recorder, be it JMeter or BlazeMeter, kept missing the two required tokens, although in the case of JMeter I had set ‘CookieManager.save.cookies=true’ inside the ‘user.properties’ file located under JMeter’s ‘bin’ folder. These missing tokens are ‘PHPSESSID’ and ‘s_[keycloak_realm_name]’; for example, if our realm name is ‘master’, then it would be ‘s_master’. ‘PHPSESSID’ is required if we use PHP to establish the user’s session.

We can catch the above missing tokens by using a proxy tool such as Burp Suite or OWASP ZAP. Launch the chosen proxy and browse to the target URL; the proxy will then record the login activity/request. In the proxy history, you can find the missing tokens inside the login/authentication request. See the screenshot below for an example using Burp Suite.

Figure 2. Catching Missing Tokens

After we catch the missing tokens and their values, we should add them to our load test script, e.g. as parameters of the request in our JMeter .jmx file. And voilà! Now we can run our load test script and stay authenticated during the test.
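To show the last two steps end to end, here is an added example (not from the original post, JMeter or Burp Suite): it parses a login request copied out of the proxy history, picks out ‘PHPSESSID’ and ‘s_[realm]’, and writes them into an HTTP Cookie Manager fragment that can be pasted into the .jmx plan. The captured request, host and cookie values are constructed; the element and property names in the generated XML are assumed to match the ‘CookieManager’ / ‘Cookie.*’ layout JMeter uses when it saves a plan, so compare the output with a Cookie Manager saved by your own JMeter version.

```python
"""Turn the session cookies from a proxy capture into a JMeter Cookie Manager.

Added example, not code from the original post, JMeter or Burp Suite. The
raw request below is constructed (fake host, fake cookie values). The XML
layout is assumed to match a saved .jmx HTTP Cookie Manager.
"""
import xml.etree.ElementTree as ET

# Constructed capture, as copied from a proxy history entry.
CAPTURED_REQUEST = (
    "POST /auth/realms/master/login-actions/authenticate HTTP/1.1\r\n"
    "Host: sso.example.test\r\n"
    "Cookie: PHPSESSID=3f9c1a7e2b; s_master=c0ffee1234; _ga=GA1.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=tester&password=...\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (request line, {header: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_cookies(raw):
    """Return {name: value} for every cookie in the request's Cookie header(s)."""
    _, headers = parse_request(raw)
    cookies = {}
    for header in headers.get("cookie", []):
        for part in header.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep:
                cookies[name] = value
    return cookies


def keycloak_session_cookies(cookies, realm):
    """Select PHPSESSID and s_<realm>; anything absent is reported, not invented."""
    wanted = ["PHPSESSID", f"s_{realm}"]
    found = {n: cookies[n] for n in wanted if n in cookies}
    missing = [n for n in wanted if n not in cookies]
    return found, missing


def cookie_manager_xml(cookies, domain, secure=True):
    """Build the <CookieManager> element that carries the cookies into the plan.
    Cookie.expires of 0 marks a session cookie, so it is not expired by JMeter."""
    mgr = ET.Element("CookieManager", guiclass="CookiePanel", testclass="CookieManager",
                     testname="HTTP Cookie Manager", enabled="true")
    coll = ET.SubElement(mgr, "collectionProp", name="CookieManager.cookies")
    for name, value in cookies.items():
        el = ET.SubElement(coll, "elementProp", name=name, elementType="Cookie", testname=name)
        ET.SubElement(el, "stringProp", name="Cookie.value").text = value
        ET.SubElement(el, "stringProp", name="Cookie.domain").text = domain
        ET.SubElement(el, "stringProp", name="Cookie.path").text = "/"
        ET.SubElement(el, "boolProp", name="Cookie.secure").text = "true" if secure else "false"
        ET.SubElement(el, "longProp", name="Cookie.expires").text = "0"
        ET.SubElement(el, "boolProp", name="Cookie.path_specified").text = "true"
        ET.SubElement(el, "boolProp", name="Cookie.domain_specified").text = "true"
    # Keep the cookies across loop iterations, or the session is lost after loop one.
    ET.SubElement(mgr, "boolProp", name="CookieManager.clearEachIteration").text = "false"
    ET.SubElement(mgr, "boolProp", name="CookieManager.controlledByThreadGroup").text = "false"
    return ET.tostring(mgr, encoding="unicode")


if __name__ == "__main__":
    _, headers = parse_request(CAPTURED_REQUEST)
    found, missing = keycloak_session_cookies(parse_cookies(CAPTURED_REQUEST), "master")
    if missing:
        print("not found in capture:", ", ".join(missing))
    print(cookie_manager_xml(found, headers["host"][0]))
```

The captured values are live session credentials for the test account, so keep the generated fragment out of version control and use a dedicated test user and realm for the run.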

SW QA, Internet of Things (IoT) Consultant, Solution Lead, TM Forum Associate. Worked at an IT firm in Melbourne. Got a PhD in IT from Universiti Teknologi PETRONAS.