Performance Testing of OAuth 2.0 authorization code secured APIs using JMeter

Rajeev Kalal
Published in Version 1, Oct 4, 2022

Apache JMeter is a Java application designed to test functional behaviour and measure performance. API authentication makes this more interesting, because the test plan needs scripts that obtain access tokens, which are then used to request resources from the APIs. The OAuth 2.0 authorization code grant type requires user-based authentication. This is achieved using Selenium, JavaScript and the WebDriver Sampler in JMeter.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework: a protocol that allows a user to grant a third-party website or application access to the user’s protected resources. It is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user without necessarily revealing the user’s long-term credentials or even their identity.

Prerequisites

  1. Basic knowledge of how JMeter works.
  2. Basic knowledge of Selenium WebDriver.
  3. The JDK is installed.
  4. The Selenium/WebDriver Support plugin is installed using the Plugins Manager in JMeter.
  5. Environment variables are set up.

How it Works

  1. The native app opens the authorization endpoint.
  2. A browser dialogue pops up asking for a username and password.
  3. The user enters the username and password.
  4. The authorization endpoint returns an authorization code.
  5. A request is sent to the token endpoint providing the authorization code, client id, scope and origin.
  6. The token endpoint returns an access token and a refresh token.
  7. Using this access token in the Authorization header, a request is made to the Web API.
  8. The Web API validates the token and returns secured data and resources to the app.

Authorization code flow

  1. Add a Thread Group under the Test Plan.
  2. Add a WebDriver Sampler.
  3. Add a Chrome Driver Config.
  4. Set the path to chromedriver.exe in the Chrome Driver Config.
  5. Add a View Results Tree.
  6. Add User Defined Variables from the Config Elements in JMeter.
  7. Add a Debug Sampler.

JMeter script to get the access token

  1. Put the code in the Script section of the WebDriver Sampler.
  2. In the script, the web driver opens the authorization endpoint URL.
  3. The script enters the username and clicks the next button.
  4. The script enters the password and clicks the sign-in button.
  5. The script clicks the yes button in the popup window.
  6. After the user authentication is complete, the function ‘allstorage()’ used in the script fetches the token storage value for the refresh token key from the browser’s local storage.
  7. The token storage value contains multiple data items in JSON format.
  8. Using the “JSON.parse” method, we fetch only the secret value from the JSON and save it in a variable called “refress_Token”.

HTTP request to get the access token

Create an HTTP POST request to the token endpoint URL as follows.

  1. Add the parameters ‘client_id’, ‘scope’, ‘grant_type’ and ‘refresh_token’; the refresh token value is the one retrieved by the WebDriver Sampler script above.
  2. Add an HTTP Header Manager with the Origin name and value to the get token request.
  3. Add a JSON Extractor to retrieve the access token from the JSON response of the get access token HTTP request.
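The token handling described in the two sections above, as an added example that is not the author's script: plain JavaScript, run here with Node.js, that pulls the `secret` out of a local-storage dump, form-encodes the token request, and redacts the token before logging. The storage keys, client id, scope and token values are constructed samples, and the function names are hypothetical.

```javascript
// Added example. The storage keys, field values and tokens below are
// constructed sample data, not values from the original script.
var SAMPLE_STORAGE = {
  'app.theme': 'dark', // unrelated entry, not JSON
  'sample-account-idtoken-client': '{"credentialType":"IdToken","secret":"id.sample"}',
  'sample-account-refreshtoken-client':
    '{"credentialType":"RefreshToken","clientId":"sample-client","secret":"rt.sample+/=value"}'
};

// Find the entry whose key marks it as the refresh token, parse its JSON value
// and return only the "secret" field. Returns null when nothing usable exists.
function extractRefreshToken(storage, keyMarker) {
  var keys = Object.keys(storage);
  for (var i = 0; i < keys.length; i++) {
    if (keys[i].toLowerCase().indexOf(keyMarker) === -1) continue;
    try {
      var entry = JSON.parse(storage[keys[i]]);
      if (entry && typeof entry.secret === 'string' && entry.secret !== '') {
        return entry.secret;
      }
    } catch (e) {
      // Value was not JSON: skip it rather than fail the sampler.
    }
  }
  return null;
}

// Form-encode the four parameters sent to the token endpoint.
function buildTokenRequestBody(clientId, scope, refreshToken) {
  var params = { client_id: clientId, scope: scope,
                 grant_type: 'refresh_token', refresh_token: refreshToken };
  return Object.keys(params).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(params[k]);
  }).join('&');
}

// Shorten a token for log output so results listeners never show it in full.
function redact(token) {
  return token ? token.slice(0, 4) + '...(' + token.length + ' chars)' : '(none)';
}

var refreshToken = extractRefreshToken(SAMPLE_STORAGE, 'refreshtoken');
var body = buildTokenRequestBody('sample-client', 'sample.read offline_access', refreshToken);
console.log('refresh token:', redact(refreshToken));
console.log('token request body:', body.replace(encodeURIComponent(refreshToken), '<redacted>'));
```

Redaction matters in a JMeter plan because the Debug Sampler shows JMeter variables and the View Results Tree shows request and response data in full, so saved results can contain live tokens.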

Send the Access token with API requests

  1. Create a new HTTP Request.
  2. Add the path, server name and request body.
  3. Add an HTTP Header Manager in the HTTP Request Sampler.
  4. In the HTTP Header Manager, add the Authorization header name and the value ‘Bearer ${access_token}’.
  5. Add the Origin header name and value.
  6. After sending the request, the API authenticates the token and returns secured data and resources to the app.

Conclusion

That’s it: these are the steps needed for performance testing of OAuth 2.0 authorization code secured APIs using JMeter.

About the author:

Rajeev Kalal is a Test Automation Consultant here at Version 1.
