Performance Testing on APIs Secured with OAuth 2.0 Client Credentials Grant Type Using JMeter

Rajeev Kalal (Version 1)
Sep 19, 2023


Overview

The client credentials grant type is a common OAuth 2.0 authentication method used for server-to-server communication. To evaluate the efficiency and scalability of these secured APIs, we will employ Apache JMeter, a widely used open-source performance testing tool. We aim to measure the APIs’ responsiveness, throughput, and overall performance under different load conditions through a series of test scenarios and simulations. By analysing the results, we can identify potential bottlenecks, optimize resource allocation, and ensure that the APIs can handle the expected traffic levels effectively.

Prerequisites

  1. The JMeter Taurus Performance task is implemented in the Azure DevOps pipeline.
  2. The Taurus YAML file is configured in the Azure DevOps pipeline.
  3. The pipeline job publishes the JMeter HTML reports as an artefact.
  4. A Key Vault is created in the Azure Portal.
  5. A secret is created in the Key Vault from the previous step.

How it Works

Client Credentials Flow

The Client Credentials Flow is used by machine-to-machine (M2M) applications, which authenticate by presenting their own Client ID and Client Secret and receive a token in return.

  1. Your application authenticates with the Auth0 Authorization Server by presenting its Client ID and Client Secret to the /OAuth/token endpoint.
  2. The Auth0 Authorization Server verifies that the supplied Client ID and Client Secret are valid.
  3. On successful validation, the Auth0 Authorization Server issues an Access Token, which serves as the credential for subsequent calls.
  4. Using the Access Token, your application calls the API on its own behalf to perform actions and request information.
  5. The API responds to these calls with the requested data.

HTTP request for an access token

  1. Create an HTTP Request for the API that issues the OAuth token.
  2. Add the HTTP Request element: Thread Group -> Add -> Sampler -> HTTP Request.
  3. This HTTP Request calls the token API to obtain the access token.
  4. Add the parameter content-Type.
  5. Add the parameter client-id.
  6. Add the parameter client-secret.
  7. Add the parameter grant_type.
  8. Add the parameter scope.

JSON Extractor to extract the access token

When executed, this step parses the JSON response of the token request, retrieves the access_token value and stores it in the variable ‘accessToken’.

  1. Add a JSON Extractor in JMeter.
  2. Select the “Main sample and sub-samples” radio button in the JSON Extractor.
  3. Set the variable name to ‘accessToken’.
  4. Set the JSON Path Expression to ‘$..access_token’.
  5. Set the Match No. field to ‘1’.

HTTP request to call the main API passing the access_token

  1. Create another HTTP Request that calls the main API, passing the access_token obtained by the previous HTTP Request.
  2. Add an HTTP Header Manager.
  3. Enter a name in the Name field.
  4. Set the header name to ‘Authorization’.
  5. Set the value to ‘Bearer ${accessToken}’ and click Save.
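The following Python script is an added illustration, not code from the original article or from JMeter: it models what the three elements above do, namely the form body the token sampler posts, the JSON Extractor with ‘$..access_token’ and Match No. 1, and the Header Manager value ‘Bearer ${accessToken}’. The token response, client id, secret and scope are constructed sample values.

```python
import json
from urllib.parse import urlencode

# Constructed sample of what the token endpoint returns on success
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "eyJhbGciOiJSUzI1NiJ9.sample.payload",
})

def build_token_request(client_id, client_secret, scope):
    """Header and form body posted by the first HTTP Request sampler (the token call)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # in the real plan this value comes from Key Vault
        "scope": scope,
    })
    return headers, body

def extract_access_token(response_body, match_no=1, default=None):
    """Model of the JSON Extractor: JSON Path '$..access_token', Match No. as given.
    '$..' is recursive descent, so an access_token key at any depth counts, in
    document order. With no match JMeter leaves ${accessToken} unresolved unless a
    Default Value is configured; the 'default' argument plays that role."""
    def walk(node):
        if isinstance(node, dict):
            if "access_token" in node:
                yield node["access_token"]
            for child in node.values():
                yield from walk(child)
        elif isinstance(node, list):
            for item in node:
                yield from walk(item)
    try:
        matches = list(walk(json.loads(response_body)))
    except json.JSONDecodeError:
        matches = []   # e.g. an HTML error page came back instead of JSON
    return matches[match_no - 1] if len(matches) >= match_no else default

def authorization_header(access_token):
    """Header Manager entry for the main API call: 'Bearer ${accessToken}'."""
    if access_token is None:
        # Otherwise the literal text "Bearer ${accessToken}" goes out and every
        # main-API sample fails with 401, which distorts the throughput numbers.
        raise ValueError("accessToken was not extracted; inspect the token sampler response")
    return {"Authorization": f"Bearer {access_token}"}
```

Note that the token response carries expires_in; for a run longer than that, the token sampler must execute again before the token lapses or the later samples will fail.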

User-Defined Variables

All of the following user-defined variables except “Client_secret” take their values from system environment variables, which we pass in from the Azure DevOps YAML file.

The user-defined variable “Client_secret” takes its value from Azure Key Vault.

Adding the system environment variables (Windows)

  1. Access System Properties: Right-click on “This PC” or “My Computer” (depending on your Windows version), then choose “Properties.”
  2. Navigate to Advanced System Settings: Click on “Advanced system settings” in the left sidebar.
  3. Access Environment Variables: Within the System Properties window, find and click the “Environment Variables” button.
  4. Create a New System Variable: Inside the Environment Variables window, locate the “System variables” section, then click “New.”
  5. Define Variable Name: In the “Variable name” field, provide the same name as provided in the User Defined variable in JMeter.
  6. Define Variable Value: In the “Variable value” field, specify the value for your variable.
  7. Save and Confirm Changes: Click “OK” to confirm and save the newly created environment variable.
  8. Restart JMeter: In certain cases, you may be required to restart JMeter or your computer to ensure the changes take effect.

Steps to get the secret key from Azure Key Vault

This step retrieves the secret from the Azure Key Vault created in the Azure Portal.

  1. Add the AzureKeyVault@2 task as shown below.
  2. Set azureSubscription to your Azure subscription name.
  3. Set KeyVaultName to the name of the Key Vault created in the Azure portal that holds the secret.
  4. Set SecretsFilter to the name of the secret present in the Key Vault.

- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: kv-sdc-dev'
  inputs:
    azureSubscription: 'Subscription Name'
    KeyVaultName: 'Name of Keyvault'
    SecretsFilter: 'Secrets Filter'

Steps to replace the secret in the .jmx file

  1. Add the task ‘qetza.replacetokens.replacetokens-task.replacetokens@3’ as shown below.
  2. Set rootDirectory to the directory containing the .jmx file.
  3. Set targetFiles to ‘*.jmx’.
  4. The task searches all .jmx files in the repo for the placeholder ‘#{sdc-aad-cs}#’ and replaces it with the client secret.

- task: qetza.replacetokens.replacetokens-task.replacetokens@3
  displayName: 'Replace Secret in *.jmx'
  inputs:
    rootDirectory: .azurepipeline/testcases/jmeter
    targetFiles: '*.jmx'
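To make explicit what the replacement step must guarantee, here is an added Python equivalent of the replacetokens task (not the task's own code) run over a constructed .jmx fragment that carries the ‘#{sdc-aad-cs}#’ placeholder; it assumes the Key Vault secret is named sdc-aad-cs and is exposed to the pipeline as a variable of the same name. It fails on any unresolved placeholder instead of leaving it in the file, and masks the secret before anything is logged.

```python
import re

# Constructed .jmx fragment: the Client_secret user-defined variable carries the
# replacetokens placeholder that the pipeline fills from the Key Vault secret.
SAMPLE_JMX = """<elementProp name="Client_secret" elementType="Argument">
  <stringProp name="Argument.name">Client_secret</stringProp>
  <stringProp name="Argument.value">#{sdc-aad-cs}#</stringProp>
  <stringProp name="Argument.metadata">=</stringProp>
</elementProp>"""

# replacetokens@3 default token pattern: #{name}#
TOKEN = re.compile(r"#\{([A-Za-z0-9_.-]+)\}#")

def unresolved_tokens(text):
    """Names of all #{...}# placeholders still present in text."""
    return sorted({m.group(1) for m in TOKEN.finditer(text)})

def replace_tokens(text, values):
    """Substitute every placeholder from 'values' (token name -> pipeline variable value).

    A placeholder with no value is an error rather than a silent pass-through: a
    leftover '#{sdc-aad-cs}#' would otherwise be posted to the token endpoint as the
    client secret and every sample in the run would fail with invalid_client.
    """
    missing = [name for name in unresolved_tokens(text) if name not in values]
    if missing:
        raise KeyError(f"no pipeline variable for placeholder(s): {missing}")
    return TOKEN.sub(lambda m: values[m.group(1)], text)

def redact(text, values):
    """Log-safe copy of the replaced file: secret values are masked, names are kept."""
    for name, value in values.items():
        if value:
            text = text.replace(value, f"***{name}***")
    return text
```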

Pass the user-defined variables from the build release YAML

Add the variable values in the “client-credential-oauth.yml” file as shown below.

variables:
  content-Type:
  grant_type:
  client_id:
  scope:
  clientId:
  clientRef:
  clientData:
  callbackUrl:
  tokenEndPointPath:
  tokenEndPointServerName:
  APIServerName:
  APIPath:

Conclusion

That’s it: these are the steps needed to performance test OAuth 2.0 client-credential-secured APIs using JMeter.

About the author:

Rajeev Kalal is a Test Automation Consultant at Version 1.
