Many people run into the problem of handling the access token in JMeter during performance testing. First we will see how an access token works.
When one site (Site 1) needs to call another site (Site 2) on behalf of a user, Site 2 requires an access token to validate that call and every call that follows. The following chain of events lets Site 1 access User X's information on Site 2:
1. Site 1 registers with Site 2 and obtains a client ID and a Secret.
2. When User X tells Site 1 to access Site 2, User X is redirected to Site 2, where they confirm that they do want to grant Site 1 permission to specific information.
3. Site 2 redirects User X back to Site 1 along with an authorization code (in the implicit flow the access token itself is returned at this step instead).
4. Site 1 sends that code together with its Secret directly to Site 2 and receives an access token in return.
5. Site 1 then makes requests to Site 2 on behalf of User X by attaching the access token to each request.
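The exchange above, simulated end to end as an added example (not code from the original article or from any real authorization server). Both sides are in-memory: Site 2 registers the client, issues a single-use code, exchanges code plus Secret for a bearer token, and serves the protected resource. The class names, field names and the user record are assumptions for illustration; the two negative checks at the end show why the code, on its own, is not enough to obtain the token.

```python
import hmac
import secrets
import time

# Constructed in-memory "Site 2" (authorization + resource server). Names and
# data structures are assumptions for illustration, not any real library's API.


class Site2:
    def __init__(self):
        self.clients = {}      # client_id -> client_secret
        self.codes = {}        # authorization code -> (client_id, user)
        self.tokens = {}       # access token -> (client_id, user, expiry)
        self.user_data = {"user_x": {"email": "x@example.test"}}  # constructed

    def register(self):
        # Step 1: Site 1 registers and obtains an ID and a Secret.
        client_id = "client-" + secrets.token_hex(4)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    def authorize(self, client_id, user):
        # Steps 2-3: the user consents on Site 2, which redirects back to Site 1
        # with a short-lived, single-use authorization code (not the token).
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def exchange(self, client_id, client_secret, code):
        # Step 4: Site 1 presents the code plus its Secret; only then is a
        # bearer access token issued. The code is consumed so a replay fails.
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("bad client credentials")
        owner = self.codes.pop(code, None)
        if owner is None or owner[0] != client_id:
            raise PermissionError("invalid or reused code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, owner[1], time.time() + 3600)
        return token

    def resource(self, authorization_header):
        # Step 5: requests on behalf of User X carry "Authorization: Bearer <token>".
        scheme, _, token = authorization_header.partition(" ")
        entry = self.tokens.get(token)
        if scheme != "Bearer" or entry is None or entry[2] < time.time():
            raise PermissionError("invalid token")
        return self.user_data[entry[1]]


def run_flow():
    """Happy path, then two attempts that a correct Site 2 must reject."""
    site2 = Site2()
    client_id, client_secret = site2.register()
    code = site2.authorize(client_id, "user_x")
    token = site2.exchange(client_id, client_secret, code)
    data = site2.resource(f"Bearer {token}")

    replay_rejected = False
    try:
        site2.exchange(client_id, client_secret, code)   # code already consumed
    except PermissionError:
        replay_rejected = True

    wrong_secret_rejected = False
    try:
        fresh_code = site2.authorize(client_id, "user_x")
        site2.exchange(client_id, "not-the-secret", fresh_code)
    except PermissionError:
        wrong_secret_rejected = True

    return data, replay_rejected, wrong_secret_rejected


if __name__ == "__main__":
    print(run_flow())
```

The point for load testing is in `exchange`: the redirect carries only the code (or, for implicit flows, the token), and the Secret stays on Site 1's server. A JMeter script that replays the browser traffic therefore needs to capture whatever the redirect actually carries, which is the correlation problem covered next.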
Now we will see how to solve the access token issue in JMeter with the following steps, which are part of the correlation activity:
1. When the home (login) page is requested, the server generates a unique code ID and execution ID and returns them in the response to that first request (the home page URL).
2. Capture these two IDs with two separate Regular Expression Extractors.
3. The next request carries the username, password, code ID and execution ID. The server answers with a redirect to the authorization server, which issues the access token.
4. The redirect carries the access token, which must be captured in a third Regular Expression Extractor.
5. Add that Regular Expression Extractor post-processor to the request from step 3. Give it a reference name (say accessToken), set "Field to check" to "URL" or "Response Headers" (whichever your application uses), and use the regular expression access_token=([^&\s]+). The pattern access_token=([\S]+) also matches, but since \S includes & it swallows any parameters that follow the token (for example &token_type=Bearer&expires_in=3600), and the server will reject the resulting value. If the sampler follows redirects, the token is on the 302 sub-sample, so set "Apply to" to "Main sample and sub-samples" (or untick "Follow Redirects" and capture the Location header directly).
6. Use the access token wherever it is required. It is usually sent in a request header, added through an HTTP Header Manager, e.g. Authorization: Bearer ${accessToken}.
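The correlation in steps 1 to 6, as an added example that is not part of the original article: the regular expressions are the ones you would type into JMeter's extractors (same Perl-style syntax), run here in Python over constructed sample responses so the captured values can be checked. The hidden-field names (codeId, executionId), the hostname and the token value are assumptions; the comparison of the two token patterns shows the over-capture described in step 5.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample responses standing in for what JMeter sees in the steps
# above. Field names (codeId, executionId) and hostnames are assumptions.
HOMEPAGE_HTML = """<form action="/login" method="post">
  <input type="hidden" name="codeId" value="c8f1a2">
  <input type="hidden" name="executionId" value="e1s1">
  <input name="username"><input name="password" type="password">
</form>"""

# The Location header of the redirect that follows a successful login.
REDIRECT_LOCATION = ("https://app.example.test/callback#access_token=ya29.abc-DEF_123"
                     "&token_type=Bearer&expires_in=3600")

# Same Perl-style syntax as JMeter's Regular Expression Extractor, so these
# can be pasted into the "Regular Expression" field unchanged.
CODE_ID_RE = re.compile(r'name="codeId" value="([^"]+)"')
EXECUTION_ID_RE = re.compile(r'name="executionId" value="([^"]+)"')
TOKEN_RE_NAIVE = re.compile(r"access_token=(\S+)")     # pattern as written above
TOKEN_RE = re.compile(r"access_token=([^&\s]+)")       # stops at the next parameter


def extract(pattern, text):
    """Group 1 of the first match, or None (JMeter would fall back to Default Value)."""
    m = pattern.search(text)
    return m.group(1) if m else None


def token_from_url(url):
    """Parser-based alternative: look in the query first, then in the fragment."""
    parts = urlsplit(url)
    for component in (parts.query, parts.fragment):
        values = parse_qs(component).get("access_token")
        if values:
            return values[0]
    return None


def correlate(homepage_html, redirect_location):
    """Mirror the manual correlation: two IDs from the home page, then the token."""
    captured = {
        "codeId": extract(CODE_ID_RE, homepage_html),
        "executionId": extract(EXECUTION_ID_RE, homepage_html),
        "accessToken": extract(TOKEN_RE, redirect_location),
    }
    # Fail loudly instead of sending "${accessToken}" literally to the server.
    missing = [name for name, value in captured.items() if value is None]
    if missing:
        raise ValueError(f"correlation failed, not found: {missing}")
    headers = {"Authorization": f"Bearer {captured['accessToken']}"}
    return captured, headers


def naive_token(redirect_location):
    """What the \\S+ pattern captures from the same redirect."""
    return extract(TOKEN_RE_NAIVE, redirect_location)


if __name__ == "__main__":
    captured, headers = correlate(HOMEPAGE_HTML, REDIRECT_LOCATION)
    print(captured)
    print(headers)
    print("naive pattern captured:", naive_token(REDIRECT_LOCATION))
```

In JMeter the equivalent of the `missing` check is an assertion on the extractor's Default Value (set it to something like NOT_FOUND and assert the variable does not equal it), so a broken correlation fails the sample instead of silently sending the placeholder.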
I hope this gives you a basic idea of how an access token works and how to handle it in JMeter.
To USE the access token in the Swagger Docs UI, copy the access token from the response, and paste it into the access token field at the top of the page. Click the oauth2access_token operation located at the top of the list.
It's crucial to handle these tokens securely. Access Tokens can be stored in memory or session storage, while Refresh Tokens, being more sensitive, should be stored securely on your server. Always ensure secure transmission (via HTTPS) and storage (using encryption as necessary) of these tokens.
Step 1 — First, open JMeter and create a new Test Plan. Add a Thread Group to the Test Plan and add an HTTP Request Sampler to the Thread Group. This HTTP Request Sampler will be used to send a request to the server and receive the response that contains the OTP.
You need to extract the token from the previous response using a suitable JMeter Post-Processor, store it into a JMeter Variable and replace recorded hard-coded CSRF token value with the variable from the previous step.
We can use variables in this tab if we defined username and password in a User Defined Variables component. It works for the password, too. Although it's still masked, we can type “${password}” in the password field. We must take care to select the correct Mechanism for authentication.
In general 2nd factor authentication is not something you can bypass using JMeter, in certain cases like TOTP it's possible to calculate the one-time-password using JSR223 Test Elements and Groovy language but in case of "real" 2FA via i.e. Authenticator app it won't be easy, consider asking your app administrators to ...
JMeter can handle any number of parameters that the application under test can handle. More complex requests mean more load-generating machines will be needed to simulate the expected user load.
The second way to pass your API token is via a query parameter called key in the URL like below. Use of the X-Dataverse-key HTTP header form is preferred to passing key in the URL because query parameters like key appear in URLs and might accidentally get shared, exposing your API token. (Again it's like a password.)