Overcoming OAuth Authentication Challenges in Performance Testing
Security is one of the most important aspects of modern-day digital applications. No matter how well the apps are designed to meet business objectives, there is a constant risk of compliance issues and credibility loss if the security is not addressed beforehand. Hence it is vital to have a robust means of authorization for applications. OAuth is one of the most effective ways to ensure application security.
What is OAuth?
OAuth is open-standard authorization protocol that provides secure access to the designated applications. For example, if you are prompted to log in with your Facebook credentials to an application X, it is okay for application X to access your Facebook profile or post updates to your timeline, without providing your Facebook password to application X. Even in the event of security breach of application X, your password remains safe.
Here’s an example of how it works:
- The user goes to website A.
- On website A, the user is given the option to sign in by using website B (Google, Facebook, LinkedIn, GitHub, etc.)
- The user confirms that the information obtained from website B (i.e. first name and last name) can be used by website A.
- The user is known on website A by the credentials (i.e., first name and last name) that he set up on website B.
This entire process is known as the flow. As you can see, the end-user doesn’t need to enter his/her credentials on website A, which makes it far more secure. OAuth doesn’t use password authentication but instead uses authorization tokens to establish an identity between consumers and service providers, as depicted below.
Challenges encountered in using OAuth for a performance test
OAuth2.0 has become the most commonly used authentication framework for Restful API services and web applications. While this authentication methodology has apparent security benefits, it does come with challenges during application flow automation or performance testing. Authorization with dynamic access token obtained from the initial response, should be used in subsequent requests for successful authentication. Let’s understand a practical scenario and the approach adopted to overcome the challenges faced during performance testing.
JMeter is the most popular open-source performance testing that uses regular expressions for extracting values and performing operations on the extracted content from responses. The below approach sheds light on how to handle and use dynamic content in JMeter:
Configurations and recording script in JMeter
- Setting the proxy connection (configure Firefox to use JMeter proxy)
- Open Firefox
- Go to the ‘Preferences’ menu
- Click on the ‘Advanced’ tab
- Then ‘Network’ tab
- In the ’Connection‘ section, click on ’Settings’
- Select the ’Manual proxy configuration‘ Radio’ button
- Set HTTP Proxy to ’localhost‘ and Port to ’8080’
- Record the Login script through JMeter
- Add the required elements of JMeter like thread group, Http request default, Https script recorder, and cookie manager.
- Then record the script by using Https script recorder.
Here are the best tips and tricks on How to Video Record Selenium Test Cases. || Our Quality Assurance Team helps our clients deliver tightly integrated insights, technologies, and best practice processes.
Handling OAuth challenges
1. Handling OAuth challenges
Once the recording is complete, the script will be executed and validated for a response. Dynamic content such as CSRF token, process ID, token, etc. are extracted using ‘Regular expression extractor’. The below snapshots show the usage of regular expressions for handling dynamic content and correlating to subsequent requests.
a) Extracting the SS-Token
In a similar fashion, we need to extract all the dynamic values and correlate to the requests.
b) Passing the dynamic values in the subsequent requests in payload
c) Passing the dynamic values in ‘Request Header’ for authorization
Sometimes JMeter’s http cookie manager might not be able to store the complete cookie information. Some of the values that might not be present in JMeter’s cookies are related to user login. Hence, the cookie needs to be updated with the missing values for successful authentication. The sample snapshot below shows the missing elements in cookie captured in JMeter.
Below is the process to updating cookies.
2. Cookie insertion through JSR223 Pre-processor
Now let’s get the cookie manager element through a JSR223 pre-processor. The following sentences allow you to retrieve the cookie manager into a variable:
- Import the package org. apache. jmeter.protocl.http.controlGet cookie manager import org. apache. jmeter. protocol. http.control.
- Activate the cookie manager from the test manager into the cm variable by invoking the getCookieManager () method
- CookieManager cm = sampler. getCookieManager ()
- Now create the cookie by adding the following line into the pre-processor script.
- Cookie cookie = new Cookie(“<NAME>”,”<VALUE>”,”<HOST>”,”/”,false/true, 1557578515);
- Name = cookie name
- Value – cookie value
- Host = domain address
- / = The path within the domain where the cookie is valid. Set to /.
- True/False = A boolean value indicating if a secure connection is needed to access the cookie
- Then add the cookie by using the following command
Note: We can also add the cookie values using a text file
We will create a cookie.txt file consisting of all the values, placing it on the same directory where the script is.
cm.addFile (“path of the text file”);
ex: cm. addFile(“C:/work/jmeter-scripts-samples/cookie.txt”)
The approach mentioned above provides a solution to the authentication challenge in performance testing.
Get help from our experts
Over the past 20 years, we have completed thousands of digital projects globally. We have one of the largest and deepest multi-solutions digital consulting teams in the world. Our proprietary processes and years of Digital Experience expertise have earned us a 97% customer satisfaction rating with our clients ranging from Global Fortune 1000 to Mid-Market Enterprises, leading educational institutions, and Non-Profits.
DesignRush has recognized TA Digital as a top Web Design Agency.
About TA Digital
TA Digital is the only global boutique agency that delivers the “best of both worlds” to clients seeking to achieve organizational success through digital transformation. Unlike smaller, regional agencies that lack the ability to scale or large organizations that succumb to a quantity-over-quality approach, we offer resource diversity while also providing meticulous attention to the details that enable strategic success.
Over the past 20 years, TA Digital has positioned clients to achieve digital maturity by focusing on data, customer-centricity and exponential return on investment; by melding exceptional user experience and data-driven methodologies with artificial intelligence and machine learning, we enable digital transformations that intelligently build upon the strategies we set into motion. We are known as a global leader that assists marketing and technology executives in understanding the digital ecosystem while identifying cultural and operational gaps within their business – ultimately ushering organizations toward a more mature model and profitable digital landscape.
Recognized in 2013, 2014, 2015, and 2019 Inc. 5000 list as one of the most successful technology companies in the United States, TA Digital is pleased also to share high-level strategic partnerships with world class digital experience platform companies like Adobe, SAP and Salesforce and possess global partnerships with industry leaders such as Sitecore, Episerver, Elastic Path, BigCommerce, AWS, Azure and Coveo.