Overcoming OAuth Authentication Challenges in Performance Testing

By Vikram Kumar Jelloji

Security is one of the most important aspects of modern-day digital applications. No matter how well the apps are designed to meet business objectives, there is a constant risk of compliance issues and credibility loss if the security is not addressed beforehand. Hence it is vital to have a robust means of authorization for applications. OAuth is one of the most effective ways to ensure application security.

What is OAuth?

OAuth is an open-standard authorization protocol that provides secure access to designated applications. For example, if you are prompted to log in to an application X with your Facebook credentials, application X can access your Facebook profile or post updates to your timeline without you providing your Facebook password to application X. Even in the event of a security breach of application X, your password remains safe.


Here’s an example of how it works:

  • The user goes to website A.
  • On website A, the user is given the option to sign in by using website B (Google, Facebook, LinkedIn, GitHub, etc.)
  • The user confirms that the information obtained from website B (i.e. first name and last name) can be used by website A.
  • The user is known on website A by the credentials (i.e., first name and last name) that he set up on website B.

This entire process is known as the flow. As you can see, the end-user doesn’t need to enter his/her credentials on website A, which makes it far more secure. OAuth doesn’t use password authentication but instead uses authorization tokens to establish an identity between consumers and service providers, as depicted below.

Challenges encountered in using OAuth for a performance test

OAuth 2.0 has become the most commonly used authentication framework for RESTful API services and web applications. While this authentication methodology has apparent security benefits, it does come with challenges during application flow automation or performance testing. The dynamic access token obtained from the initial response must be used for authorization in subsequent requests for authentication to succeed. Let’s look at a practical scenario and the approach adopted to overcome the challenges faced during performance testing.

JMeter is the most popular open-source performance testing tool, and it uses regular expressions to extract values from responses and perform operations on the extracted content. The approach below shows how to handle and use dynamic content in JMeter:

Configurations and recording script in JMeter

  • Setting the proxy connection (configure Firefox to use JMeter proxy)
    • Open Firefox
    • Go to the ‘Preferences’ menu
    • Click on the ‘Advanced’ tab
    • Then ‘Network’ tab
    • In the ‘Connection’ section, click on ‘Settings’
    • Select the ‘Manual proxy configuration’ radio button
    • Set HTTP Proxy to ‘localhost’ and Port to ‘8080’
  • Record the Login script through JMeter
    • Add the required JMeter elements: Thread Group, HTTP Request Defaults, HTTP(S) Test Script Recorder, and HTTP Cookie Manager.
    • Then record the script by using the HTTP(S) Test Script Recorder.


Handling OAuth challenges

1. Handling OAuth challenges

Once the recording is complete, the script is executed and its responses are validated. Dynamic content such as the CSRF token, process ID, token, etc. is extracted using the ‘Regular Expression Extractor’. The snapshots below show the usage of regular expressions for handling dynamic content and correlating it to subsequent requests.

a) Extracting the SS-Token

In a similar fashion, we need to extract all the dynamic values and correlate them to the requests.

b) Passing the dynamic values in the subsequent requests in payload


c) Passing the dynamic values in ‘Request Header’ for authorization
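
Steps a) and c) written out as a JSR223 PostProcessor in Groovy, as an added example that is not taken from the original article. It assumes the login response is JSON with an "access_token" field and that later requests read the JMeter variable access_token; both names are constructed for illustration.

```groovy
// JSR223 PostProcessor (language: Groovy) attached to the login/token request.
// Assumptions, not from the article: the response body is JSON carrying an
// "access_token" field, and later requests read the JMeter variable "access_token".
// String concatenation is used instead of Groovy GStrings because JMeter itself
// resolves dollar-brace references in the script text before Groovy sees it.
import java.util.regex.Matcher
import java.util.regex.Pattern

final Pattern TOKEN_RE = Pattern.compile('"access_token"\\s*:\\s*"([^"]+)"')

// Clear the previous value first so a failed login cannot reuse a stale token.
vars.remove('access_token')

if (!prev.getResponseCode().startsWith('2')) {
    prev.setSuccessful(false)
    prev.setResponseMessage('Login returned HTTP ' + prev.getResponseCode() + '; no token extracted')
    return
}

Matcher m = TOKEN_RE.matcher(prev.getResponseDataAsString())
if (!m.find()) {
    // Without this check, later samplers would send the unreplaced variable
    // reference as the token and every request would fail authorization.
    prev.setSuccessful(false)
    prev.setResponseMessage('access_token not found in login response')
    return
}

String token = m.group(1)
vars.put('access_token', token)
// Log only the length: a token written to jmeter.log is a credential at rest.
log.info('access_token extracted (' + token.length() + ' chars)')
```

An HTTP Header Manager on the later requests can then send the value as `Authorization: Bearer ${access_token}`; the Bearer scheme is an assumption about the application under test.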

Sometimes JMeter’s HTTP Cookie Manager might not be able to store the complete cookie information. Some of the values that might not be present in JMeter’s cookies are related to user login. Hence, the cookie needs to be updated with the missing values for successful authentication. The sample snapshot below shows the missing elements in the cookie captured in JMeter.

Below is the process for updating cookies.

2. Cookie insertion through JSR223 Pre-processor

Add an HTTP Cookie Manager and set the cookie policy to standard.

Now let’s get the cookie manager element through a JSR223 pre-processor. The following statements allow you to retrieve the cookie manager into a variable:

  • Import the cookie classes from the package org.apache.jmeter.protocol.http.control
    • import org.apache.jmeter.protocol.http.control.CookieManager;
    • import org.apache.jmeter.protocol.http.control.Cookie;
  • Retrieve the cookie manager from the sampler into the cm variable by invoking the getCookieManager() method
    • CookieManager cm = sampler.getCookieManager();
  • Now create the cookie by adding the following line into the pre-processor script.
    • Cookie cookie = new Cookie("<NAME>", "<VALUE>", "<HOST>", "/", false/true, 1557578515);
    • Name = cookie name
    • Value = cookie value
    • Host = domain address
    • / = The path within the domain where the cookie is valid. Set to /.
    • True/False = A boolean value indicating if a secure connection is needed to access the cookie
    • 1557578515 = The cookie expiry time, in seconds since the Unix epoch
  • Then add the cookie by using the following command
    • cm.add(cookie);
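
The steps above assembled into one JSR223 PreProcessor script in Groovy, as an added example that is not the article's own code. The cookie name AUTH_SESSION and the JMeter variable auth_session_value are hypothetical; the script takes the host and the secure flag from the sampler and computes the expiry instead of hard-coding it.

```groovy
// JSR223 PreProcessor (language: Groovy) under the HTTP sampler that needs the cookie.
// Hypothetical names, not from the article: cookie "AUTH_SESSION" and the JMeter
// variable "auth_session_value", filled by an extractor on the login response.
import org.apache.jmeter.protocol.http.control.Cookie
import org.apache.jmeter.protocol.http.control.CookieManager
import java.time.Instant

CookieManager cm = sampler.getCookieManager()
if (cm == null) {
    // getCookieManager() returns null when no HTTP Cookie Manager is in scope.
    log.error('No HTTP Cookie Manager is in scope for ' + sampler.getName())
    return
}

String value = vars.get('auth_session_value')
if (value == null || value.isEmpty()) {
    log.warn('auth_session_value is not set; cookie not added')
    return
}

// Take host and scheme from the sampler so the cookie matches the request it is for.
String host = sampler.getDomain()
boolean secure = 'https'.equalsIgnoreCase(sampler.getProtocol())

// Expiry is in seconds since the Unix epoch; compute it so it is never in the past.
long expires = Instant.now().getEpochSecond() + 3600L

cm.add(new Cookie('AUTH_SESSION', value, host, '/', secure, expires))
// The cookie value is a session credential, so it is kept out of jmeter.log.
log.info('Added cookie AUTH_SESSION for ' + host + ' (secure=' + secure + ', value not logged)')
```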

Note: We can also add the cookie values using a text file.

We will create a cookie.txt file containing all the values and place it in the same directory as the script.

cm.addFile("path of the text file");

ex: cm.addFile("C:/work/jmeter-scripts-samples/cookie.txt");

The approach mentioned above provides a solution to the authentication challenge in performance testing.
