Achieving OAuth 1.0 Authorization in JMeter (latest v5.4.3)

I need to do API testing for my legacy application, which uses OAuth 1.0 for authorization. Basically I will get temporary tokens in order to get an access token for the API testing.
I am using JMeter 5.4.3 for the testing.
In the HTTP Header Manager, I am adding the header below:
OAuth oauth_consumer_key="${BbTSConsumerKey}",oauth_consumer_secret="${BbTSConsumerSecret}", oauth_signature_method="HMAC-SHA1",oauth_timestamp="1654865360",oauth_nonce="5348516",oauth_version="1.0",oauth_signature="04Lp%2BF9wZjrFSCjfL%2FLdCepsUYc%3D"
But the above line is not working; I'm getting a 401 - Not Authorized error.
Please help me make JMeter work with OAuth v1.0.

I don't think you need to add the parameters to the HTTP Header Manager; my expectation is that the values should go into the HTTP Request sampler parameters.
Moreover:
timestamp should be the number of seconds since the beginning of the Unix epoch, i.e. ${__groovy((System.currentTimeMillis() / 1000) as int,)}
nonce should be random, i.e. ${__Random(1111111,9999999,)}
oauth_signature needs to be calculated, not hard-coded; the most appropriate test element I can think of is the JSR223 PreProcessor
More information:
Apache JMeter Functions - An Introduction
Creating a signature
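The following is an added reference implementation, not part of the question or answer above, of the signature the answer says must be calculated. It is written in Python so it can be run and checked directly (in JMeter the same logic would go into a JSR223 PreProcessor in Groovy). It follows RFC 5849: the base string is built from the HTTP method, the normalized URL and the sorted, percent-encoded parameters (query string, form body and oauth_* fields); the consumer secret and token secret are only ever used as the HMAC-SHA1 key and are never placed in the Authorization header. Because the timestamp and nonce are part of the signed string, a signature copied from an earlier capture is bound to that one timestamp and nonce and cannot be replayed, which is why a hard-coded oauth_signature gets a 401. All URLs, keys and secrets are constructed example values.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing, stand-alone reference.

Every name, URL and secret here is a constructed example value; none of it
comes from the question or answer above.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def oauth_escape(value) -> str:
    # RFC 5849 3.6: percent-encode everything except ALPHA, DIGIT, '-', '.', '_', '~'
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the signature base string (RFC 5849 3.4.1).

    params: (name, value) pairs from the oauth_* set and the form body;
    query-string parameters are taken from the URL itself.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    # Default ports are dropped, non-default ports are kept (3.4.1.2)
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    base_url = f"{scheme}://{host}{parts.path}"
    # Decode the query string so that every value is encoded exactly once below
    all_params = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    # Encode first, then sort by encoded name and value (3.4.1.3.2)
    encoded = sorted((oauth_escape(k), oauth_escape(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_escape(base_url), oauth_escape(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # The secrets form the HMAC key (3.4.2); they are never sent in the request
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret,
                               token=None, token_secret="", body_params=None,
                               timestamp=None, nonce=None):
    """Return (Authorization header value, base string) for one request.

    timestamp/nonce default to 'now' and a fresh CSPRNG value; passing them
    explicitly makes the output reproducible (used by the test below).
    """
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    if token:
        oauth_params["oauth_token"] = token
    signed = list(oauth_params.items()) + list((body_params or {}).items())
    base = signature_base_string(method, url, signed)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = ", ".join(f'{k}="{oauth_escape(v)}"' for k, v in oauth_params.items())
    return "OAuth " + header, base


def signature_is_valid(method, url, header_value, consumer_secret,
                       token_secret="", body_params=None):
    """Server-side check: recompute the signature from the header fields
    and compare it in constant time with the one the client claimed."""
    items = (item.split("=", 1) for item in header_value[len("OAuth "):].split(", "))
    fields = {k: v.strip('"') for k, v in items}
    claimed = fields.pop("oauth_signature", "")
    signed = [(k, unquote(v)) for k, v in fields.items()] + list((body_params or {}).items())
    expected = hmac_sha1_signature(signature_base_string(method, url, signed),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(unquote(claimed), expected)


if __name__ == "__main__":
    hdr, base = build_authorization_header(
        "GET", "https://api.example.com/v1/orders?status=open&q=a%20b",
        consumer_key="ck", consumer_secret="consumer-secret-never-sent",
        token="tk", token_secret="token-secret-never-sent")
    print(base)
    print("Authorization:", hdr)
```

In JMeter the same calculation belongs in a JSR223 PreProcessor that writes the header value into a variable (e.g. via vars.put) which the HTTP Header Manager then references, so that every sampler execution gets its own timestamp, nonce and signature.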

Related

SSO Authentication for Login Failed in JMeter - 401 Response Code

I'm doing JMeter scripting for a login flow which has SSO authentication.
I have correlated almost all the token values like the SAML request, SAML response, request verification token & client id request, but I'm not getting a proper response in the login call. The SSO call is failing with a 401 response code.
When we try to decode the SAML response (using an online SAML decoder) which I'm getting from the previous request's response in JMeter, the Status is showing as Responder, but the same is showing as Success when we decode the SAML response which we get from LoadRunner or the Developer Console.
Note: The same script is working fine in Load Runner.
Can someone help me?
If "the same script is working fine in Load Runner" and doesn't work in JMeter - this is not the same script. You need to figure out what are the differences and amend your JMeter configuration so JMeter will send the same requests as Load Runner (or even better a real browser)
"I have correlated almost all the token values"
"almost all" is not sufficient, you need to correlate all the dynamic parameters.
Use a 3rd-party sniffer tool like Fiddler or Wireshark to capture the requests originating from JMeter and Load Runner (or real browser).
The requests must be exactly the same (apart from dynamic values which need to be correlated). Once you send the same request you will get the same response. Pay attention to literally everything: not only request body matters, take a look at URL query strings, request headers and so on.

Invalid state parameter in Jmeter

I am implementing load testing in JMeter for my web application, which uses Google OAuth.
I have generated an access token and a refresh token and passed them to my HTTP request, but the request fails with an Invalid state parameter.
I checked various posts on passing a random string of 30 characters, but the value is not being recognised.
I am not sure how to use the Google API library for Python to generate one, as there is only a snippet available on the official site, and I am quite unsure if that value will be recognised.
Any suggestions on how to achieve my use case?
We are not telepathic enough to guess how exactly you "generated" the tokens and how they're "passed to your HTTP request"
My expectation is that you need to pass only one token: the "access" one "to your HTTP Request", refresh token can be exchanged for the new access token when the previous one expires. Passing 2 tokens doesn't make sense and may cause the problem you're facing.
As per the main page of JMeter project
The Apache JMeter™ application is open source software, a 100% pure Java application designed to load test functional behavior and measure performance. It was originally designed for testing Web Applications but has since expanded to other test functions.
hence you cannot use Python libraries directly in JMeter; either look for a Java library (I think this one is a good choice) and use it from JSR223 Test Elements,
or, if you still want (or have to) use Python, you can run Python scripts from JMeter using the OS Process Sampler.

JMeter problem at calling out stored token during real time execution

I am currently using JMeter to perform a basic performance test on a web application.
To build it, I have used the BlazeMeter recorder as an easy and complete way of building my test plan, which recorded the static token in use at that particular moment of the recording.
But, considering that tokens are generated on each login, this requires me to find a way to successfully store the token from each session (done) and then properly pass it to each individual HTTP Request (this is the obstacle).
Below in my screenshot is how I have my test plan set up, and also how I am passing the already stored token to the 2nd HTTP POST Request that requires the real-time token, otherwise it will deliver a 401 error. Despite this, when attempting to call and apply the stored token, it now returns a 400 error for reasons that are unknown to me...
I believe the solution is to slightly change the way I am calling the stored token?
You're getting response as JSON so it makes more sense to use JSON Extractor instead of the Regular Expression Extractor, the relevant configuration would be something like:
Also there is no need to do any scripting, if you add a HTTP Header Manager as a child of the request which requires authentication and configure it like:

Form based Authentication- Jmeter

I am testing an API endpoint for which there is a form based authentication (for additional security). Can someone suggest how to handle form based authentication in JMeter? I tried with the HTTP Authorization Manager, but my request is still failing.
You basically need to submit an HTML form by sending an HTTP POST request using JMeter's HTTP Request sampler.
Given you provide correct credentials you should be authorized for further actions.
In some cases you will need to perform correlation, as you might have to provide one or more dynamic parameters along with the credentials; your application can use these parameters for e.g. CSRF protection or for other reasons. So make sure to carefully inspect the request sent by the real browser (you can capture the original request using the browser developer tools), and if there are any dynamic parameters you should extract them from the previous response using a suitable JMeter Post-Processor.
Once you successfully log in it should be enough to add HTTP Cookie Manager to maintain the user session.
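The correlation step the answer above describes, as an added Python example (not the answer's own content and not a JMeter element; in JMeter the equivalent is a CSS Selector or Regular Expression Extractor whose variables feed the HTTP Request sampler): it pulls the hidden inputs, such as a CSRF token, out of the login page the server returned and assembles the POST body the real browser would send. Replaying a hidden value captured during recording instead of the one in the current response is the classic cause of the login failing while the credentials are correct. The HTML page, URL, field names and credentials are constructed example values.

```python
"""Correlate a form-based login: copy the hidden inputs (CSRF token, return
URL, ...) from the served login page into the POST that submits the credentials.
All sample data is constructed; nothing here comes from the page above."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed login page, standing in for the response of the GET /login sampler
LOGIN_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="hidden" name="_token" value="9f1c3e7a2b4d">
  <input type="hidden" name="return_to" value="/dashboard">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form></body></html>"""


class LoginFormParser(HTMLParser):
    """Collect the action, method and hidden inputs of the first <form> on a page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "GET"
        self.hidden = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").upper()
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "hidden":
            if a.get("name"):
                # Dynamic value from THIS response; never reuse a recorded one
                self.hidden[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def correlate_login(page_html, page_url, username, password,
                    user_field="username", pass_field="password"):
    """Return (method, absolute action URL, urlencoded body) for the login request."""
    parser = LoginFormParser()
    parser.feed(page_html)
    if parser.action is None:
        raise ValueError("no <form> found on the login page")
    fields = dict(parser.hidden)          # correlated dynamic parameters first
    fields[user_field] = username
    fields[pass_field] = password
    return parser.method, urljoin(page_url, parser.action), urlencode(fields)


if __name__ == "__main__":
    method, url, body = correlate_login(LOGIN_PAGE, "https://app.example.com/login",
                                        "alice", "s3cret!")
    print(method, url)
    print(body)
```

After the POST succeeds, the session is carried by the Set-Cookie the server returns; JMeter's HTTP Cookie Manager stores and replays it automatically, so no further scripting is needed for subsequent requests.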

How to pass the http request auto generated _token value (value generated under http request, not in response) to next http request in jmeter

I have an HTTP request that auto-generates a '_token' value with the request (this value is generated under the HTTP request only, not in the response of this request), and this '_token' value needs to be passed to the next HTTP request's header as 'authorization'. I know we can use the JSON/RegEx post processor if it is in the response of the first HTTP request. However, how can it be correlated if the dynamic value is in the HTTP request?
Please suggest how we can achieve this in JMeter.
Most likely you are trying to load test an application which uses OAuth, and depending on the OAuth version and your application setup there could be different options. If the token is permanent, you can just put it into the HTTP Header Manager; however, if the token expires more or less frequently, you will need to implement the OAuth flow using JMeter (in some cases you will need some extras like scripting, kicking off a browser to open a redirect URL, or using OAuth client libraries). Check out the How to Run Performance Tests on OAuth Secured Apps with JMeter article for details.
I would suggest contacting your application developers to learn about OAuth version, settings, required client id/secret, etc.
