How to test login based on Keycloak test using JMeter? - jmeter

We have an app that has a Keycloak login. I want to create a JMeter test that logs in using some credentials, then does some stuff. The problem is I don't know how to form the POST URL
https://something.something.something.something/auth/realms/test/login-actions/authenticate?session_code=D3XPlFteuLSReLVsPbmCYY8RwqJDPmxb9JI1dBtR1yk&execution=021d7cc9-048c-4f68-a295-6d145597dd8e&client_id=my-react-client&tab_id=ACD97a5Yb50
How do I get the other parameters for the POST URL inside the test? They are not in the previous HTTP response (accessing the login page) and they are not in the cookies. I know how to get only the client_id.

Keycloak supports 2 authentication protocols:
OpenID Connect
SAML 2.0
Looking into your URL it's quite likely that your Keycloak instance is using OpenID, and looking into OpenID Configuration Options:
client-id: <CLIENT_ID>
# the secret associated to the 'client' application
So my expectation is that this is something which doesn't change, so feel free to keep it as my-react-client.
Just in case get familiarized with OpenID Connect - How to Load Test with JMeter to learn more about the concept of bypassing login challenge in JMeter tests when it comes to external authentication providers.
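The correlation the answer refers to, as an added example that is not part of the question or answer above: it assumes Keycloak's default login theme, where the `<form id="kc-form-login">` rendered in the login page carries the `session_code`, `execution`, `client_id` and `tab_id` parameters in its `action` attribute. The page body, hostname and parameter values are constructed for the example; the code pulls the action URL out the way a JMeter extractor would, checks that every required parameter is present, and assembles the credential POST for the next sampler. The regex at the end is the same extraction written as a JMeter Regular Expression Extractor pattern.

```python
"""Correlating Keycloak's login-form parameters, as a JMeter extractor would."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the login page body. Assumption: Keycloak's default login
# theme renders <form id="kc-form-login"> whose action URL already carries
# session_code, execution, client_id and tab_id. All values are made up.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="kc-form-login" onsubmit="login.disabled = true; return true;"
      action="https://sso.example.test/auth/realms/test/login-actions/authenticate?session_code=SAMPLE_SESSION_CODE&amp;execution=11111111-2222-3333-4444-555555555555&amp;client_id=my-react-client&amp;tab_id=SAMPLETAB"
      method="post">
  <input id="username" name="username" type="text" autofocus />
  <input id="password" name="password" type="password" />
  <input type="hidden" id="id-hidden-input" name="credentialId" />
  <input name="login" id="kc-login" type="submit" value="Sign In" />
</form>
</body></html>
"""

REQUIRED_PARAMS = ("session_code", "execution", "client_id", "tab_id")


class _LoginFormParser(HTMLParser):
    """Pull the action URL and hidden inputs out of the kc-form-login form."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden_fields = {}
        self._inside = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("id") == "kc-form-login":
            self.action = a.get("action")  # html.parser unescapes &amp; for us
            self._inside = True
        elif tag == "input" and self._inside and a.get("type") == "hidden":
            self.hidden_fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._inside = False


def extract_login_action(page: str):
    """Return (action_url, hidden_fields) or raise if the form is not there."""
    parser = _LoginFormParser()
    parser.feed(page)
    if parser.action is None:
        raise ValueError("kc-form-login not found: error page, redirect, or custom theme?")
    return parser.action, parser.hidden_fields


def correlate(action_url: str) -> dict:
    """Split out the per-request parameters and fail loudly if one is missing."""
    query = parse_qs(urlsplit(action_url).query, strict_parsing=True)
    missing = [k for k in REQUIRED_PARAMS if k not in query]
    if missing:
        raise ValueError(f"login action lacks {missing}")
    return {k: query[k][0] for k in REQUIRED_PARAMS}


def build_login_post(action_url: str, username: str, password: str, hidden_fields: dict):
    """The POST the next HTTP Request sampler should send (URL, form body)."""
    form = dict(hidden_fields)
    form.update({"username": username, "password": password})
    return action_url, urlencode(form)


# The same extraction as a JMeter Regular Expression Extractor (template $1$)
# applied to the login page response; html.unescape mirrors what the browser does.
LOGIN_ACTION_RE = re.compile(r'id="kc-form-login"[^>]*\baction="([^"]+)"')


def extract_login_action_regex(page: str):
    match = LOGIN_ACTION_RE.search(page)
    return html.unescape(match.group(1)) if match else None


if __name__ == "__main__":
    action, hidden = extract_login_action(SAMPLE_LOGIN_PAGE)
    print(correlate(action))
    print(build_login_post(action, "testuser", "CONSTRUCTED_PASSWORD", hidden))
```

In JMeter terms this is a GET of the login page, a Regular Expression Extractor (or a CSS Selector Extractor on `#kc-form-login` with attribute `action`) storing the URL in a variable, and an HTTP Request sampler that POSTs the form to `${loginAction}`. The extraction has to run on every iteration because `session_code` is single-use, and an HTTP Cookie Manager must be enabled, since Keycloak binds the code to the authentication-session cookie it sets together with the login page.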

Related

How to perform Load / Performance testing on website which using Okta Authentication?

Am I able to use JMeter for this test, or will it give me an error?
Has anyone done this kind of test with another tool?
I have done some tests but never used it, and I don't know how to use it if the website has Okta Authentication.
Okta might have many faces and as long as your website doesn't use Okta's MFA it should be possible to authenticate/authorize using JMeter.
As per Okta documentation:
There are two main types of authentication that you can perform with Okta:
The OpenID Connect (OIDC) protocol is built on the OAuth 2.0 protocol and helps authenticate users and convey information about them. It's also more opinionated than plain OAuth 2.0, for example in its scope definitions.
The OAuth 2.0 protocol controls authorization to access a protected resource, like your web app, native app, or API service.
In both cases it's a matter of proper correlation, i.e. see OpenID Connect - How to Load Test with JMeter for example challenge and solution.

How to send Google token via different header instead of Authorization - Cloud Run

If I deploy my service in Cloud Run as no-allow-unauthenticated, I can add a user with the Cloud Run Invoker role to secure the API. Then the user can log in to gcloud and set the token in the Authorization header to access the service.
My question here is, can I send the Google authorization token via a different header instead of Authorization?
The reason why I am using the Google token is to protect the staging (development) env so that only the dev team can access it. My Spring Boot app doesn't need any protection under the Google platform as it has its own OAuth mechanism; the Authorization header is being used by Spring Boot.
Thanks
After a lot of time spent, I decided to configure Spring Boot to deal with another Authorization header name. I left Authorization for GCP.

How to call a protected resource on behalf of a specific user using OAuth2 and JWT token in Spring?

So we have an authentication server where the UI application gets the access token and then communicates with the API server; it's all good. Now we are building a third application which needs SSO to authenticate the same user, and that is fine too.
However, there are scenarios where this third application needs to use some resources on the API server which, from my understanding, means we need to get a token from the auth server using client-id/secret and then send the request with the access token. This seems ok too, however I am not sure how the API server is going to authorise that token (a hint on this would be great).
But the main problem is we want this request to be sent on behalf of the user. This is because API server needs to audit all user's activities. How can we achieve this using Spring Boot/OAuth2 and JWT Token?
I went through documentation and I know about #EnableOauth2Sso #EnableAuthorisationServer etc. but this scenario is not clear and I'm not even sure it's been implemented in Spring or not.
If there is no implementation for this scenario, what do you recommend? Any experience you have had on this, can you please share?
Your API server plays the role of a Resource Server. There is an annotation designed for that purpose: #EnableResourceServer. Your client app then will consume this resource using the handy OAuth2RestTemplate.
There are two approaches to properly configure the Resource Server and get this working:
Have the public key directly in your resource server app: this way when the client app tries to use a token provided by the authorization server to get a resource from the Resource Server, the Resource Server will verify by itself whether the token is valid.
Configure the resource server to ask the authorization server if a given access token is valid and, depending on the response, it will allow or decline access to the resource.
I have posted a sample app on github using the first approach. There you can see the interaction between the Authorization Server, the Client and the Resource Server, as well as all the configurations you need for this implementation. Hope it helps you.

JMeter authentication error : 401

Currently I am having a problem logging in to my application using JMeter scripts for SSO login. It shows unauthorized, but all the credentials that I provided to log in to the application are okay.
It was working earlier.
I have already implemented each and everything required to run JMeter against my application earlier.
Currently I am stuck at this point. If anyone has an idea, it would be so nice to have that idea/help.
Check if it is NTLM authentication; then you need to provide Mechanism as "Basic Digest" and, if there is any domain, mention it in Realm as "{domainname}\".
Most probably this is due to irrelevant configuration of the HTTP Authorization Manager
Looking into WWW-Authenticate Negotiate, it seems application you are testing is using NTLM or Kerberos authentication so you need to properly configure JMeter in order to be able to bypass it.
See Windows Authentication with Apache JMeter article for more detailed explanation and example configurations for NTLM and Kerberos.

Transformation of token received from OpenID server

I currently have a distributed system containing an OpenID Connect server (IdentityServer3) acting as SSO server. The clients using the SSO server are AngularJS SPAs with WebAPI v2 backends.
I got the basic login flow working, but I need some help with configuring the WebAPI/OWIN pipeline to allow transformation of the received token claims, i.e. removing unnecessary claims and adding local claims. I'm assuming I need to create a local JWT instead of using the JWT received from the SSO server.
The question is, what is the best way of doing this? Are there OWIN middlewares that can help with this, or do I need to "manually" generate a new locally signed JWT from the claims received from the SSO server?
Current implementation details:
1. The AngularJS SPA authenticates against the SSO server using authorization code flow and receives the authorization code.
2. The SPA posts the authorization code to the WebAPI.
3. WebAPI receives the authorization code and requests an AccessToken/JWT from the SSO server using the OAuth2Client class (part of Thinktecture.IdentityModel.Clients). This AccessToken is returned to the SPA to use in any further requests done to the WebAPI.
So my question mostly relates to step 3. How do I best change my current flow to generate a token also containing the local claims?
Also, what kind of authentication middleware should be used with your proposed solution (JwtBearerAuthentication, OpenIdConnectAuthentication or OAuthBearerAuthentication)?
Apologies for my probably confused terminology usage, I'm a beginner regarding OAuth and especially the OWIN pipeline. :)
Your WebApi should use BearerTokenAuthentication.
To get access token (access_token) and claims (id_token) in single call you need to set response type as ResponseType="token id_token"
You can check out various ready-to-run samples at IdentityServer3 Samples. Specifically check out the implicit flow sample.
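The "manually generate a new locally signed JWT" option raised in the question, as an added example that is not part of the question, the answer, or IdentityServer3/OWIN: it shows step 3 of the flow exchanging the SSO-issued token for a local one. The upstream token is verified first (signature with a pinned algorithm, expiry, issuer, audience), upstream-only claims are dropped, the local issuer, a short lifetime, local roles and a provenance claim are added, and the result is signed with a key the SSO server never sees. Keys, issuers, claim names and the upstream-only list are constructed for the example, and HS256 is used so it runs on the standard library alone; real IdentityServer3 tokens are RS256-signed and would be verified against the server's published public key instead of a shared secret.

```python
"""Exchanging an SSO-issued JWT for a locally signed JWT with transformed claims."""
import base64
import hashlib
import hmac
import json

# Constructed keys and identifiers for the example. Real IdentityServer3 tokens are
# RS256-signed and verified with the server's public key; HS256 keeps this stdlib-only.
SSO_KEY = b"constructed-sso-shared-secret"
LOCAL_KEY = b"constructed-webapi-local-secret"
SSO_ISSUER = "https://sso.example.test/identity"
API_AUDIENCE = "webapi"
LOCAL_ISSUER = "https://api.example.test"

# Claims the WebAPI does not need downstream (assumed list; tune per application).
UPSTREAM_ONLY_CLAIMS = {"nonce", "at_hash", "c_hash", "auth_time", "amr", "idp", "nbf"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialise claims as a compact HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{parts[0]}.{parts[1]}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Check signature (pinned alg), expiry, issuer and audience; return the claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    return claims


def transform_claims(sso_claims: dict, local_roles: list, now: float, lifetime: int = 900) -> dict:
    """Drop upstream-only claims, re-issue under the local issuer, add local claims."""
    local = {k: v for k, v in sso_claims.items() if k not in UPSTREAM_ONLY_CLAIMS}
    local.update({
        "iss": LOCAL_ISSUER,
        "aud": API_AUDIENCE,
        "iat": int(now),
        "exp": int(now) + lifetime,  # short local lifetime, independent of the SSO token
        "upstream_iss": sso_claims["iss"],  # keep provenance for auditing
        "roles": local_roles,
    })
    return local


def exchange_token(sso_token: str, local_roles: list, now: float) -> str:
    """Step 3 of the flow: validate the SSO token, then mint the local one."""
    sso_claims = verify_jwt(sso_token, SSO_KEY, SSO_ISSUER, API_AUDIENCE, now)
    return sign_jwt(transform_claims(sso_claims, local_roles, now), LOCAL_KEY)


# Constructed SSO token, standing in for what OAuth2Client would return to the WebAPI.
NOW = 1_700_000_000.0
SSO_TOKEN = sign_jwt({
    "iss": SSO_ISSUER, "aud": API_AUDIENCE, "sub": "user-42", "email": "user@example.test",
    "nonce": "constructed-nonce", "amr": ["password"], "idp": "idsrv", "auth_time": int(NOW) - 5,
    "iat": int(NOW), "exp": int(NOW) + 3600,
}, SSO_KEY)

if __name__ == "__main__":
    local_token = exchange_token(SSO_TOKEN, ["api.reader"], NOW)
    print(json.dumps(verify_jwt(local_token, LOCAL_KEY, LOCAL_ISSUER, API_AUDIENCE, NOW), indent=2))
```

With this split the WebAPI's bearer middleware only ever needs the local key and local issuer, the SSO key (or public key) is used in exactly one place, and the `upstream_iss` claim records where the subject came from; the local lifetime is deliberately shorter than the SSO token's so a revoked SSO session stops being honoured within minutes rather than hours.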
