JMeter login and authentication sampler - jmeter

Could anyone please help me test the login / authentication with the following scenario?
A user accesses the site "siteA.com" home page. On that page, there is a button "login with oauth".
Upon clicking the "login with oauth" button, "siteA.com" redirects to "siteB.com", where the user is able to key in a username and password and sign in. It authenticates (OAuth) the user and returns back to "siteA.com".
siteA.com will send the client id and callback URL when it redirects to siteB.com.
How do I achieve this using JMeter?
Thanks in advance

OAuth is basically a way of getting a token. If you're load-testing an OAuth-enabled application you need to do the following:
1. Request a temporary access token
2. Authorize the access token
3. Exchange the temporary access token for something permanent
You can do the steps above manually, capture the permanent access token via a sniffer and add it to your requests as a separate HTTP Request parameter. If you have a limited number of user logins to reuse in the test it may do the trick for you.
However, if you need to test the end-to-end flow, which assumes obtaining the token via JMeter, you need to consider the OAuth Sampler Plugin.
So basically you need to do one of the following:
1. Manual 3-step OAuth login and token capture, followed by adding the token as a parameter of the HTTP Requests for each virtual user
2. Automated OAuth login process by means of the JMeter OAuth sampler
If you have a limited number of logins/users, option 1 may be better.
P.S. There is also an option for advanced JMeter users and/or Java developers to add OAuth Java client libraries to the JMeter lib/ext folder and use Beanshell Samplers to authenticate with OAuth. It's also likely that you'll have to use Selenium with JMeter to navigate to the OAuth callback page and confirm the authorized login from there.

Related

How to login to liferay website using JMeter

I am facing a problem: I am unable to log in to the Liferay website using JMeter.
I already know the problem but don't know how to handle it.
I found out that the "p_auth" token is required to access the sub pages, but here I am facing an issue in which I am not even able to access the login page itself if I run the script a second time.
My concerns:
how to check the "p_auth" token parameter for the login page (i.e. without login)
Please help me solve the problem.
Note: I tried to extract the "p_auth" token, but I am unable to see any "p_auth" token for the login page itself (i.e. without login, just the login page (GET API)).
Your test plan needs to look like:
1. Open Login Page - HTTP GET request
2. Extract the p_auth dynamic parameter value using a suitable JMeter Post-Processor
3. Perform the login - HTTP POST request where you need to provide your credentials and the p_auth token value from the previous request
You won't be able to "see" the token in the page; it's hidden in the page source, so you will need to use the browser developer tools or JMeter's View Results Tree listener in order to "see" the token value.
Also don't forget to add an HTTP Cookie Manager to your test plan, as a missing CSRF token is not the only thing which can stop you from logging in.

How to do performance testing of OTP authentication in JMeter

We have an application that has Okta authentication. So after we enter our credentials, an OTP is sent to our Gmail address and we have to give that OTP to log in. How do I record these steps in JMeter, or how do I do a performance test of this kind of application?
You can get the email sent to the Gmail account via JMeter's Mail Reader Sampler; the setup would be something like:
Once done you can fetch the OTP from the email body using a suitable Post-Processor like the Regular Expression Extractor or Boundary Extractor.
More information: Load Testing Your Email Server: How to Send and Receive E-mails with JMeter
You may also need to enable access for less secure apps on your Google Mail account.
Actually, when I debugged the application and checked the console, I found that the OTP UI is just a wrapper above a token service. So what I did was replace the Okta authentication samplers from the recording with that token service. I kept all the remaining samplers intact, extracted the token from the token service and passed it on to the Header Manager of the remaining samplers. This was accepted by our team too. But if we really have to do a performance test on the Okta authentication, we can still ask the dev to create an OTP that wouldn't expire for another 24 hours or so, so that we can use that and load test the authentication samplers too.
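The two answers above (the Liferay p_auth answer and the OTP answer) both come down to the same mechanic: fetch a response, pull a dynamic value out of it with a Post-Processor, and feed that value into the next request. The following Python script is an added illustration that is not from any of the posts or from JMeter; it reproduces the behaviour of JMeter's Regular Expression Extractor and Boundary Extractor (nth match, named group, default value on failure) over a constructed login page and a constructed OTP email, and shows how a failed extraction should surface rather than silently sending an empty token. The HTML, the email body and the `/c/portal/login` form action are all invented sample data.

```python
import re

# Constructed sample login page (not a real Liferay response). The p_auth value
# lives in a hidden input, which is why it is not visible in the rendered page
# and only shows up in the page source / View Results Tree.
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/c/portal/login" method="post">
  <input type="hidden" name="p_auth" value="a1b2c3d4" />
  <input name="login" /><input name="password" type="password" />
  <button type="submit">Sign In</button>
</form></body></html>"""

# Constructed sample OTP email body, as the Mail Reader Sampler would return it.
SAMPLE_OTP_MAIL = """Hello,
Your verification code is: 482913
This code expires in 10 minutes."""


def regex_extract(body, pattern, group=1, match_no=1, default=None):
    """Mirror the Regular Expression Extractor: return `group` of the
    `match_no`-th match (1-based), or `default` when there is no such match."""
    matches = list(re.finditer(pattern, body))
    if match_no < 1 or match_no > len(matches):
        return default
    return matches[match_no - 1].group(group)


def boundary_extract(body, left, right, match_no=1, default=None):
    """Mirror the Boundary Extractor: text between `left` and `right`,
    `match_no`-th occurrence (1-based), or `default` when absent."""
    results = []
    pos = 0
    while True:
        start = body.find(left, pos)
        if start == -1:
            break
        start += len(left)
        end = body.find(right, start)
        if end == -1:
            break
        results.append(body[start:end])
        pos = end + len(right)
    if match_no < 1 or match_no > len(results):
        return default
    return results[match_no - 1]


def extract_p_auth(html):
    """Step 2 of the Liferay answer: the CSRF token from the hidden field.
    The same pattern works in JMeter's Regular Expression Extractor."""
    return regex_extract(html, r'name="p_auth"\s+value="([^"]+)"')


def extract_otp(mail_body):
    """The OTP answer: a six-digit code pulled out by boundaries."""
    return boundary_extract(mail_body, "code is: ", "\n")


def build_login_post(html, user, password):
    """Step 3 of the Liferay answer: the POST body for the login request.
    A missing token is an error, not an empty parameter; an empty p_auth is
    exactly what makes the second run fail with no obvious cause."""
    token = extract_p_auth(html)
    if token is None:
        raise ValueError("p_auth not found in login page; "
                         "inspect the GET response in View Results Tree")
    return {"p_auth": token, "login": user, "password": password}


if __name__ == "__main__":
    print("p_auth:", extract_p_auth(SAMPLE_LOGIN_PAGE))
    print("otp   :", extract_otp(SAMPLE_OTP_MAIL))
    print("post  :", build_login_post(SAMPLE_LOGIN_PAGE, "test@example.com", "secret"))
```

In JMeter the equivalent is a Regular Expression Extractor with the pattern above, template `$1$` and a non-empty Default Value such as `P_AUTH_NOT_FOUND`, so that a broken extraction is visible in the next sampler's request instead of being sent as an empty string.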

My application uses Google as the medium to sign in. I am trying to do the same via a JMeter script but I am unable to do so.

The URL I am hitting for sign in is:
https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=314687257509-dfk13dhtelq4o1ti0li7af1akie3ieqm.apps.googleusercontent.com&as=H_7I4EsREAQ2c6c8EejwOw&destination=http%3A%2F%2Fmetacampus-in.appspot.com&approval_state=!ChRUMEJ4bVhFcm5Sb0JxaHgwb1F3bBIfOC1uZGhOTGc1bmdSOEhuU1JuY2dubXJlQXdHdVRCWQ%E2%88%99ANKMe1QAAAAAW1gSB4OWT70lnDr525s7wW0mFo0q0uZ6&oauthgdpr=1&xsrfsig=AHgIfE_kc7fWgnNfGE6nCQu1hzZAma2qcQ&flowName=GeneralOAuthFlow
In order to be able to proceed you need to add a proper Authorization Bearer token via the HTTP Header Manager.
There are several ways to obtain the token:
1. Perform the login via a real web browser using e.g. the WebDriver Sampler and extract the token value from the browser
2. Obtain the token from the developer console
3. Use the Google OAuth Client Library from a JSR223 Sampler to perform a programmatic OAuth login.
See the How to Run Performance Tests on OAuth Secured Apps with JMeter article for more information on each of the approaches.

Yammer Rest API > Authentication based on server side script (php) without user interaction

My project has the requirement to access Yammer data using the given REST API from a server-side script (mainly PHP), without involving a client-side login using Yammer's OAuth dialog.
I have gone through this document:
https://developer.yammer.com/docs/oauth-2
but this says that user interaction is required.
What I want to know is whether I can generate a client_id and client_secret and then generate an access token to make API calls, while in all of these processes only using the authenticated user's username and password in my server-side script.
Can anyone suggest a solution, or is a client-side interaction required by design?
Thanks in advance!!
You have to have a user authorize the application at least once. This is just the nature of the OAuth implementation and you can't work around it. Having users go through the OAuth flow is considered a best practice.
If you have an OAuth token for a verified admin of Yammer, you can use impersonation to get tokens for end users without them interacting with the OAuth flow.
The steps below, from a Microsoft blog, might help you; the source is added at the end of the answer.
1. Obtain a Verified Admin token for your application in one of the following 2 ways:
   a. Create the app with a Verified Admin account and then, in the app’s Basic Info page, click “Generate a developer token for this application.” Note that you’ll need to use this app’s info in the JS SDK and any subsequent calls.
   b. Use the process outlined at https://developer.yammer.com/docs/test-token with a Verified Admin account to get an OAuth token for that VA account. Note that you must use the app info used to generate this token in all future steps.
2. Obtain the current user’s email address in the server-side script.
3. Using the VA token obtained in step 1 to authenticate, pass the user’s email address to our Get User by Email Address endpoint documented at https://developer.yammer.com/docs/usersby_emailjsonemailuserdomaincom, and then process the response:
   a. If the call to the API endpoint returns a 200 OK response, first check the “state” field to make sure the user is “active” and, if so, store the “id” field that’s returned and go to step 4.
   b. If the call returns a 404 or a state other than “active,” direct the user to finish creating and activating their account however you like.
4. Once you have the user’s ID, you can pass it to our Impersonation endpoint to obtain a pre-authorized OAuth token for that user. This endpoint is documented at https://developer.yammer.com/docs/impersonation and must use the VA token obtained in step 1 to authorize the call, and the consumer_key of your JS SDK app.
5. You now have an OAuth token for the current user. When generating the code being passed to the browser, have the client-side JS SDK code first call yam.platform.getLoginStatus and, if there’s no active session and you have a token from step 4, pass that token to yam.platform.setAuthToken($tokenFromStep4, optional_callback_function_if_desired(response)). If you don’t have a valid token, direct the user to finish setting up their Yammer account.
6. Continue making JS SDK calls as you normally would, without needing the user to authenticate.
Source: https://blogs.technet.microsoft.com/askyammer/2016/11/04/preauthorizing-the-yammer-js-sdk/

JMeter: Can't sign in to the app that uses Google Auth

I want to create a test in JMeter for a web app that uses Google Auth as its login.
So basically the user sees the app login button on the login page, clicks it --> navigates to the Google login page where he should enter an email and a password and click the Sign In button.
I am stuck on the "Sign In" step, which is the following POST request:
https://accounts.google.com/ServiceLoginAuth
All parameters are easy to extract except for "bgresponse".
When the user navigates to the Google sign-in page, the bgresponse value is js_disabled, which is not the default and cannot be used for the POST request.
It is set to a real value when the user hits the Sign In button.
Thus, I can't extract the correct bgresponse value with a post-processor on the request that leads to the Google sign-in page.
Any ideas how I can sign in to Google via JMeter?
Please help.
TIA
Anna
Google supports OAuth 2.0:
https://developers.google.com/accounts/
so I think you can expand your question to JMeter and OAuth 2.0.
Here are a few resources:
https://malalanayake.wordpress.com/tag/oauth-2-0/
how to config apache jmeter 2.6 oauth 2.0
I think that you can use the WebDriver Sampler available via plugin (you'll need the WebDriver Set). This extension allows Selenium tests to be executed from JMeter, so you can launch a real browser to perform the Google authentication and obtain the permanent OAuth token from the callback page.
You won't be able to do any performance testing with the WebDriver Sampler (don't attempt to use it with more than 1 thread), but it'll be quite enough for a successful OAuth 3-step process.