3 minutes read
Performance Testing of OAuth 2.0 Secured APIs using JMeter

Running performance tests for API endpoints that are protected / secured using OAuth 2.0

Here at LoadFocus we provide an easy way of running your custom JMeter scripts from the cloud from various locations and with more than 20.000 users in parallel against non-secured and secured APIs.

We’ve added an easy way to run load tests and Apache JMeter load tests using OAuth 2.0 directly from the UI, check here for more details.

For running load/performance tests against OAuth 2.0 secured APIs we will need to use the configuration described below.

Make sure you add all items in order, check more details on order of execution in JMeter.

  • Create HTTP request that will make the request for retrieving the OAuth token
    • the important part is to make this request only once before load testing the secured API endpoints;
    • for the request we will need to have the following information:
      • client id
      • client secret
      • grant type

  • Add a JSON extractor (there is another option of using a Regular Expression Extractor but will not cover that in this article) that will retrieve the token and set is as a JMeter b
    • change the JSON path expression to match the json returned by your login/identity API
    • the name of the variable can be left as it is (if changed this needs to match the name in the BeanShell PostProcessor below)
JSON extractor
  • Next we will add a BeanShell PostProcessor
    • that will take the variable from the JSON extractor and set it as a JMeter property
    • by doing it this way we can access the property in the the call to our secured API that can still live inside a different Thread Group
BeanShell PostProcessor
  • Next we will add a new Thread Group that will contain our actual load/performance test against our secured API
    • In the thread group we will add a Header Manager that will use the token from the first Thread Group to as a header
    • We will also add our call to the secured API as in the images below
Thread Group for Load Test
New HTTP Request for for Load Test

Using the above configuration for your JMeter scripts you can easily test APIs that are secured using OAuth 2.0.


This is how you can test OAuth 2.0 secured APIs using JMeter, hope this helps.

Written by Chris L.

LoadFocus is a cloud testing platform, a load and stress testing tool which provides the infrastructure to run tests with thousands of concurrent users, from multiple cloud locations, in less than a few minutes, keep history of the results, compare different runs to inspect performance improvements or performance degradation. It also supports running JMeter load tests from the cloud and monitoring and audit web and mobile performance.

How fast is your website? Free Website Speed Test