{"id":2291,"date":"2022-01-03T08:29:45","date_gmt":"2022-01-03T08:29:45","guid":{"rendered":"https:\/\/loadfocus.com\/blog\/?p=2291"},"modified":"2024-06-20T11:00:28","modified_gmt":"2024-06-20T11:00:28","slug":"how-to-test-oauth-secured-apis-apps-using-jmeter","status":"publish","type":"post","link":"https:\/\/loadfocus.com\/blog\/2022\/01\/how-to-test-oauth-secured-apis-apps-using-jmeter","title":{"rendered":"How to Test OAuth Secured APIs and Apps using JMeter"},"content":{"rendered":"<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter size-thumbnail\"><img loading=\"lazy\" width=\"378\" height=\"400\" src=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/oauth_2_0_flow-378x400.png\" alt=\"\" class=\"wp-image-2294\" srcset=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/oauth_2_0_flow-378x400.png 378w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/oauth_2_0_flow-567x600.png 567w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/oauth_2_0_flow-967x1024.png 967w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/oauth_2_0_flow-768x813.png 768w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/oauth_2_0_flow.png 992w\" sizes=\"(max-width: 378px) 100vw, 378px\" \/><figcaption>Performance Testing of OAuth 2.0 Secured APIs using JMeter<\/figcaption><\/figure><\/div>\n\n\n\n<h3>Introduction<\/h3>\n\n\n\n<p class=\"lead\">Hey there! If you&#8217;re working with APIs, especially those locked down with OAuth 2.0, you probably know how crucial it is to ensure they perform well under pressure. Imagine thousands of users hitting your API simultaneously \u2013 you want everything running smoothly, right? 
Well, that&#8217;s where load testing comes in, and today we&#8217;re diving into how you can do this using JMeter.<\/p>\n\n\n\n<h3>Why Load Testing OAuth Secured APIs Matters<\/h3>\n\n\n\n<p>First off, let&#8217;s talk about why this is important. Load testing helps you:<\/p>\n\n\n\n<ul><li><strong>Ensure Performance<\/strong>: Your API should handle high traffic without breaking a sweat.<\/li><li><strong>Validate Security<\/strong>: Make sure your OAuth security holds up under heavy use.<\/li><li><strong>Optimize User Experience<\/strong>: Identify and fix any performance hiccups to keep your users happy.<\/li><\/ul>\n\n\n\n<h3>Getting Started with LoadFocus<\/h3>\n\n\n\n<p>At LoadFocus, we\u2019ve made it super easy to run your custom JMeter scripts from the cloud. Whether your API is secured or not, you can simulate thousands of users from various locations worldwide. Here\u2019s how you can set up load tests for OAuth 2.0 secured APIs.<\/p>\n\n\n\n<h3>Step-by-Step Guide<\/h3>\n\n\n\n<h4>Step 1: Create an HTTP Request to Get the OAuth Token<\/h4>\n\n\n\n<p>First, you need an HTTP request in JMeter to fetch the OAuth token. This step is crucial because you\u2019ll use this token to access your secured API endpoints. 
<\/p>\n\n\n\n<p>Make sure you add all items in order; for more details, see the <a href=\"https:\/\/loadfocus.com\/blog\/2020\/12\/which-is-the-execution-order-of-elements-in-apache-jmeter\/\">order of execution in JMeter<\/a>.<\/p>\n\n\n\n<p>Here\u2019s what you need:<\/p>\n\n\n\n<ul><li><strong>Client ID<\/strong><\/li><li><strong>Client Secret<\/strong><\/li><li><strong>Grant Type<\/strong><\/li><\/ul>\n\n\n\n<p>Here&#8217;s a quick example:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2-1280x800.png\" alt=\"\" class=\"wp-image-2469\" width=\"640\" height=\"400\" srcset=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2-1280x800.png 1280w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2-800x500.png 800w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2-600x375.png 600w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2-768x480.png 768w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2-1536x960.png 1536w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_toke_api_call-2048x1280-2.png 2048w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><figcaption>HTTP Request to Get the OAuth Token in JMeter<\/figcaption><\/figure><\/div>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>POST \/oauth\/token HTTP\/1.1\nHost: your-auth-server.com\nContent-Type: application\/x-www-form-urlencoded\n\nclient_id=your_client_id&amp;client_secret=your_client_secret&amp;grant_type=client_credentials<\/code><\/pre>\n\n\n\n<p>This request should only run once before your actual load testing starts. 
It fetches the token you&#8217;ll need for the secured API calls.<\/p>\n\n\n\n<h4>Step 2: Extract the Token Using JSON Extractor<\/h4>\n\n\n\n<p>Once you have the token, you need to extract it from the response. This is where the JSON Extractor comes in handy. Add a JSON Extractor to your JMeter test plan:<\/p>\n\n\n\n<ol><li><strong>Add JSON Extractor<\/strong>: Right-click on the HTTP Request sampler and select <code>Add &gt; Post Processors &gt; JSON Extractor<\/code>.<\/li><li><strong>Configure JSON Extractor<\/strong>: Set the JSON path to match the structure of your response. For example, if your token is returned as <code>{\"access_token\":\"your_token\"}<\/code>, set the JSON path as <code>$.access_token<\/code>.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-1280x797.png\" alt=\"\" class=\"wp-image-2326\" width=\"672\" height=\"418\" srcset=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-1280x797.png 1280w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-800x498.png 800w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-600x373.png 600w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-768x478.png 768w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-1536x956.png 1536w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_json_extractor-2048x1274.png 2048w\" sizes=\"(max-width: 672px) 100vw, 672px\" \/><figcaption><strong>JSON extractor<\/strong> in Apache JMeter<\/figcaption><\/figure>\n\n\n\n<h4>Step 3: Set the Token as a JMeter Property<\/h4>\n\n\n\n<p>Now that you have the token, you need to make it available throughout your test plan. 
Use a BeanShell PostProcessor to set the token as a JMeter property:<\/p>\n\n\n\n<ol><li><strong>Add BeanShell PostProcessor<\/strong>: Right-click on the HTTP Request sampler and select <code>Add &gt; Post Processors &gt; BeanShell PostProcessor<\/code>.<\/li><li><strong>Script to Set Property<\/strong>: <code>String token = vars.get(\"access_token\"); props.put(\"authToken\", token);<\/code><\/li><\/ol>\n\n\n\n<p>This script reads the extracted token from the JMeter variable <code>access_token<\/code> (the variable name configured in the JSON Extractor must match) and stores it as a JMeter property named <code>authToken<\/code>. Unlike variables, which are local to a single thread, properties are shared across all threads and Thread Groups, so you can use the token in other parts of your test.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-1280x800.png\" alt=\"\" class=\"wp-image-2328\" width=\"705\" height=\"440\" srcset=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-1280x800.png 1280w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-800x500.png 800w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-600x375.png 600w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-768x480.png 768w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-1536x960.png 1536w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_token_bean_post_processor-2048x1279.png 2048w\" sizes=\"(max-width: 705px) 100vw, 705px\" \/><figcaption><strong>BeanShell PostProcessor<\/strong> for Auth Token<\/figcaption><\/figure><\/div>\n\n\n\n<h4>Step 4: Create a New Thread Group for the Load Test<\/h4>\n\n\n\n<p>With the token set up, it\u2019s time to configure the load test. 
Create a new Thread Group that will handle the actual load testing of your secured API.<\/p>\n\n\n\n<ol><li><strong>Add New Thread Group<\/strong>: Right-click on Test Plan and select <code>Add &gt; Threads (Users) &gt; Thread Group<\/code>.<\/li><li><strong>Configure Thread Group<\/strong>: Set the number of threads (users), ramp-up period, and loop count as per your load testing needs.<\/li><\/ol>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-1280x798.png\" alt=\"\" class=\"wp-image-2331\" width=\"694\" height=\"432\" srcset=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-1280x798.png 1280w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-800x499.png 800w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-600x374.png 600w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-768x479.png 768w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-1536x958.png 1536w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call_http_header_manager-1-2048x1278.png 2048w\" sizes=\"(max-width: 694px) 100vw, 694px\" \/><figcaption><strong>Thread Group<\/strong> for Load Test using the Auth Token<\/figcaption><\/figure><\/div>\n\n\n\n<h4>Step 5: Add a Header Manager to Include the OAuth Token<\/h4>\n\n\n\n<p>You need to pass the OAuth token in the header for every API request. 
Add a Header Manager to your Thread Group:<\/p>\n\n\n\n<ol><li><strong>Add Header Manager<\/strong>: Right-click on the Thread Group and select <code>Add &gt; Config Element &gt; HTTP Header Manager<\/code>.<\/li><li><strong>Configure Header Manager<\/strong>: Add a new header with the name <code>Authorization<\/code> and value <code>Bearer ${__property(authToken)}<\/code>.<\/li><\/ol>\n\n\n\n<h4>Step 6: Add HTTP Request Sampler for the Secured API<\/h4>\n\n\n\n<p>Finally, add an HTTP Request sampler to perform the actual API requests:<\/p>\n\n\n\n<ol><li><strong>Add HTTP Request Sampler<\/strong>: Right-click on the Thread Group and select <code>Add &gt; Sampler &gt; HTTP Request<\/code>.<\/li><li><strong>Configure HTTP Request<\/strong>: Set the method, URL, and other parameters for your secured API endpoint.<\/li><\/ol>\n\n\n\n<p>Here&#8217;s an example of how the HTTP Request might look:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-1280x800.png\" alt=\"\" class=\"wp-image-2329\" width=\"640\" height=\"400\" srcset=\"https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-1280x800.png 1280w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-800x500.png 800w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-600x375.png 600w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-768x480.png 768w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-1536x960.png 1536w, https:\/\/loadfocus.com\/blog\/wp-content\/uploads\/get_users_api_call-2048x1280.png 2048w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><figcaption>New HTTP Request to Get the OAuth Token for Load Test<\/figcaption><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>GET \/your-secured-endpoint HTTP\/1.1\nHost: your-api-server.com\nAuthorization: Bearer 
${__property(authToken)}\n<\/code><\/pre>\n\n\n\n<h3>Conclusion<\/h3>\n\n\n\n<p>Using this setup, you can effectively load test APIs secured with OAuth 2.0. By following these steps, you ensure your API can handle real-world traffic, all while maintaining top-notch security and performance. Plus, with LoadFocus, you can run these tests effortlessly from the cloud, scaling up to thousands of users from various locations.<\/p>\n\n\n\n<p>Whether you&#8217;re a business owner, a software engineer, or someone working in DevOps, mastering load testing for OAuth secured APIs ensures your application is robust, secure, and ready for anything. Happy testing!<\/p>\n\n\n\n<h3>A Note About LoadFocus<\/h3>\n\n\n\n<p>At LoadFocus, we\u2019re committed to making performance testing as easy and efficient as possible. Our platform allows you to run comprehensive load tests from the cloud, ensuring your website or application can handle high traffic and perform optimally under stress. Try LoadFocus today and see how effortless performance testing can be!<\/p>\n\n\n\n<p><em>Written by&nbsp;Chris L.<\/em><\/p>\n\n\n\n<p><em><a href=\"https:\/\/loadfocus.com\/\">LoadFocus<\/a>&nbsp;is a cloud testing platform,&nbsp;a&nbsp;<a href=\"https:\/\/loadfocus.com\/load-testing\" target=\"_blank\" rel=\"noreferrer noopener\">load and stress testing tool<\/a>&nbsp;which provides the infrastructure to run tests with thousands of concurrent users, from&nbsp;<a href=\"https:\/\/loadfocus.com\/locations\">multiple cloud locations<\/a>, in less than a few minutes, keep a history of the results, and compare different runs to inspect performance improvements or performance degradation.<\/em>&nbsp;<em>It also supports running&nbsp;<a href=\"https:\/\/loadfocus.com\/jmeter-load-testing\" target=\"_blank\" rel=\"noreferrer noopener\">JMeter load tests from the cloud<\/a><\/em>&nbsp;and&nbsp;<a href=\"https:\/\/loadfocus.com\/page-speed-monitoring\">monitoring and auditing web and mobile 
performance<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":2348,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,337,9,6,100,379,48],"tags":[377,378,376],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/posts\/2291"}],"collection":[{"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/comments?post=2291"}],"version-history":[{"count":3,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/posts\/2291\/revisions"}],"predecessor-version":[{"id":3020,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/posts\/2291\/revisions\/3020"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/media\/2348"}],"wp:attachment":[{"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/me
dia?parent=2291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/categories?post=2291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/loadfocus.com\/blog\/wp-json\/wp\/v2\/tags?post=2291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}