Access Token Issue in JMeter

Problem:

How do you handle the access token issue in JMeter?

How does access token work?

When one site accesses a secured site, the secured site requires an access token for validation and further communication. The following chain of events occurs for Site A to access User X’s information on Site B.

  1. Site A registers with Site B and obtains a Secret and an ID.
  2. When User X tells Site A to access Site B, User X is sent to Site B, where User X tells Site B that they would indeed like to give Site A permission to access specific information.
  3. Site B redirects User X back to Site A, along with an Access Code or Token.
  4. Site A then passes that Access Token along with its Secret back to Site B in return for a Security Token.
  5. Site A then makes requests to Site B on behalf of User X by bundling the Security Token along with requests.

Solution:

You can solve the access token issue in JMeter by following the steps below:

  1. When the Home (Login) page is launched, the server generates a unique code ID and execution ID. These IDs are sent back in the response to the first request (the homepage URL).
  2. These IDs need to be captured with two separate regular expressions.
  3. The next request contains the Username, Password, code ID and execution ID. This request is redirected to the authorization server (to get the access token).
  4. The redirected request carries the access token, which needs to be captured with another regular expression.
  5. Add a Regular Expression Extractor post-processor to the request referred to in point 3. Give it a reference name (say accessToken), set “Field to Check” to “URL” or “Response Header” (depending on the application) and write the regular expression access_token=([\S]+).
  6. Use this access token (generally passed in a request header) wherever it is required.
    e.g. Authorization: Bearer ${accessToken}.
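
The extraction in step 5 can be checked outside JMeter before a load run. The Python sketch below is an added example, not part of the original article: it replays the article's regular expression against a constructed redirect URL, where the greedy `[\S]+` also swallows the parameters that follow the token. The redirect URL, the bounded expression, the parsing helper and the header check are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed redirect, as it could appear in a Location header (sample data,
# not taken from the article).
LOCATION = ("https://site-a.example/callback#access_token=abc.DEF-123_xyz"
            "&token_type=Bearer&expires_in=120")

PAGE_REGEX = re.compile(r"access_token=([\S]+)")       # expression from step 5
BOUNDED_REGEX = re.compile(r"access_token=([^&\s]+)")  # assumed variant: stop at '&'


def extract(regex, text):
    """Return capture group 1, as a Regular Expression Extractor with $1$ would."""
    match = regex.search(text)
    return match.group(1) if match else None


def extract_by_parsing(url):
    """Read access_token from the fragment or query string without a regex."""
    parts = urlsplit(url)
    for component in (parts.fragment, parts.query):
        values = parse_qs(component).get("access_token")
        if values:
            return values[0]
    return None


def authorization_header(token):
    """Build the step 6 header, refusing values outside the RFC 6750 token syntax."""
    if token is None or not re.fullmatch(r"[A-Za-z0-9\-._~+/]+=*", token):
        raise ValueError("extracted value is not a valid bearer token")
    return "Authorization: Bearer " + token


if __name__ == "__main__":
    greedy = extract(PAGE_REGEX, LOCATION)
    print("page regex   :", greedy)  # includes &token_type=... from the URL
    print("bounded regex:", extract(BOUNDED_REGEX, LOCATION))
    print("url parsing  :", extract_by_parsing(LOCATION))
    try:
        authorization_header(greedy)
    except ValueError as err:
        print("rejected     :", err)
    print(authorization_header(extract(BOUNDED_REGEX, LOCATION)))
```

If the token is the last value in the checked field, both expressions return the same result; the difference only shows when other parameters follow it.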

6 Responses

  1. varun says:

    Hi gagan,
    Can you elaborate on this with an example, please?

    • PerfMatrix says:

      Hi Varun,

      The access token generation process takes place at the server end, so I cannot show it. If you want to know what the access token looks like, then refer to the example below:

      The original request should be like this:
      Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzMWVkZjVhNi1lZDI4LTQ1M2YtYjczZS03Y2FlYzk5ZmI4MDIiLCJleHAiOjE0NzI2NzEzNTksIm5iZiI6MCwiaWF0IjoxNDcyNjE3MzU5LCJpc3MiOiJodHRwOi8vaWRlbnRpdHktcHJvdmlkZXItY2xvdWQtY2F0YWxvZy1xYS5kZW1vLXNhYXMtY2xvdWQub3BlbnNoaWZ0LnNkbnRlc3QubmV0Y3JhY2tlci5jb20vYXV0aC9yZWFsbXMvQ2xvdWQiLCJhdWQiOiJmcm9udGVuZCIsInN1YiI6ImMyNTY0ODNkLWU0N2ItNDExZi04M2VmLTVjZWI2ZWExYjYzNCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImZyb250ZW5kIiwic2Vzc2lvbl9zdGF0ZSI6IjNhNTk1NDM4LWY1YjQtNGNkOS1iMzc5LTEzYjZiMmQxMGNkMCIsImNsaWVudF9zZXNzaW9uIjoiYzgyODU5OTgtYWY2MC00ZWJiLThiMjEtZTMxNzllOTIwYjYzIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly8qIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJST0xFX1BST0RVQ1QtTUFOQUdFUiIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJwcm9kdWN0LW1hbmFnZXIiLCJ0ZW5hbnQtaWQiOiJDbG91ZCJ9.e6186y7Ig1IZ88ibQPN267s2hT7nKrQ1nPZ5cDzIMWQ73FJBDCrTuE3BqR9V-rRs7VM8TokEGM6UN1dwKyHRkXfERH_tVmgtWAL-JjXpCvy9Pc-EPYhHgzY6KqLUr6YLd_tvLK2z1eNBCw9bHzdXhZjhbS9x1SiBBRb9tH7In0oLhWVDKBq0fdZcvCB3EnXOze6PgcpATRIua5t1sNbsXgdYFut366eLyiu4q0m3UbywJRL2A0-3_QVAmXibIJO-uTFQZLsbsV1Ox5fNI22NLUS0dblcfV8mt4YjgTALE_xzPvbzKtKQsCRrrZFngOlHe7RTNlc8TzlgDlkArBgcKA

  2. Balkishan Sharma says:

    Auth Cookie Expiry
    Logic to regenerate the cookie every 120 seconds needs to be implemented in the JMeter script in order to avoid failures.

    How can I do this in JMeter?

    • PerfMatrix says:

      Hi Balkishan,

      The better option is to capture the dynamic values in each iteration so that you need not worry about expiration.

  3. Rohan says:

    How do I pass an OAuth token dynamically in JMeter? Can you please provide steps or a blog or video? I need to create load testing with more than 100 concurrent users, so in this case how do I pass the token? Please guide me.

    • PerfMatrix says:

      Hi Rohan,

      The OAuth token is passed in the header of subsequent requests. You can refer to the last point of this article.

      For detailed information, please refer to the last step of the below article.
      Correlation in JMeter
