Access Token Issue in JMeter

Problem:

How to handle access token issues in JMeter?

How does an access token work?

When a secured site is accessed by another site, it requires an access token for validation and for further communication. The following chain of events occurs for Site A to access User X’s information on Site B.

  1. Site A registers with Site B and obtains a Secret and an ID.
  2. When User X tells Site A to access Site B, User X is sent to Site B, where he tells Site B that he would indeed like to give Site A permission to specific information.
  3. Site B redirects User X back to Site A, along with an Access Code or Token.
  4. Then Site A passes that Access Token along with its Secret back to Site B in return for a Security Token.
  5. Site A then makes requests to Site B on behalf of User X by bundling the Security Token along with requests.

Solution:

You can solve the Access Token issue in JMeter by following the steps below:

  1. While launching the Home (Login) page, the server generates a unique code ID and execution ID. These IDs are sent back in the response to the first request (the homepage URL).
  2. These IDs need to be captured with two separate Regular Expression Extractors.
  3. The next request contains the Username, Password, code ID and execution ID. This request is redirected to the authorization server (to get an access token).
  4. The redirected request carries the access token, which needs to be captured with another Regular Expression Extractor.
  5. Add a Regular Expression Extractor post-processor to the request referred to in point 3. Give it a reference name (say accessToken), select “Field to Check” as “URL” or “Response Header” (as per the application) and write the regular expression access_token=([\S]+).
  6. Use this access token (generally passed in the request header) wherever it is required,
    e.g. Authorization: Bearer ${accessToken}.
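As an added example (not code from the original post), the following Python script replays the extractor chain above over constructed sample responses, so the regular expressions can be checked offline before they go into the JMeter script; the field names, IDs, URL and token values are all invented. It also shows why access_token=([\S]+) over-captures when further URL parameters follow the token, and a narrower pattern that stops at the next parameter.

```python
import re

# Constructed sample login page (not captured from any real system).
LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="code" value="a1b2c3d4-0001">
  <input type="hidden" name="execution" value="e1s1">
  <input name="username"><input name="password">
</form></body></html>"""

# Constructed redirect target returned after the authorization server
# accepts the credentials (token_type and expires_in are assumed parameters).
REDIRECT_URL = ("https://app.example.test/callback"
                "#access_token=abc.def.ghi&token_type=Bearer&expires_in=120")

PAGE_REGEX = r"access_token=([\S]+)"     # pattern given in the post
SAFER_REGEX = r"access_token=([^&\s]+)"  # stops at the next URL parameter


def extract_login_ids(html: str) -> dict:
    """Steps 1-2: capture the code ID and execution ID from the login page."""
    code = re.search(r'name="code" value="([^"]+)"', html)
    execution = re.search(r'name="execution" value="([^"]+)"', html)
    if not (code and execution):
        raise ValueError("login page did not contain code/execution IDs")
    return {"code": code.group(1), "execution": execution.group(1)}


def extract_token(url: str, pattern: str) -> str:
    """Steps 4-5: capture the token from the redirected URL, as a Regular
    Expression Extractor with "Field to Check" = URL would. Returns a
    default value (like the extractor's Default Value) when nothing matches,
    so a missing token is visible in the results instead of an empty header."""
    match = re.search(pattern, url)
    return match.group(1) if match else "TOKEN_NOT_FOUND"


def bearer_header(token: str) -> dict:
    """Step 6: the Authorization header built from ${accessToken}."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    print("login IDs  :", extract_login_ids(LOGIN_PAGE))
    print("page regex :", extract_token(REDIRECT_URL, PAGE_REGEX))
    print("safer regex:", extract_token(REDIRECT_URL, SAFER_REGEX))
    print(bearer_header(extract_token(REDIRECT_URL, SAFER_REGEX)))
```

With the post's pattern the captured value is the token plus everything up to the end of the URL, which is why a request built from it is rejected with 401 even though the extractor reports a match.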

8 thoughts on “Access Token Issue in JMeter”

    • Hi Varun,

      Access token generation process takes place at the server end, so I can not show it. If you want to know how the access token looks like then refer to the below example:

      The original request should be like this:
      Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.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.e6186y7Ig1IZ88ibQPN267s2hT7nKrQ1nPZ5cDzIMWQ73FJBDCrTuE3BqR9V-rRs7VM8TokEGM6UN1dwKyHRkXfERH_tVmgtWAL-JjXpCvy9Pc-EPYhHgzY6KqLUr6YLd_tvLK2z1eNBCw9bHzdXhZjhbS9x1SiBBRb9tH7In0oLhWVDKBq0fdZcvCB3EnXOze6PgcpATRIua5t1sNbsXgdYFut366eLyiu4q0m3UbywJRL2A0-3_QVAmXibIJO-uTFQZLsbsV1Ox5fNI22NLUS0dblcfV8mt4YjgTALE_xzPvbzKtKQsCRrrZFngOlHe7RTNlc8TzlgDlkArBgcKA

  1. Auth Cookie Expiry
    Logic to regenerate the cookie every 120 seconds needs to be implemented in the JMeter script in order to avoid failures.

    How can I do this in JMeter?

    • Hi Balkishan,

      The better option is to capture the dynamic values in each iteration so that you need not worry about expiration.

  2. How to pass an OAuth token dynamically in JMeter? Can you please provide steps, a blog or a video? I need to create a load test with more than 100 concurrent users, so in this case how do I pass the token? Please guide me.

  3. Hi,
    Considering Rohan’s example of 100 concurrency.
    The actual named users created are 10, and the plan is to test with a concurrency of 100 for 30 min. As per the test plan, users will log in and log off at each iteration.
    What is happening: after around 15 iterations, the server responds with 401 Unauthorized. If we keep the concurrency at 10 for 10 named users, the test runs successfully; increasing the concurrency results in the test failing.
