I need to test HTTPS requests with OAuth 1.0 as the authentication method. I tried using the deprecated plugins with older versions, and the Blazemeter script for the same, but neither of them work. I just need to pass the Consumer Key and Secret and sign the HTTPS request with OAuth 1.0 using Jmeter. Can anyone help here please?
JMeter has never supported OAuth per se, so I would recommend using JSR223 PreProcessor in order to sign your request.
Check out How to Run Performance Tests on OAuth Secured Apps with JMeter article which has an example of bypassing OAuth 1.0 challenge using Groovy scripting and oauth-signpost library.
The approach is not guaranteed to work for all OAuth implementations as there could be many encryption options so you may need to modify the code according to your infrastructure.
I am trying to setup API calls for performance testing using Jmeter 3.0
As a prerequisite i need to create OAuth 2.0 token for authentication purposes.
So I am trying to setup the token generation mechanism in Jmeter itself.
Jmeter has OAuth sampler but it doesn't state whether it uses OAuth 2.0 or HMAC SHA256 algorithm .
Question is what is the best process for generating the token?
I have browsed Blazemeter blog but it talks about making use of Google API for generating the HMAC key.
How does one validate an OAuth 2.0 access token obtained from a WSO2 Identity Server?
More specifically, I am looking for a lightweight alternative that:
does not involve direct or indirect SOAP requests (such as using stubs to call an admin service).
has a small set of dependencies (in software libraries and/or required other middleware components).
I'm writing a VBA client which needs to post to GitHub. I'd prefer to use Oauth2 for authentication to keep it in line with implementations in other languages.
When specifying the redirect_uri some oauth2 providers allow you to specify an out of band uri .. specifically
urn:ietf:wg:oauth:2.0:oob
Since the VBA app is not web based, I can't specify a real redirect_uri. Does anyone know whether the GitHub API can support some form of out of band OAUTH2 authentication like this, and if so, how to specify it in the GitHub Application console.
i have several questions...
Does yahoo and microsoft api support
oAuth 2.0?
If yes then what are the main
security measures those should be
taken care of while shifting from
oAuth 1.0 to oAuth 2.0.
Google API supports oAuth 2.0. But
they have still marked it as an
experimental. Is it good to start
shifting even though it is
experimental?
I see while registering an
application on google (for oAuth
2.0), they ask for callback url. If a single application uses a
condition dependent callback url
such as -
if($myVar == NULL) $callbackUrl = 'http://www.mydomain.com/test.php?m=f¶ms=null'
else $callbackUrl = 'http://www.mydomain.com/test.php?m=x¶ms=1'
How can i implement above when the callback url is already specified? The above conditional mainly handles fallback model of an application or if browser supports java then java based model of an application. Kindly suggest
May i know how many of email
providing websites and social
networks supports oAuth 2.0?
Yahoo does not support OAuth2 yet, only Oauth 1.
Microsoft does support OAuth2. http://msdn.microsoft.com/en-us/library/hh243647.aspx
Oauth 2 is simpler since it uses SSL (HTTPS) to provide transport security, so the signatures and token-secrets are not needed. When you switch you will need to re-implement your OAuth flow. I can't think of any specific security measures specifically applicable to upgrading from OAuth1 to OAuth2, but the spec details some security considerations in section 10 (The parts applicable to clients are 10.3, 10.4, 10.5, 10.6, 10.8 and 10.9).
The OAuth2 specification is still not finalized, and may change. You could begin to implement your OAuth2 flow with Google, but bear in mind that it is possible that names or requirements of parameters, endpoints etc. could change and your application will break / you will need to make changes in future. [Experimental Features] could change (or even be removed) at any time. It is probably a bad idea to use experimental (or beta) software in a critical production environment.
Also, not all Google services support OAuth2 at the moment. eg. If you want to use OAuth for IMAP access to Gmail you will have to use OAuth1 for now.
In the API Console, you can specify multiple callback URLs for your OAuth2 application, one per line. An alternative would be to store your 'm' and 'params' parameters in a browser session / cookie and do the redirect to the correct page once authorization is complete.
Support (some revision of) OAuth2: Facebook, Microsoft/Live, Google (with exceptions described above), Foursquare, GitHub, Gowalla, GeoLoqi, Salesforce.
Support OAuth1 Only: Yahoo, Flickr, Twitter.
Source.