Load testing OAuth2 Authorization Code Grant (with JMeter) - oauth-2.0

We have implemented an OAuth2 Authorization Server (and Identity Provider).
Now we want to perform load tests to gauge system performance.
The concrete problem I have now, is that I want to load test an Authorization Code Flow.
I have been using JMeter so far. But I have no clue how to provide an endpoint for the required redirect_uri, to complete the flow.
Is there any way to do this at all, or am I out of luck? Google was no help.
If JMeter can't do it, is there a tool that can?

Provide whatever redirect_uri parameter you want, i.e. http://localhost:8081/oauth/login, and fetch the required parameters from the response Location header using a Regular Expression Extractor.
Of course the sampler will fail, as most probably you don't have anything running on your machine which could serve as a redirect target, so either use HTTP Mirror Server to provide a stub or just mark the sampler as successful by adding a Response Assertion to it and ticking the "Main sample and sub-samples" and "Ignore Status" boxes.
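As an added illustration (not part of the answer above), this Python snippet does in code what the Regular Expression Extractor does in JMeter: it takes the 302 Location header the authorization server returns, pulls out the code, and builds the follow-up token request. It assumes the redirect_uri from the answer; the code and state values are constructed samples. Unlike a bare `code=([^&]+)` regex, it also checks the redirect target and the echoed state, which is the check a real client makes against a forged or crossed-session redirect.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed redirect_uri (taken from the answer) and a constructed sample of
# the Location header the authorization server sends after consent.
REDIRECT_URI = "http://localhost:8081/oauth/login"
SAMPLE_STATE = "c7f1e2d3"
SAMPLE_LOCATION = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={SAMPLE_STATE}"


def new_state() -> str:
    """Per-request unpredictable state; each load-test thread should mint its own."""
    return secrets.token_urlsafe(16)


def extract_code(location: str, expected_state: str, redirect_uri: str = REDIRECT_URI) -> str:
    """Return the authorization code from a Location header, or raise.

    Equivalent to the JMeter extractor regex code=([^&]+) on the Location
    header, plus the checks the extractor alone does not do.
    """
    parts = urlsplit(location)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != redirect_uri:
        raise ValueError(f"redirect went to {base}, not {redirect_uri}")
    qs = parse_qs(parts.query)
    if "error" in qs:  # server declined: error=access_denied, invalid_scope, ...
        raise ValueError(f"authorization error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in Location header")
    return code


def token_request_body(code: str, client_id: str, redirect_uri: str = REDIRECT_URI) -> str:
    """Form-encoded body for the POST to the token endpoint (RFC 6749 section 4.1.3).

    redirect_uri is repeated so the server can verify it matches the
    value used in the authorization request.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    })


if __name__ == "__main__":
    code = extract_code(SAMPLE_LOCATION, SAMPLE_STATE)
    print(token_request_body(code, "load-test-client"))
```

In a JMeter plan the same two steps are the Regular Expression Extractor on the /authorize sampler (with "Follow Redirects" off so the Location header is visible) and a second HTTP sampler posting the extracted `${code}` to the token endpoint.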

Related

How to authorize a request from Power Automate Desktop to Dataverse?

I'm looking for some advice about authorization for a request I'm making in Power Automate Desktop using the action 'Invoke Web Service'. I'm using this request to get information from Dataverse.
I've currently set up this request using OAuth2.0 with the Grant Type set to Implicit and I've hardcoded a token value into the header. I'm pretty green when it comes to authorization, so I'm just wondering if that's the best way to use OAuth2.0 to get info from Dataverse to PAD? I'm also concerned this token will expire and how to go about handling that. If I should set this up differently please let me know. And if you know how I can refresh the token automatically somehow, advice would be great.
I'm going to make the assumption that you have an Azure instance within your org.
You should be able to execute the entire OAuth flow through PAD given you can do it through Postman ...
https://learn.microsoft.com/en-us/powerapps/developer/data-platform/webapi/use-postman-web-api
... having said that, if you want an easier way, my suggestion would be to use LogicApps as it does all of the hard work for you. It will also protect keys, etc. that run the risk of being exposed if contained within a PAD flow, and that's even if you store that sort of information in a KeyVault or something. At some point, it needs to be exposed to PAD.
You can create a LogicApp that's triggered by an incoming HTTP request ...
... and have your DataVerse connector pull the relevant data ...
... to then return back to the calling PAD flow with a response action.
This is an example flow ...
I haven't gone into detail given your question lacks specifics around filtering, etc. but you can always make your LogicApp more comprehensive by adding functionality in the payload to order, filter, expand, etc. on the OData call to DataVerse so you get exactly what you want from a data perspective.

Getting 'unauthorized_client' with Power Platform Custom Connector using OAuth2

I am trying to build a Custom Connector in the Power Platform to connect to the BMC Helix (formerly Remedy) system to create work orders and such. I am using OAuth2 and was given a callback URL, auth URL, token URL, client ID and client secret.
I went to create a connector from scratch. I populated the fields, but I wasn't sure what to put for the 'Refresh URL', so I used the token URL there too.
I am trying to accomplish testing this connector and my successful test would be to get a JWT from doing a POST to the /api/jwt/login endpoint of BMC Helix. It should return a JWT which I can use to make subsequent calls.
Upon testing this, I go to create a connection, but a window opens (which I believe should be a prompt for authentication), but instead it contains an error saying 'unauthorized_client' coming back from the BMC Helix system at the /rsso/oauth2/authorize endpoint. It also contains a property within the URL of redirect_uri = https://global.consent.azure-apim.net/redirect.
Is there something on the Helix side I need to further configure? Not sure why I am getting this...
It sounds like you need TWO METHODS in your connector. A POST to call the token server, a GET (or another POST) to call the API (using the token received from Call 1).
One approach I've successfully used in the past is:
Use Postman to get your token server call working with OAUTH
Then use Postman to get your subsequent API calls working with the token appended
Save both requests to a single Postman collection
Export the Postman collection (as a V1 (deprecated) if I recall correctly)
Import this collection into PowerApps Custom Connector (create new/import from Postman Collection)
You'll have to massage it a bit after import, but it will give you a good headstart and you're starting from a known-good place (working Postman calls)
Good luck!

I am trying to perform mobile load testing using JMeter but I receive a 401 error in the result tree

I am trying to load test my mobile application using JMeter. I have given the authorization token in the HTTP Header Manager and recorded the mobile app operations. But when I run this recorded script and view the result in the result tree, all of the operations appear as failed and for some I see a 401 unauthorized error. Please help me in solving this problem.
This image shows the result I get after running the recorded
An HTTP 401 status code means that you failed to provide correct credentials or a token; you need either to log in somehow or to pass a "good" token which your system expects.
In the majority of cases you cannot just replay a recorded script without prior correlation, the process of extracting dynamic data from the previous response using a suitable Post-Processor, converting it into a JMeter Variable and adding it to the next request.
You can determine which parts of the request are dynamic by recording the same actions once again and comparing the scripts. If there are differences, you will need to handle the corresponding parameters.
An alternative option is using a cloud-based proxy service for recording; it can export recorded requests in SmartJMX mode, assuming automatic detection and correlation of any dynamic parameters. See the How to Cut Your JMeter Scripting Time by 80% article for more information.

What is the purpose of API token in REST API Call Plugin Configuration?

What is the purpose of the "API token" option in the REST API Call Plugin Configuration? Why is it compulsory?
In the screenshots below it was set to "rest" but never used afterwards. Any examples?
https://thingsboard.io/docs/reference/plugins/rest/
The purpose of the API token is to reserve a certain path in the REST and WebSocket API for a particular plugin.
So, all requests that match a certain URL filter:
http(s)://host:port/api/plugins/$API_TOKEN/
will be dispatched to the plugin implementation after the security check.
The plugin can apply additional checks if required.

Recorded scripts in JMeter don't make an order due to CSRF token in URL

Using the JMeter GUI, I recorded a test scenario (placing an order) and the script ran successfully. But when I replay the test script it doesn't function as it was recorded to do; it did not make an order.
After querying the dev, I found that with each item selected, the server generates a CSRF token and puts the token in the URL path (like: /cart/add/type/product_id/7245985/_csrf_token/b46c0aec2e5891808ec42141b1956943204ae8f8) when the item is added to the shopping cart. This is all recorded in the script. This path with the token is used to add the item to the cart.
My question is how to test this dynamic token when it is concatenated in the path of the URL?
Any help is appreciated.
If you have not already added a Tree View Listener to your Test Plan, then add it now. You can use it to view the details of requests and responses. JMeter considers a request successful if it gets "some" response from the server side. It does not matter if the response is functionally valid or not. So, in order to make sure that JMeter is sending valid parameters and receiving the expected response, you will have to check the details of requests and responses in the Tree View Listener.
You can also add Response Assertions to requests so JMeter itself verifies that it is getting the expected responses.
Important Tips:
Use the Tree View Listener for debugging only. In a real load test keep it disabled as it consumes a lot of memory.
Do not use Response Assertions excessively as they consume a lot of memory as well.
JMeter is not a browser-based tool. It just deals with back-end requests. Hence it is expected to be very fast. So nothing is wrong with that. You should remove unnecessary timers, as there is nothing wrong with it being fast.
If your requests involve some kind of login authorization then have a look at this question for further details: Load testing using jmeter with basic authentication
Recording doesn't guarantee a working script; it gives you only a "skeleton" and usually you need to perform some correlation (the process of extracting a mandatory dynamic parameter from the previous response and adding it to the next request).
Reference material:
Building a Web Test Plan
Building an Advanced Web Test Plan
How to use JMeter for Login Authentication?
How to make JMeter behave more like a real browser