JMeter Oauth 1.0 support - oauth

I need to test integration with a 3rd party using OAuth 1.0.
I didn't find any working solution except OAuthSampler, which is marked as deprecated and states:
Does not work with JMeter v3.2+.
In the JMeter 3.1 Plugin Manager it's marked as deprecated.
Can I still use it in JMeter 3.1 and how? Is there a working solution for sending OAuth 1.0 requests?
Is the main problem of the plugin the use of the deprecated Base64Encoder?

OAuth has too many faces, therefore I doubt the plugin has ever worked. The best way is reaching out to your application developers; if you are lucky enough you will get a relevant OAuth client library and code snippet which will be producing the required token. If not, you will at least have the Consumer Key and Consumer Secret which you can use for building up the proper OAuth login sequence and the necessary signature method (as OAuth requests can be signed using different algorithms).
See How to Run Performance Tests on OAuth Secured Apps with JMeter for more detailed explanation, approaches to bypass OAuth login challenges and code snippets.

Yes, you can use it in JMeter 3.1. The reasons many plug-ins do not work with JMeter 3.2 are outlined in the Incompatible changes section. The most important reasons are:
Logging changes - this is the most popular reason for plug-ins to break. And looking at OAuthSampler, it seems the likely reason for this plug-in as well.
Java 8 version requirement. Could be a problem for some libs.
It's also not too hard to convert the sampler to be 3.2 friendly (remove logging completely, or change it to use the new standard methods), so you could do that from the OAuthSampler source code. You can also use the script solution described here.

Can I use AEM as OAuth 2.0 client?

Does Adobe Experience Manager support OAuth 2.0 as a client? I mean AEM connecting with an external application which plays a role of authorization server and resource provider.
I could not find any examples of such usage - AEM is usually presented as an authorization server and resource provider for other client applications.
AEM provides a number of authorization integrations. Maybe you can switch to SAML, which works pretty well out-of-the-box. I once integrated AEM with Keycloak with good results (but using SAML).
Regarding OAuth, most documentation is dominated by AEM as an OAuth provider. They integrated Apache Oltu (which is end-of-life anyway).
But AEM provides an OAuth client as well. But it needs a custom extension for each provider. Out-of-the-box only implementations for Twitter and Facebook are available. But Github and IMS (Identity Management from Adobe Managed Services) also seem to be available.
Please check also Package Share. But I don't know what is available there. And you probably need support from Adobe, to judge the quality and usefulness of such packages.
If you have to implement your own Provider-Extension, the best starting point I found was here:
https://aemcorner.com/adobe-granite-oauth-authentication-handler/
You are basically free to build whatever you want, as AEM is basically nothing else but a Java application. But you might want to keep in mind that the standard applications of AEM are delivering rendered HTML from the dispatcher in the end. You want to have as little load on the publishers as possible.
So, when authorisation of resources is a technical or business concern, you might need to dive deeper into SPAs or at least async loading of resources as JSON.

Securing Rest APIs

I have two sets of REST APIs used for the same application, developed on two different frameworks.
One on SpringBoot, secured using OAuth 2. The second set of APIs is developed on the Jooby microframework for REST APIs.
Since the services on Jooby are not secured, how can I do that, so that both sets of APIs are secured?
The login is working in conjunction with the SpringBoot app and OAuth 2.0, and the same user credentials should be used for the Jooby APIs as well. Does it make sense to put some sort of gateway common for both sets of APIs?
Well, security is a broad topic and frameworks implement security guidelines and support when becoming mature. Even though I don't have any prior experience with Jooby, after referring to their documents I found a couple of support libraries and extensions.
Moreover, you can follow this great Github repo as a checklist and implement what is relevant to your context.
If you can provide more implementation details about your login, I can give a more specific answer. But it seems a common gateway isn't really necessary and you can use authentication credentials such as tokens directly with your Jooby APIs as well. See pac4j, which is listed under the Jooby documents.

Blazemeter Oauth plugin for JMeter no longer supports authentication using OAuth 1.0?

I need to test HTTPS requests with OAuth 1.0 as the authentication method. I tried using the deprecated plugins with older versions, and the Blazemeter script for the same, but neither of them works. I just need to pass the Consumer Key and Secret and sign the HTTPS request with OAuth 1.0 using JMeter. Can anyone help here please?
JMeter has never supported OAuth per se, so I would recommend using JSR223 PreProcessor in order to sign your request.
Check out How to Run Performance Tests on OAuth Secured Apps with JMeter article which has an example of bypassing OAuth 1.0 challenge using Groovy scripting and oauth-signpost library.
The approach is not guaranteed to work for all OAuth implementations as there could be many encryption options so you may need to modify the code according to your infrastructure.
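The signing step both JMeter answers describe (and that oauth-signpost does inside a JSR223 PreProcessor) is the RFC 5849 HMAC-SHA1 procedure: build the signature base string from the method, base URI and the normalized query, oauth_* and form parameters, then HMAC it with consumer_secret&token_secret. The following Python script is an added example, not code from either post, from the linked article or from oauth-signpost; the consumer key and secret, URL, nonce and timestamp are constructed values. It shows the client side (producing the Authorization header) and the server side (recomputing the signature, constant-time comparison, timestamp window), which is the check a 3rd-party endpoint runs against what JMeter sends.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and verification.

Added example; not code from the posts or from JMeter/oauth-signpost.
Consumer key/secret, URL, nonce and timestamp values are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA / DIGIT / '-' '.' '_' '~' stay unescaped."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lower-cased, default ports dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    authority = host if port is None or default else f"{host}:{port}"
    return f"{scheme}://{authority}{parts.path}"


def signature_base_string(method, url, params):
    """Section 3.4.1: METHOD & enc(base URI) & enc(sorted encoded k=v pairs joined by &)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(consumer_secret, token_secret, base_string):
    """Section 3.4.2: key is enc(consumer_secret)&enc(token_secret); result is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token=None,
                 token_secret="", body_params=None, nonce=None, timestamp=None):
    """Client side: return (Authorization header value, signature base string)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    # The signature covers query, oauth_* and form-body parameters, never oauth_signature itself.
    params = query + list(oauth.items()) + list((body_params or {}).items())
    base = signature_base_string(method, url, params)
    oauth["oauth_signature"] = hmac_sha1(consumer_secret, token_secret, base)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base


def parse_oauth_header(header):
    """Turn 'OAuth k="v", ...' back into a dict with percent-decoded keys and values."""
    items = {}
    for part in header[len("OAuth "):].split(","):
        k, _, v = part.strip().partition("=")
        items[unquote(k)] = unquote(v.strip('"'))
    return items


def verify_request(method, url, header, lookup_consumer_secret, token_secret="",
                   body_params=None, max_skew=300, now=None):
    """Server side: recompute the signature from the received parameters and compare it
    in constant time. A production verifier would also reject replayed nonces."""
    received = parse_oauth_header(header)
    if received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    now = now if now is not None else int(time.time())
    if abs(now - int(received.get("oauth_timestamp", "0") or 0)) > max_skew:
        return False
    consumer_secret = lookup_consumer_secret(received.get("oauth_consumer_key"))
    if consumer_secret is None:
        return False
    claimed = received.pop("oauth_signature", "")
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = query + list(received.items()) + list((body_params or {}).items())
    expected = hmac_sha1(consumer_secret, token_secret, signature_base_string(method, url, params))
    return hmac.compare_digest(claimed.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed credentials; a fixed nonce/timestamp keeps the run reproducible.
    hdr, base = sign_request("GET", "https://api.example.com/resource?foo=bar",
                             "ck", "cs", nonce="n1", timestamp=1000)
    print(base)
    print(hdr)
    print(verify_request("GET", "https://api.example.com/resource?foo=bar", hdr,
                         {"ck": "cs"}.get, now=1000))
```

In a JMeter JSR223 PreProcessor the equivalent Groovy code would put the returned header value into the sampler's Authorization header; the base-string rules above are also where most "signature invalid" failures come from, so when a 3rd party rejects the request, compare their documented base string with the one this script builds before suspecting the HMAC itself.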

Grails: Securing REST API with OAuth2.0

I am building a REST API using Grails. I want it to be protected using the OAuth2.0 client_credentials flow (grant_type). My use-case is as follows:
an external agent will send a request to something like
http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials
and obtain an access_token. Then, my URL (protected resource) should be accessible with something like
http://server-url/resource?access_token={access-token obtained before}
I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this? The Scribe library is an option; if there are any tutorials for my specific use-case, it will be great.
P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.
I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!
Based on my experiences, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper; we had to do everything else manually. Fortunately, doing it manually is surprisingly easy.
Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.
Note that your examples are not completely standard compliant. The standard requires using HTTPS, sending the token in an HTTP header instead of a GET parameter, and suggests using an HTTP basic authorization header instead of GET parameters to specify client credentials.
I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)
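The standard-compliant shape of the flow that this answer describes (client credentials over HTTPS via HTTP Basic, the access token returned as JSON and then presented in an Authorization: Bearer header rather than in the query string) can be written out end to end without any framework. The Python below is an added example, not code from the posts, from Grails or from the plugins linked in this thread; the client id, client secret and the in-memory token store are constructed. The same `authenticate_bearer` check is also what the earlier Jooby question needs: a second service can validate tokens issued by the Spring Boot side as long as both consult the same store (or an introspection endpoint backed by it).

```python
"""OAuth 2.0 client_credentials token issuer and bearer-token resource check.

Added example, not from the posts. Client id/secret and the token store are
constructed, in-memory stand-ins for a real database or introspection service.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed client registry: client_id -> SHA-256 of the client secret
# (the raw secret is never stored).
CLIENTS = {"clientId": hashlib.sha256(b"clientSecret").hexdigest()}
TOKENS = {}          # access_token -> {"client_id": ..., "expires_at": ...}
TOKEN_TTL = 3600     # seconds


def basic_auth_header(client_id, client_secret):
    """Client side: RFC 6749 section 2.3.1 credentials as HTTP Basic."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic_auth(header):
    """Return (client_id, client_secret) from a Basic header, or None if malformed."""
    scheme, _, cred = header.partition(" ")
    if scheme != "Basic" or not cred:
        return None
    try:
        client_id, sep, secret = base64.b64decode(cred, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    return (client_id, secret) if client_id and sep else None


def token_endpoint(method, scheme, headers, form, now=None):
    """POST /oauth/token: returns (status, body) like the JSON the client would parse."""
    now = now if now is not None else int(time.time())
    if method != "POST" or scheme != "https":
        return 400, {"error": "invalid_request"}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    # Compare hashes in constant time; an unknown id is compared against a dummy
    # so timing does not reveal which client ids exist.
    expected = CLIENTS.get(client_id, "0" * 64)
    given = hashlib.sha256(secret.encode()).hexdigest()
    if client_id not in CLIENTS or not hmac.compare_digest(given, expected):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)           # opaque, unguessable
    TOKENS[token] = {"client_id": client_id, "expires_at": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def authenticate_bearer(headers, now=None):
    """RFC 6750 section 2.1: the token is read only from the Authorization header.
    Returns the owning client_id, or None for a missing, unknown or expired token."""
    now = now if now is not None else int(time.time())
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    entry = TOKENS.get(token)
    if entry is None or entry["expires_at"] <= now:
        return None
    return entry["client_id"]


def resource_endpoint(headers, query, now=None):
    """GET /resource: a token passed as ?access_token= is deliberately ignored."""
    client_id = authenticate_bearer(headers, now)
    if client_id is None:
        return 401, {"error": "invalid_token"}
    return 200, {"owner": client_id, "data": "protected payload"}


if __name__ == "__main__":
    auth = basic_auth_header("clientId", "clientSecret")
    status, body = token_endpoint("POST", "https", {"Authorization": auth},
                                  {"grant_type": "client_credentials"})
    print(status, body)
    if status == 200:
        print(resource_endpoint({"Authorization": "Bearer " + body["access_token"]}, {}))
        print(resource_endpoint({}, {"access_token": body["access_token"]}))
```

Because the token is an opaque random string looked up in a store, the resource side never has to know the client secret; a Jooby service that shares `TOKENS` (in practice a database or an introspection call) can run `authenticate_bearer` unchanged.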
This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.
https://github.com/bobbywarner/grails3-oauth2-api

grails facebook registration/login

I have a Grails app that uses the Spring Security plugin for authorisation/authentication. I would like to also offer users the ability to register/login via Facebook. I need to integrate Facebook login/registration with the Spring Security plugin, such that (for example) if I call
springSecurityService.getCurrentUser()
it will return a user object for the current user regardless of whether that user logged-in with Facebook.
I've found a variety of plugins and blog-posts that propose a solution, but I'm not sure which (if any) will work with the most recent version of Grails (2.0.0.RC1) and the Spring Security plugin.
Can anyone recommend which of these plugins/procedures I should try, or should I just work with the Facebook API directly? I read somewhere that using a plugin may be inadvisable, because the Facebook API changes frequently (and there will inevitably be a gap between the time Facebook make these changes and when a compatible version of the plugin is released).
Actually I can't be unbiased there, because I'm the author of http://grails.org/plugin/spring-security-facebook
Btw, I can say that this plugin is compatible with Grails 2.0RC1. And I've a Grails 2.0 project using this plugin.
PS If you have any questions or found a bug - you can contact me directly.
As the author of the "blog-posts" you linked above, I'll say that my guide was done using a Grails 2.0 milestone release and should work with the latest release of Grails and Spring Security.
The spring-security-facebook plugin worked when I tried it last and probably (now) has the latest OAuth2.0 fixes in place, but at the time of the writing for my post, those changes were still in progress.
The choice between using the plugin and not using the plugin is really a balancing act between convenience and control. While Facebook's API changes will probably slow down as the platform matures, which should give people more confidence in the plugin, there will always be inherent risks when adding these additional layers of abstraction.
For me, I found the implementation of Facebook and Spring Security relatively trivial and prefer the extra control, knowing that if/when the Facebook API changes, I or one of my developers can go and address the change without having to rely on a third-party plugin support team having time to fix my issues.
