There is a task: load-test the front-end web REST API. The REST API is protected by OAuth 2.0 with the Authorization Code Grant, which means every request needs a valid token in the Authorization: Bearer TOKEN header.
Question: how do we get that token? And how do we do it cleanly and correctly? This is where I got stuck.

In this article I describe the quick solution I arrived at, which I don't quite like. It looks like a crutch, although I have not been able to google anything better. So if you know a better solution, be sure to share it in the comments. So...

The system is a common one: a web REST front end and a typical single-page-application browser client in JS. Authentication and authorization are handled by Keycloak using the Authorization Code Grant plus identity brokering.

Regular load testing of the front-end REST services has to be provided.

The task is quite simple if we have tokens: we insert them into the header and use JMeter to generate the required stream of requests. This is where I stumbled. The web browser obtains the token simply and naturally (via the Keycloak JS adapter), but I still do not understand how to get it without a browser, using a sequence of plain HTTP requests and without executing JS...
The token is checked directly in the REST service, not on the API gateway, and there is no way to disable that check. Without a token it simply won't work.

Next we thought: why not use the functional end-to-end Selenium tests we already have? We quickly abandoned that idea, because the resources required for the simultaneously running browsers turned out to be quite large: for a minimum of 50 threads we needed 50 GB of RAM and 25 cores. However, this gave us the idea that the token can be obtained through Selenium and then handed to JMeter for use.

As a result, an MVP was quickly put together according to the following scheme:

  • Increase the token lifetime in the test environment.
  • Disable caches in the system to simulate the uniqueness of users.
  • Using a Selenium application, walk through the login procedure for the test group of users and dump their tokens into a file. To read the token, issue a JS call through WebDriver: return keycloak.token;
  • Using JMeter, run the load tests with the users' tokens.
  • Everyone likes the JMeter report.
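The token-collection step of this scheme, written out as an added example (not the author's code). It assumes the SPA exposes the Keycloak JS adapter as the global keycloak object, that the login page uses the field ids of the default Keycloak login theme (username, password, kc-login), and that the driver object follows the Selenium 4 WebDriver API (get, find_element, execute_script, delete_all_cookies). Selenium is imported only in the main block so the helpers can also be exercised with a fake driver. The token file is written with owner-only permissions because it holds live bearer tokens, and each token's exp claim is checked against the planned run length before it is accepted, which catches a realm lifetime that was not raised far enough.

```python
"""Collect Keycloak bearer tokens through a browser session and write them
to a CSV that JMeter's CSV Data Set Config can read (added example; assumes
the Keycloak default login theme ids and a Selenium 4 style driver)."""
import base64
import csv
import json
import os
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TestUser:
    username: str
    password: str


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying the signature. Enough to read
    'exp' locally; the REST service under test does the real verification."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS token")
    body = segments[1]
    body += "=" * (-len(body) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def seconds_remaining(token: str, now: Optional[float] = None) -> float:
    """Seconds until the token's 'exp' claim."""
    now = time.time() if now is None else now
    return jwt_payload(token)["exp"] - now


def login_and_read_token(driver, login_url: str, user: TestUser,
                         timeout: float = 30.0, poll: float = 0.5) -> str:
    """Drive the Authorization Code flow in the browser and return the
    access token the Keycloak JS adapter holds after the redirect."""
    driver.get(login_url)
    driver.find_element("id", "username").send_keys(user.username)
    driver.find_element("id", "password").send_keys(user.password)
    driver.find_element("id", "kc-login").click()
    deadline = time.time() + timeout
    while time.time() < deadline:
        # keycloak.token is only set once the adapter has exchanged the
        # authorization code, so poll instead of reading right after click.
        token = driver.execute_script(
            "return (window.keycloak && keycloak.token) || null;")
        if token:
            return token
        time.sleep(poll)
    raise TimeoutError(f"no token for {user.username} within {timeout}s")


def harvest_tokens(driver, login_url: str, users: List[TestUser],
                   min_lifetime_s: float = 24 * 3600) -> List[dict]:
    """Log in every test user and return username/token rows, refusing
    tokens that would expire before the planned load run ends."""
    rows = []
    for user in users:
        token = login_and_read_token(driver, login_url, user)
        remaining = seconds_remaining(token)
        if remaining < min_lifetime_s:
            raise RuntimeError(
                f"token for {user.username} expires in {remaining:.0f}s, "
                f"need at least {min_lifetime_s:.0f}s; raise the realm "
                f"token lifetime in the test environment")
        rows.append({"username": user.username, "token": token})
        driver.delete_all_cookies()  # fresh session for the next user
    return rows


def write_jmeter_csv(rows: List[dict], path: str) -> int:
    """Write 'username,token' rows; the file is created owner-only (0600)
    because it contains live bearer tokens. Returns the row count."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["username", "token"])
        for row in rows:
            writer.writerow([row["username"], row["token"]])
    return len(rows)


if __name__ == "__main__":
    from selenium import webdriver  # only needed for a real browser run
    # Hypothetical test users and SPA URL; passwords come from the environment.
    users = [TestUser(f"load-user-{i:02d}", os.environ["LOAD_USER_PASSWORD"])
             for i in range(1, 51)]
    drv = webdriver.Chrome()
    try:
        n = write_jmeter_csv(harvest_tokens(drv, "https://spa.example.test/",
                                            users, 36 * 3600), "tokens.csv")
        print(f"wrote {n} tokens")
    finally:
        drv.quit()
```

On the JMeter side the file plugs into a CSV Data Set Config with the variable names username and token, and an HTTP Header Manager sets Authorization to Bearer ${token}; the lifetime check above uses the same 36 hours the article settles on, so a run started the next morning still has valid tokens.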


We set the token lifetime to 36 hours. The secondary authorization code we pick up directly from the corresponding database. Login time per user is about 10 seconds, which gives us 360 tokens per hour, so it is easy to prepare as many as needed.

Now the operator runs Selenium on a dedicated laptop overnight to collect tokens; in the morning the prepared token file is ready and JMeter can be started for the load.
The scheme works, the customer is satisfied with the simplicity and low cost of the solution, and proposes moving it onto proper rails: a couple of containers launched from Jenkins.

But the solution still seems crooked to me. There must be a way to do without Selenium! Write if anyone knows. I could not google anything on the subject of load testing OpenID & OAuth2 with the Authorization Code Grant.
