JMeter Authorization with dynamic access token(Bearer) and generate test data dynamically
Authorization with dynamic access token is used to pass the dynamic response content to the subsequent requests which can be further used in APIs to validate the authenticity.
For example, these days applications generate an access token in response to a valid login request and further use it in all the subsequent request(s) to check the authorization of users.
In this article we’re going to set up a quick prototype for handling Token-based authentication with our favorite load testing tool — JMeter.
If you already have your Postman Collection in your hand can simply convert it through Loadium otherwise follow the below steps one by one.
Link: https://loadium.com/postman-to-jmeter-converter/
- A Test Plan (this should be present by default when opening JMeter)
- A Thread Group
- View Results Tree
- HTTP Request — for authentication
- JSON Extractor — to extract the token
- HTTP Header Manager — to append the token for subsequent requests
- HTTP Request — the actual request to be tested
I have already my Postman collection so I converted it into Jmeter (.jmx) file and got the following screen(Test Plan) when I opened the .jmx file in Jmeter.
- Test Plan (Jmeter_IAM):
In the above screen, Jmeter_IAM is the Test Plan, Http URL/API Test is the Thread Group, Http Cookie Manager is added by default by the Loadium converter, Connect _Token is the 1st HTTP Request — for authentication and Create_User is the 2nd HTTP Request — the actual request to be tested. Finally I have added some user defined variables which are needed to run the script.
2. Http Request(Connect_Token):
Through the Connect_Token HTTP Request we send our initial authentication request to the server which accepts some parameters (for example: Client_id, grant_type etc.) and generates an access token in response, which could be used later in subsequent authorization requests.
3. Create a listener ‘View Results Tree’:
TIP: Right click Test Plan(Jmeter_IAM) > Add > Listener > View Results Tree
Now run the script and you will get the following result in tree:
Here we can see that we already got the access_token from Connect_Token request and Create_User request failed because we didn’t add the access_token authentication yet in Create_User request.
4. Add ‘JSON Extractor’ under ‘Connect_Token’ Request:
TIP: Right click HTTP Request(Connect_Token) > Add > Post Processors > JSON Extractor
This is the most important step. We will use it to fetch dynamic access token from the response of Connect_Token Request. See the below screenshot-
We will have to set following parameters for ‘JSON Extractor’:
a) Names of created variables: Name of the variable in which the extracted value will be stored. In our example, it is auth_token.
b) JSON path expressions: Here I have used $.access_token (expression stats with $ symbol) because from View Result Tree screenshot (Refer to Fig#3) I can see access_token is a 1st level element so I put single dot and element name is access_token, if it was a 2nd level element then I have to put two dots Ex: $..access_token
c) Match No.(0 for Random): Tells which match should be picked. 0 is used for random. As there is only one access_token in JSON response so it should be 1.
d) Default Values: In case of no match which value should be picked. Here I gave TokenNotFound. If access_token is not found then variable auth_token will the hold the value TokenNotFound.
5. Add ‘Debug Sampler’ to verify whether value is stored in variable auth_token:
TIP: Right click Thread Group(Http URL/API Test) > Add > Sampler> Debug Sampler
Debug Sampler which is the best way to troubleshoot script variable. Now run the script and from View Results Tree you can see that access_token value is stored in auth_token variable successfully.
6. Add ‘HTTP Header Manager’ under ‘Create_User’ request:
TIP: Right click HTTP Request(Create_User) > Add > Config Element> HTTP Header Manager
Here Create_user HTTP Request is the subsequent requests which requires access token in the authorization request.
Add HTTP Header Manager under Create_user request. This is the second most important step. Generally, for applications, it includes all the header requests which should be passed with the HTTP Request. Most importantly we have to pass the token as a Header something like this: Bearer ${auth_token}
7. Add ‘BeanShell PreProcessor’ under ‘Create_User’ request:
TIP: Right click HTTP Request(Create_User) > Add > Post Processors> BeanShell PreProcessor
Remember when setting up JSON Extractor earlier, we used Names of created variables as auth_token? Refer to point #4. It is being used here.
Add below code in the script section:
The script that is mentioned in this step, will pass the auth_token value in the Authorization Header for Create_User Request. See the following screenshot-
8. Use some built-in JMeter random functions and variables to generate dynamic data while creating user:
Here I have used:
${__UUID()} for creating dynamic externalId, ${__RandomString(11,123456789)} for creating dynamic phoneNumber,
${__RandomString(20,abcyutrd@fghjk@test.com)} for creating dynamic email
for executing uninterrupted load test as these field must be unique while creating user.
You can read more about JMeter Functions and Variables here.
9. Now run the script and see the result in View Results Tree:
Here all we can see that both request is successful and from Create_User Request tab we can verify that Authorization header has the value BEARER + access_token
We can use ‘JSON Extractor’ to capture any dynamic data from the response and then it can be sent to subsequent requests using ‘BeanShell PreProcessor’. This approach makes it very simple to test APIs in which we need to get authentication token from the server and then passing it on all other requests.
