Performance testing apps that rely on OAuth is a bit of a pain, whether you’re using JMeter or otherwise.
Assuming you’re using the server-side/authorization code OAuth2 flow (which is the most common), the
code parameter is a short-lived, one-off value generated by the authorization server (Microsoft in this case) and returned to your app via a URL query parameter when the user is redirected back from the login page. Your app takes this code and makes an API call back to Microsoft, validating it and swapping it for an access token that can be used to authenticate further calls.
There are two pain points when load testing this kind of setup:
- You have to automate the login flow, which will take you off your own domain into the auth server’s, and require you to correctly interact with the login form. This will mean parsing and using CSRF tokens correctly among other things.
- SSO providers will usually start rate limiting you or even ban your API key if you run load against them from a single IP address.
The solution I’d recommend is mocking the OAuth2 authorization server. This gets you round the rate limiting problem and means you can work with a login flow that’s far easier to script with JMeter and others. It also means you can run negative/degraded tests far more easily.
My company’s product - MockLab - can help you here. It has a template for a generic mock OAuth2 server which can be substituted for Microsoft, Google etc. SSO, and you can use the free public version up to 10 requests / second. See here for an overview and here for more detailed docs.
Happy to lend a hand if you want to give MockLab a try.
Also, I co-wrote a blog post about mocking OAuth2 using open source tools. It’s focussed on Spring apps, but the mocking bit can be applied to any app using OAuth2.