Load testing is one type of testing among the different kinds of performance testing that determines the performance of the system in real time load conditions. The role of APIs has evolved a lot over the past few years. When APIs were only used for tasks such as extracting reports, their performance was never a key factor. However, APIs have slowly moved towards the critical path between an end user and the service company offers, which is very critical. Since more and more organizations are using APIs for providing their services, its security and performance became a key factor. Here we are going to discuss about an API security mechanism, which is called as OAuth 2.0, and how can we do load tests on OAuth Web APIs.
What is OAuth?
OAuth is the industry-standard protocol for authorization. OAuth focuses on client-developer simplicity, while providing specific authorization flows for web applications, desktop applications, mobile phones, etc. This specification and its extensions are being developed within the IETF OAuth Working Group. OAuth is commonly used as a way for Internet users to log in to third-party websites using their Microsoft, Google, Facebook, Twitter, Slack accounts, etc., without exposing their password.
OAuth 1.0 is suspected of security flaws and withdrew its support. OAuth 2.0 is the latest, with more advanced security features. OAuth 2.0 allows users to share specific data with an application, while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files. According to the OAuth website, It’s like a car valet key. Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your on-board cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key while using your regular key to unlock everything.
Why Load Testing OAuth Web APIs is Important
Whatever is your role in an organization, at least once in a while you would have heard about an API. So what is API? An API stands for Application Programming Interface. An API is a set of rules and instructions for how to communicate with an application when a user accesses an app through internet. A request could be as simple as this:
If you think functional testing is enough for you application and that is what all customers care, you would be incorrect. What if your website goes live in conjunction with a marketing campaign and thousands of potential customers start to log in. It’s only then you realize that your customers are encountering errors during the login process. From that moment on, you are losing potential business and your organization’s image.
To avoid this humiliating situation, load testing is applying the traffic you expect to see in production, systematically to your application servers, in order to determine how the application behaves before it goes live. If you have implemented OAuth, you can carry out API load testing by simulating multiple users sending requests to your server at the same time. There are different ways that you can run load tests, but API load testing is one of the easiest methods and most cost-effective options. That’s because it’s simple to script and there are a lot of industry open-source tools that you can use to generate and execute your scripts.
If you are not familiar with API testing and how load testing works, here is a good article where you can gain some knowledge on API testing.
An API request in LoadView can be done in two ways: using the EveryStep Web Recorder to record a script or an HTTP task. You can record the API using an application that uses the API or using the LoadView solution. Also, it’s very important that if your application uses a third-party API, you need to load test these APIs as well to make sure they adhere to your requirements.
Here we are going to explain the OAuth 2.0 flow with the help of the LoadView solution. LoadView is an on-demand load testing platform that makes realistic load testing possible without an up-front investment in hardware or software infrastructure. The application that we are going to load test is a health application used by doctors.
From here on out, we will refer to the target application as “health application.” The health application is hosted in Azure and they have used Microsoft OAuth 2.0 services during the login process, so the doctors can access and can login with their hospital email address which is already registered. Basically, this application will provide all the details about a patient history.
OAuth 2.0 flow is specifically for user authorization. It is designed for applications that can store confidential information and maintain state. A properly authorized web server application can access an API while the user interacts with the application or after the user has left the application.
Here is the step-by step-guide which will show the OAuth 2.0 flow, along with corresponding LoadView configurations for performance testing.
There are only two actions in the flow, but it depends on the developers need if they will do it with multiple sequences of the API. An OAuth 2.0 API configuration and complexity will change based on the application security and developer requirement. It’s never a one-size-fits-all process.
There are two ways to load test OAuth 2.0 using LoadView.
- Request developers for the sequence of API’s OAuth authentication. This is the simplest and straight forward. Else use Load view
- Record it using the EveryStep Web Recorder scripting tool. You can try out the recorder for yourself here.
Using the EveryStep Web Recorder is easy to use and is more effective and efficient, since we don’t need to depend on developers.
Process 1. OAuth 2.0 Load Testing Process with the EveryStep Web Recorder
Step 1. Access the EveryStep Web Recorder.
Step 2. Enter your application’s URL and select Record Now.
Step 3. Follow your application’s login scenario.
Step 4. Verify all the application’s details.
Step 5: That’s it. Replay and make sure it’s working. Simple right? Once the recording is done, configure it in the LoadView platform and perform your load test.
Process 2. Using OAuth 2.0 API sequence using LoadView
Note: There are two actions required for to complete the OAuth 2.0 process.
Action 1. Get authorization code
Action 2. Exchange the authentication code for an access token
Note: You need to request API server request details and body data details from Development team
Step 1. Create your LoadView account and go to the LoadView dashboard for selecting the API type for testing.
Step 2. For demo purposes, we’re selecting HTTP/S. Your situation may differ depending on the API service type.
Step 3. Configure your API Request to hit the application API server.
Step 4. The API server redirects to login page saying, to access the data: login with Microsoft (OAuth provider) to access the page. You can see OAuth 2 in the URL.
Step 5. User enters the email address and password and click login, enters their username and password, and then allows access to application. Auth server redirects the user to your website with a code as parameter in URL.
Step 6. API server asks Auth server for user information for the given access token. Auth server returns details about userid, email, etc.
Step 7. API server identifies the user, and sends the response along with access token. Client sends the access token to the API server in the below request. API server checks if access token is valid give access to application.
Wrap Up: Load Testing OAuth Web APIs
Correlating and configuring OAuth 2.0 requests is not an easy task. You need experience and clear understanding of how OAuth works for your application. Since OAuth is enabling very important functionality of any application, it’s very important to carry out performance testing of OAuth APIs for your application. If you are using any other open-source tool, such as JMeter, You can convert JMeter tests to LoadView. JMeter is not a performance testing solution like LoadView, it’s just a load thrower. We need a good performance testing solution like LoadView to execute end-to-end performance testing.
Learn more about LoadView and sign up for the free trial. You’ll receive $20 in load testing credits to start.