Introduction
In the previous post on this topic, we’ve setup a simple JMeter performance test which is making HTTP Calls to a .NET Core API Endpoint.
The test we performed, was making calls to an unauthorized API Endpoint. Today, we will see how to make HTTP calls to an endpoint which is protected by JWT authentication mechanism. We all also learn few more items in JMeter.
This is how our current Test setup looks like:
Get User Authentication Token
I am assuming you are aware of how JWT works in APIs. I also have written few posts on this topic, you can refer to those if you are totally new to JWT.
The process is very simple. To make an HTTP call to an authorized endpoint, we shall include bearer token to our HTTP Request as an Authorization header. That means that first, we need to get a bearer token by providing username and password, store it somewhere and then use it in different HTTP Calls as an Authorization Header. Here are the steps
- Get JWT (bearer token) by providing a username/password to API Endpoint.
- Use it in authorization header for HTTP calls to authorized endpoints
In our target .NET Core API, we have an endpoint which provides a token as shown below:
Let’s setup a new Thread Group and HTTP Request to get this token.
Getting JWT Token
Setup HTTP Request
First, create a Thread Group (JWT) and an HTTP Request to send username and password to the API Endpoint as shown below:
Now, if we click the green execute button, we can see that it resulted in an error which we can see by clicking View Results Tree:
To fix this issue, when can setup an HTTP Header Manager, which we will do next.
Add Http Header Manager
Add an HTTP Header Manager by right-clicking the newly created HTTP Request.
Once it is added, we can add/update it with content-type to application/json as shown below:
Now, if we execute the test again, we can see that the request succeeded and we have the bearer token (JWT) in response data:
Next, We can use this bearer token in our Http Calls to any protected endpoint. For extracting purpose we can use another component in JMeter, called JSON Extractor.
JSON Extractor to Extract Bearer Token from HTTP Response
Similar to HTTP Header, we can add a JSON Extractor for our HTTP Request as shown below:
Once added, we can configure it to extract the bearer token from HTTP Response and put it in a variable:
Now, we can run our test again and the JSON Extractor will extract the bearerToken and put in a variable called token.
But, how can we see this newly created variable? we can use a Debug sampler to our JWT Thread group as shown below:
By simply adding this, if we run the test again, we will find an additional debug output showing various JMeter variables as well as the newly created token variable and its value, as shown in pic below:
So, we have the bearer token retrieved in a variable, now we need to use it to make authorized calls to API.
Making Authorized Calls to API
Here is the protected endpoint in .NET Core API for our reference:
So, lets setup an HTTP Request to test this endpoint. By now, you know the drill and following is the image of request setup to make this call:
If we execute the test, it will result in an error (unauthorized), which makes sense coz even we have the JWT but we did not send it yet along with our HTTP Request to protected endpoint. See the error image below:
Adding Bearer Token to HTTP Request
Add an HTTP Header Manager item for GetData Request as shown below:
If we try run test again again, it will still not work. This is because we need do one more thing to get it properly setup.
Add a BeanShell Assertion item Under GetToken request as shown below:
Once it is added, add the following script to it:
${__setProperty(token,${token})}Here is how it looks in JMeter window:
Now, if we execute the test, this time we can see that our HTTP Request is successful and we are able to call the protected endpoint, following is the result from the test run:
Running the whole Test Plan
We can also run the whole test plan and can see the HTTP Requests and the corresponding matrices:
Summary
In this post, we setup a test which make HTTP calls to a protected endpoint. We saw that how to extract item from JSON data (bearer token), then use this bearer token as an Authorization header to subsequent calls.
We also learned some new items in JMeter e.g. Debug Sampler which is useful for debugging purposes. We also saw JSON extractor, HTTP Header Manager and did some scripting (BeanShell Assertion) along the way.
You can download the sample JMeter Test Files from this git repo.
JMeter is very flexible and offers a lot more other options which we can use as per our requirements and I will try to cover some more details in upcoming posts. Let me know if you have some questions or comments. Till next time, Happy Coding.