In my jmeter web recording, I have an api/authenticate part which generates the token which has to be used
in subsequent requests. I did the part of correlation too. But the problem I face now is, the api/authenticate throws a session still persists error after sometime. In my script I have log out option too. In api/authenticate I am providing username and password in the headers. Since the session exists error is there, I can't get the token in the response body. Is it something that developers can fix for us? can you please help me with this? Or is there any request which is missing above this authentication part which jmeter didn't capture? I have authentication header manager added to my test plan to clear
authorization every iteration. Also cookie manager and cache manager. Nothing clears the session.
For well-behaved application "log out" request should clean the session, if it doesn't - you need to report it to your application developers.
Also check the token response, it might be the case it has some time to live and if this is the case the token persistence could be a part of your application functionality so if there is a username/password combination associated with the token you should be using it until it expires before getting the new one. So you can write the token and its expiration date into a CSV file using Flexible File Writer and use If Controller to check whether the token is still active or not
Related
I need to perform one app that is signed in via login.microsoftonline.com, but I get this error "We can`t sign you in your browser is currently set to block cookies. you need to allow cookies to use this service." maybe someone else has experienced something similar.
I tried changing HTTP Cookie Manager type from standart to others, also I used CookieManager.save.cookies with true and false but nothing worked.
HTTP Cookie Manager
request
error
You're not supposed to have the request to login.microsoftonline.com as the very first request in your JMeter script.
My expectation is that you're trying to test an application which uses Microsoft Identity Platform as authentication provider so depending on your application auth flow you need to pass some parameters to this login.microsoftonline.com page and the parameters need to be extracted from the previous request.
So try starting with your application login page and I believe you should be redirected to the login.microsoftonline.com with valid cookies and appropriate parameters
I'm unclear about how OAuth2 (or at least google's implementation of it) works for server applications as far as redirect_url is concerned.
I'm trying to achieve three use cases:
Case 1:
A user who has never logged in logs in through my web interface using the well-documented tools found in the google identity management API, which produces a token.
My javascript client sends the resulting token along with username (or anything else needed) to the server.
The server uses the token and additional information to make sure the user is authenticated and has access to some resource that is requested, for instance basic login.
Case 2:
A user has already logged via web page and their token is available as a cookie that has not expired, and the initial page forwards that to the same token checking mechanism as above.
The server uses the token to validate their session.
Case 3:
A user is accessing my server from an app (like Unity or some other compiled Qt application or even on a command line) and is prompted for credentials because no token can/should exist when cookies aren't a thing in this context.
If their credentials are no good, the application says so, and asks for new ones.
If the credentials are good, a token is generated but is probably not used except if the token needs to be refreshed at some time interval, because we assume that re-running the app or command line is effectively a new session.
None one of these cases requires my server to use the redirect_url (except maybe the case of #2 where the token is expired), because:
Case 1, the user would have been unable to pass a token in the first place if they can't log in, and would have been redirected before that.
Case 2, the server accepts the token and doesn't redirect, or rejects the token and only then may redirect them back to the initial state of Case 1, but the server already wants to redirect them because the token is invalid, so I don't need/want the redirect_url from oauth.
Case 3, we are assuming there is no browser and don't care about redirect_url in any case no matter what.
As my code works now, using: https://developers.google.com/identity/protocols/oauth2/web-server there is always this redirect_url field which I don't know what to do with, and when I execute REST commands I'm getting raw html back which includes self-submitting javascript instead of useful headers.
I can see a case for exposing some URL on my server to validate an oauth2 session/token from google during authentication, for instance, but that would be a validation url, not a redirect_url, because the user/server doesn't "go" to that url at that point in the process.
So, I don't know what to do with redirect_url because when I leave it out, things don't seem to work.
There's a lot going on in this question, so I don't really know the type of answer you're looking for. I wrote our code for authenticating our Qt app with Google SSO, and wrote the linked post discussing the problems we faced.
One thing I found confusing in the documentation and provided examples is that when defining an app in the Google console, if your client is a desktop one, there's no field for redirection URLs. Instead, the client specifies it when initiating the authentication flow, and then it's expected to open a transient server that listens for the return connection from the Google side. There's no point declaring it on the Google console because it cannot be validated unless the client app is running at the moment, and even then, it's typically a hardcoded URL like http://127.0.0.1:1234/ as you would expect.
My application has a microsoft authentication on it before logging into it & I have recorded script but when I am running it, it is showing me access denied error everytime.I have set authentication manager but still same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
for example www.abc.com?username=abc&password=abc. Replicate the same with Jmeter
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used regular expression post-processor with a capture group the first group's value will be ${variable_g1}
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password and then in the response you'll get a cookie set and potentially JWT token in the response body/URL.
I have a backend with Drupal.
Using Drupal Services to interact with. Which provides a rest server.
Created endpoint named 'api'.
Following sequence works in normal browser or any http client like postman :-
example.com/api/login (works).
api sends back user data (token,session id, session name etc).
Further any request I make, I send token as X-CSRF-Token (all requests work).
I can even logout the same session with the token received before.
IN IONIC APP :-
I can login and I also store user data (token, session data etc.) in local storage after login.
Here's the difference in app :-
When I send the same token back to server while making a request (say logout).
Server's response is "User is not Logged In."
Why does this happen?
Update :-
After logging in I tried getting the current token from the server, and it was different from the one I saved after successfully logging in.
Every time a different token is received.
I faced the same issue. Problem was i never set the cookie and chrome did this for me automatically.
Luckily i found this great site:
drupalionic.org
There are links to a view demos as well as good descriptions and code.
So what you have to do is:
- log in
- retrieve session data and set cookie
- perform subsequent requests with the cookie data and X-CSRF-Token in your header
Here is a flowchart:
Was this helpful for you?
I have a Mule application which uses the Salesforce connector.
When I started developing this application, I first used oAuth to connect to Salesforce, but it kept giving me the following error: Invalid Session ID found in SessionHeader: Illegal Session. Session not found, missing session key: <key>, so I switched to basic authentication for Salesforce.
This has worked great, but now, after some time, the application still throws the Invalid Session ID found in SessionHeader: Illegal Session. Session not found, missing session key: <key> error.
This is unexpected behaviour, since each request contains the username, password and secret token.
It looks to me like some old version is in the Mule cache or something, which makes it want to use the oAuth method again. Is this a possibility?
Any ideas on how to fix this?
#Sytze You need to check the flag in the Salesforce connector for all applications sharing the same user credentials to Disable session invalidation (disableSessionInvalidation="true"). What is likely happening is one of your other applications is invalidating the session while your current app still believes its active.
In the connector configuration , check for the correct Token code ( generated via sfdc ) .
Update the latest code and try again
Your security token that you add with your password while calling it would have expired. Create a new token for you account/email-id in salesforce and use that and it should work
Best would be to use the oAuth to call salesforce.