My latest project have changed the authentication that generates a JWT token, but everyone here is actually grabbing the token manually to do their front end automation and performance testing - which is ridiculous - so I want to automate the process if possible for my api testing.
You'll have to forgive me - I don't know much about JWT authentication - I understand the very basics - but that's about it - so I could do with a little advice in case anyone has done something similar before.
The way they're doing it manually is to launch a webpage (enable Chrome's Developer Tools) input a username and password and once logged in - you can see the initial POST (for the successful login) and then multiple GETs as various resources (.css, .json, .png's etc.) are retrieved. One of these GET requests (that you can see after the initial POST) includes the token value as the GET's query parameter.
e.g. the relevant GET's format is as follows:
I then set the authorization profile to the OAuth 2.0 JWT Bearer (which was a total guess on my part), completed the profile creation, pasted the tokenvalue into the field (screenshot attached) and submitted the request and it worked!
The token last for 8 hours.
So - I can manually grab the token - but this isn't automated. The whole dev team I work with are very junior - so I can't ask them questions about this (yes I know, it's a ridiculous situation to be in) because they just wont know the answer. I can see in ReadyAPI! there might be a way to retrieve the token using some OAuth profile - but the developers dont even know what OAuth profile we're using (a totally different external team developed the authentication and I cannot contact them - again - ridiculous).
I was thinking I might not be able to use the out the box OAuth JWT token retrieval functionality because I dont know what I dont know and I cant ask anyone the questions I need asked.
HOWEVER - I was wondering - considering the token value is actually a query parameter value in one of hte follow up GETs after the initial login post - is there anyway I can could grab the queryparm value from one of the many (about 10 to 15 GETs) that are made?
I've never actually seen a login request in SoapUI emulate logging into a front end resource, so I haven't got an example in my previous experience where multiple GETs were made after an initial POST in my testing.
Can anyone advise? I know it's crazy to not be able to ask the development team the relevant questions. They can't even tell me which grant method I should be using or anything at all and they cant tell me all the parameters required to emulate the POST that is the initial login (username/password) request. I'm having to record a script in JMeter to actually work out what parameters I need to submit to emulate the login POST.
I'd welcome any advice.....I'm trying to read up on OAuth as best I can - so I can work out all the different considerations i need - e.g identifying the right grant method I need to use etc.
I hope I've been clear - I know sometimes I'm not!
Thanks to all!
Solved! Go to Solution.
I've found out - they're using OAuth v2.0 with Authorization Code as the grant type - but the solution is a total bodge on that pattern.
The developer has managed to set it up in postman and just to get the authorization token takes 16 sequential REST requests!
I'm just gonna grab the postman collection! 🙂
I marked up your response as the accepted solution because this is the only way to close the ticket. and because you did try and help me.
Essentially the whole OAuth v2.0 authentication process is a total bodge and only partially relates to the Authorization Code grant type - ReadyAPI! supports the functionality to support this grant type - but the whole process has been customised to the point it bears no resemblance and isn't transferrable - hence the reason why I didn't add the solution of what I'm doing
The process I'm using has 16 REST requests (a couple POSTs but mostly GETs) and nowhere else would use this approach. Essentially the Technical Architect that was supposed to be reviewing the solution left and the developers did whatever they could to get the process to work - but architecturally - the approach is an antipattern and would never, ever be used elsewhere.
If perhaps one of the forum admins would be able to delete the post - that would make more sense - @Olga_T - is there any chance you could delete this topic? ta
I understand that the situation you faced is very specific, and there is a possibility that nobody else will face it.
However, I would prefer to leave the topic as it is - this may give other users some thoughts or directions where to move forward.
This is what we have a community for. Sometimes, we cannot give the only one solution. However, we can give clues and suggestions for other community members. Does it make sense?
you guys are right - there is still some transferrable stuff that I can publish that might help some people. I'm just finishing off the automation now and once it's complete I'll review and then publish the generic steps I think would help people,
Thanks for sharing your investigations you've done to find solutions. We really appreciate it!