OAuth Testing

Load testing a service that utilizes OAuth for authentication and authorization can be a bit challenging. Note that there are many different flavors of OAuth and we won’t discuss them all.

What is OAuth?

The OAuth 2 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth 2 is used in a wide variety of applications, including providing mechanisms for user authorization.

It allows third-party services to use end-user information without the end users revealing their personal credentials.

For more detailed information on how OAuth 2 works, visit oauth.net or this simplified article by Aaron Parecki.

How to load test with OAuth 2 authorization

There are multiple approaches to testing an OAuth-based application. The following guidelines have been working out pretty well so far:

  • You don’t need to test your OAuth service
  • Prefer to only make requests to the system you want to load test
  • Calling an identity provider during the load test impacts the performance and will return inaccurate results
  • Provide bearer tokens as fixtures and do not create them dynamically
  • Send the bearer token in the request header:
session.get("/users/1", {
  headers: {
    "Authorization": "Bearer RsT5OjbzRn430zqMLgV3Ia"
  }
})
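
One way to prepare bearer tokens as fixtures before a run, shown as an added example that is not part of the original page or the load testing tool's own API. The CSV layout (user_id, token, expires_at), the function names and the token values are assumptions made for illustration; it assumes the expiry of each token is recorded when the fixture is generated.

```javascript
// Constructed fixture: user_id,token,expires_at (ISO 8601). Token values are made up.
const FIXTURE_CSV = `user_id,token,expires_at
1,RsT5OjbzRn430zqMLgV3Ia,2030-01-01T00:00:00Z
2,q8Zt1LmPx02YwKe7HdUv4B,2030-01-01T00:00:00Z
3,expiredTokenExample000,2020-01-01T00:00:00Z
4,,2030-01-01T00:00:00Z`;

// Parse the fixture and keep only tokens that stay valid until the test ends.
// A token expiring mid-run yields 401 responses that distort the results.
function loadTokenFixtures(csvText, testEndsAt) {
  const [header, ...rows] = csvText.trim().split(/\r?\n/);
  const cols = header.split(",").map((c) => c.trim());
  const usable = [];
  const rejected = [];
  for (const row of rows) {
    const values = row.split(",").map((v) => v.trim());
    const rec = Object.fromEntries(cols.map((c, i) => [c, values[i] || ""]));
    const expires = Date.parse(rec.expires_at);
    let reason = null;
    if (!rec.token) reason = "missing token";
    else if (Number.isNaN(expires)) reason = "bad expiry";
    else if (expires <= testEndsAt.getTime()) reason = "expires before test ends";
    if (reason) rejected.push({ userId: rec.user_id, reason });
    else usable.push({ userId: rec.user_id, token: rec.token });
  }
  return { usable, rejected };
}

// Hand out tokens round-robin so simulated clients do not all share one identity.
function makeHeaderPicker(usable) {
  if (usable.length === 0) throw new Error("no usable bearer tokens in fixture");
  let next = 0;
  return () => {
    const { userId, token } = usable[next++ % usable.length];
    return { userId, headers: { Authorization: `Bearer ${token}` } };
  };
}

// Tokens are credentials: log only a short prefix, never the full value.
function redact(token) {
  return token.slice(0, 4) + "...";
}

const { usable, rejected } = loadTokenFixtures(FIXTURE_CSV, new Date("2029-01-01T00:00:00Z"));
const pick = makeHeaderPicker(usable);
const first = pick();
console.log(`user ${first.userId} uses token ${redact(first.headers.Authorization.slice(7))}`, rejected);
// first.headers has the same shape as the headers object passed to session.get above.
```

Issue fixture tokens from a test-only client with the narrowest scope the test needs, and keep the fixture file out of version control.
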
Last modified August 3, 2022