Load testing a service that utilizes OAuth for authentication and authorization can be a bit challenging. Note that there are many different flavors of OAuth and we won’t discuss them all.
What is OAuth?
The OAuth 2 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth 2 is used in a wide variety of applications, including providing mechanisms for user authorization.
It allows third-party services to use an end user's information without the user revealing their personal credentials.
How to load test with OAuth 2 authorization
There are multiple approaches to testing an OAuth-based application. The following steps have been working out pretty well so far:
- You don’t need to test your OAuth service
- Prefer to only make requests to the system you want to load test
- Calling an identity provider during the load test affects the measured performance and will return inaccurate results
- Provide bearer tokens as fixtures and do not create them dynamically
- Send the bearer token in the request header
"Authorization": "Bearer RsT5OjbzRn430zqMLgV3Ia"
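The fixture approach from the list above, sketched as an added example (not code from the original post or from any particular load testing tool). It assumes a hypothetical CSV fixture with `token` and `expires_at` columns and constructed token values; the expiry filter goes beyond the steps above, because a pre-issued token that expires mid-run turns into 401 responses that distort the results, and the `redact` helper keeps token values out of test logs.

```python
import csv
import io
import itertools
from datetime import datetime, timedelta, timezone

# Constructed fixture: pre-issued tokens with their expiry time (UTC).
# Column names and token values are made up for this example.
FIXTURE_CSV = """token,expires_at
tok-aaaaaaaaaaaaaaaa,2030-01-01T12:00:00+00:00
tok-bbbbbbbbbbbbbbbb,2030-01-01T10:05:00+00:00
tok-cccccccccccccccc,2030-01-01T13:30:00+00:00
"""

def load_tokens(fixture_text, test_start, test_duration):
    """Return only the tokens that stay valid until the test run ends."""
    test_end = test_start + test_duration
    usable = [
        row["token"]
        for row in csv.DictReader(io.StringIO(fixture_text))
        if datetime.fromisoformat(row["expires_at"]) > test_end
    ]
    if not usable:
        raise ValueError("no fixture token outlives the test run")
    return usable

def auth_headers(token):
    """Build the request header exactly as shown in the text above."""
    return {"Authorization": f"Bearer {token}"}

def redact(token):
    """Shortened form for logs, so full bearer tokens never reach test output."""
    return token[:4] + "..."

def assign(tokens, virtual_users):
    """Spread the fixture tokens round-robin over the virtual users."""
    cycle = itertools.cycle(tokens)
    return {vu: auth_headers(next(cycle)) for vu in range(virtual_users)}

if __name__ == "__main__":
    start = datetime(2030, 1, 1, 10, 0, tzinfo=timezone.utc)
    tokens = load_tokens(FIXTURE_CSV, start, timedelta(minutes=30))
    for vu, headers in assign(tokens, 3).items():
        token = headers["Authorization"].split(" ", 1)[1]
        print(f"virtual user {vu} uses token {redact(token)}")
```
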