Testing a web application using JMeter with keycloak authentication
I am trying to test my web application using JMeter which is protected by keycloak IDP. But when I try to login using the credentials the login fails saying "Please login from the client" and keycloak logs on the server says:
2021-04-16 11:10:05,316 WARN [org.keycloak.events] (default task-400) type=LOGIN_ERROR, realmId=my-realm, clientId=null, userId=null, ipAddress=10.x.x.x, error=invalid_code
attaching the screenshot of the request I recorded using Blazemeter chrome plugin, some parameters are being sent, any idea how could we configure this?
login URL :
https://Server_Address/auth/realms/my-realm/login-actions/authenticate?session_code=iXAkZuEnl25URJPfaSd8kaTdnwCqz5CY-pZoZUb33ns&execution=0e502d98-b482-4abc-a7a5-c31d06b1f9c2&client_id=my_client&tab_id=Fa8Ggyqw3tk
Unfortunately you won't be able to just record and successfully replay your scenario without prior correlation of the dynamic parameters.
These execution and tab_id and session_code guys are something you're getting as generated when you're being redirected to Keycloak instance which authenticates the user so you need to extract these values from the previous response and replace recorded hard-coded bullshit you get with the dynamic parameters
The easiest way to extract the values is using Boundary Extractor
Also these parameters should go in query string, not in the request body
Demo:
- Where to store the refresh token on the Client?
- GitHub Clone with OAuth Access Token
- How to get refresh token for "Sign In With Google"
- How can I download a single raw file from a private github repo using the command line?
- How to properly use Bearer tokens?
- Automating access token refreshing via interceptors in axios
- How to log out of Synology SSO Server (OIDC)?
- OAuth not working inside an iframe
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Python Script Token Refresh Mechanism Problem for Spotify API
- Laravel Passport Password Grant - Client authentication failed
- Github, restricting third-party access to organizations
- UiPath CLI - github deployment to uipath cloud
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings."
- Is is safe to store access token in session storage of client browser?
- Why Google native oauth2 flow require client secret?
- How to use the Requests OAuthlib with grant-type 'Client Credentials'?
- How to get a Google OAuth 2 token for API testing
- Data intent is null in Android using universal links/applinks using react-native-app-auth
- Cognito: User Pool Client OAuth Scope Limitation
- Yahoo! Fantasy API Maximum Count?
- GitLab OAuth access token validity
- Twitter request token invalid on iOS
- Implementing OAuth 1.0 in an iOS
- How to create oAuth in Instagram?
- Swift (Xcode) REST API Connection using OAuth 1
- MapMyFitness API OAuth questions
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0