Performance Testing of OAuth 2.0 Secured APIs using JMeter

Author: Peeyush Kandoi


There are two main keywords in the headline: one is OAuth 2.0 and the other is JMeter. Both terms are very familiar to all of us.

OAuth 2.0 – According to OAuth’s website, the protocol is not unlike a valet key:

Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key while using your regular key to unlock everything.

JMeter – Apache JMeter is an Apache project that can be used as a load testing tool for analyzing and measuring the performance of a variety of services.

OAuth 2.0 Flow

This is the generic flow; it applies irrespective of the Authorization Grant Type that we pass in the Authorization Grant request to get the access token.

As per the flow, to call an OAuth 2.0 secured API we first need to call the token URL to get the access token, and then use that access token to call the main API.

One way to do this in JMeter is to get the access token using Postman and then paste that access token into the main API call implemented in JMeter. But this is extra effort, and it also hampers the throughput of our test in JMeter.

So instead, we will see how to implement both API calls in JMeter itself and how the generated access token is used to call the main API.

JMeter Configuration

1. Create an HTTP Request for the API that generates the OAuth token

a) Add an HTTP Request element: Thread Group -> Add -> Sampler -> HTTP Request

b) This HTTP Request calls the token API to get the access token. We are using the client credentials grant type in this example. Below are the details of the required parameters, client-id, client-secret, grant_type, and scope, that we need to pass as request parameters.

c) There are two ways to extract the token value:

  1. Add a ‘JSON Extractor’ (Add -> PostProcessors -> JSON Extractor) under the HTTP Request. We will use it to fetch the dynamic access token from the response. The configuration is as shown below.
  2. Add a ‘Regular Expression Extractor’ (Add -> PostProcessors -> Regular Expression Extractor) under the HTTP Request. We will use it to fetch the dynamic access token from the response. The configuration is as shown below.

2. Create another HTTP Request, which we will use to call the main API, passing the access_token already generated by the previous HTTP Request. Below is the configuration for this HTTP Request:

To read the access_token extracted from the previous HTTP Request and attach it to this one, we add a BeanShell PreProcessor (Add -> PreProcessors -> BeanShell PreProcessor) under this request, as shown below. It adds a header to this request with the name ‘Authorization’ and the value ‘Bearer ’ followed by the generated access token.

3. We will use a CSV Data Set Config (Add -> Config Element -> CSV Data Set Config) to pass the payload in the request dynamically:
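The BeanShell PreProcessor from step 2, written out as an added example (this is not the post's own script). It assumes the extractor on the token request stored the token in a JMeter variable named `access_token` (for the JSON Extractor, JSON path `$.access_token`); that variable name is an assumption, and the main API request must have an HTTP Header Manager added under it, because the script attaches the header through it.

```java
// Added example: BeanShell PreProcessor attached to the main API HTTP Request.
// Assumes the token extractor stored the token in the variable "access_token"
// (assumed name) and that an HTTP Header Manager exists under this request.
import org.apache.jmeter.protocol.http.control.Header;
import org.apache.jmeter.protocol.http.control.HeaderManager;

// "vars" and "sampler" are the standard JMeter variables exposed to BeanShell:
// vars holds the thread's variables, sampler is the request being prepared.
String token = vars.get("access_token");

if (token == null || token.trim().length() == 0) {
    // Extraction failed (for example, the token endpoint returned an error).
    // Without this check the main call would go out unauthenticated and show
    // up as a 401 in the Summary Report with no hint as to why.
    log.error("access_token is empty; check the token request and its extractor");
} else {
    // getHeaderManager() returns null when no HTTP Header Manager is attached,
    // so guard against it instead of failing with a NullPointerException.
    HeaderManager headers = sampler.getHeaderManager();
    if (headers == null) {
        log.error("Add an HTTP Header Manager under the main API request first");
    } else {
        // Drop any stale Authorization header (e.g. from an earlier iteration)
        // before adding the freshly extracted token.
        headers.removeHeaderNamed("Authorization");
        headers.add(new Header("Authorization", "Bearer " + token));
    }
}
```

The same script runs unchanged in a JSR223 PreProcessor with Groovy, which JMeter recommends over BeanShell for better performance under load.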

Summary Report

Below is the Summary Report after configuring the number of threads as 1. We can see that we got one request each for HTTPRequestGenerateToken and the HTTPRequest Main call.

View Results Tree

Below is the response of the HTTPRequestGenerateToken call, and we can see in the output:

Response Header

Response Body


In this blog we saw that we can test OAuth 2.0 secured APIs using JMeter. I hope you learned something new from it.
