Testing OAuth based Services

Load testing a service that utilizes OAuth for authentication and authorization can be a bit challenging. Note that there are many different flavors of OAuth and we won't discuss them all.

What is OAuth?

The OAuth 2 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth 2 is used in a wide variety of applications, including providing mechanisms for user authorization.

It allows third-party services to use an end user's information without the user revealing their personal credentials.

If you want more detailed information on how OAuth 2 works, visit oauth.net or this simplified article by Aaron Parecki.

How to load test with OAuth 2 authorization

There are multiple approaches to testing an OAuth-based application. The following steps have been working out pretty well so far:

  • You don't need to test your OAuth service
  • Prefer to only make requests to the system you want to load test
  • Calling an identity provider during the load test impacts the performance and will return inaccurate results
  • Provide bearer tokens as fixtures and do not create them dynamically
  • Send the bearer token in the request header:

session.get("/users/1", {
  headers: {
    "Authorization": "Bearer RsT5OjbzRn430zqMLgV3Ia"
  }
});