Authorization using XSRF-TOKEN


Ajith md

Oct 3, 2023, 12:35:39 PM
to codename-taurus

Hi,

I need to invoke a URL, using both Authorization Bearer token and X-XSRF-TOKEN.

Scenario in detail: 

  1. Get Authorization Bearer token from IAM URL.
  2. Pass above token to Second URL and get X-XSRF-TOKEN.
  3. Do the performance test for the Third URL, by authenticating it using the above two tokens.

.yml file

scenarios:
  iam:
    variables:
      userToken: no token
      xsrfToken: no token
    requests:
      - url: https://URL1
        method: POST
        label: iam
        body:
        headers:
        extract-jsonpath:
          userToken: $.access_token
      - url: https://URL2
        method: GET
        label: token
        headers:
          Authorization: Bearer ${__base64Encode(${userToken})}
        extract-jsonpath:
          xsrfToken: $.xsrf-token
      - url: https://URL3
        method: POST
        label: home
        headers:
          Authorization: Bearer ${__base64Encode(${userToken})}
          X-XSRF-TOKEN: {xsrfToken}
        body-file: bodyFile.txt


The first two URLs are working fine, but the third one fails with the exception “HTTP Status 403 – Forbidden” (error message from the error.jtl file).

The same URLs are working fine in Postman requests.

The required executor is JMeter.

I am not sure if I am passing the token correctly. Request your support in resolving this exception.

DT

Oct 4, 2023, 2:06:49 AM
to codename-taurus
You need to ensure that Taurus (JMeter) sends the same requests as Postman does. Once you configure JMeter to send exactly the same requests as Postman does (apart from dynamic parameters which need to be correlated) the "exception" will be resolved.

A couple of hints which might be useful:
  1. If you run Taurus as bzt /path/to/your/test.yaml -gui it will open JMeter GUI and you will be able to run the test and see requests and responses bodies including any variables in the View Results Tree listener.
  2. It's possible to amend Taurus results file configuration to store requests and responses details. See CSV File Content Configuration and How to Save Response Data in JMeter articles for more details.
  3. Normally it's not needed to encode tokens; they should be passed as they are. I believe it's sufficient to remove the __base64Encode() function and your test will start "working fine".

Ajith md

Oct 4, 2023, 4:57:13 AM
to codename-taurus

Thanks a lot for the quick response.
Could you please provide some insights for the below updates?


Tried the hints provided above.
Hint 1:
In the GUI (JMeter -> Request -> Request Header), it's showing X-XSRF-TOKEN not found.
But the X-XSRF-TOKEN is present in (JMeter -> Request -> Request Body)

X-XSRF-TOKEN: NOT_FOUND

Also tried by modifying the code as below:

X-XSRF-TOKEN: 

            xsrfToken: ${xsrfToken}

Output in JMeter

X-XSRF-TOKEN: {'xsrfToken': 'NOT_FOUND'}

Hint 3:
Didn't work if I remove __base64Encode().

Hint 2:
Yet to be tried.



DT

Oct 4, 2023, 5:41:53 AM
to codename-taurus
It looks like a typo, you need to change this line:

X-XSRF-TOKEN: {xsrfToken}

to this one:

X-XSRF-TOKEN: ${xsrfToken}

If it "doesn't work" again, check your JSONPath expression against the real response data using the "JSON Path" tester mode of the View Results Tree listener. Additionally, make sure that the variable exists and has its anticipated value using i.e. Debug Sampler or Debug Post-Processor.

Ajith md

Oct 4, 2023, 7:17:12 AM
to codename-taurus
Thank you..
Tried by updating the typo also, as mentioned above. Still it's failing.
Will explore using JSON Path and Debug Sampler as mentioned above. 

Ajith md

Oct 4, 2023, 10:45:02 AM
to codename-taurus
Thank you for your support and hints.
X-XSRF-TOKEN was having null from the previous response. It is available in Cookie, not in the json response.
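
The finding in the last post (the token is delivered in a cookie, not in the JSON body) maps to a Taurus regexp extractor that searches the response headers instead of the body. The configuration below is an added example, not part of the thread: the cookie name XSRF-TOKEN is an assumption, and the Authorization header and the empty body/headers keys of the first request are kept exactly as originally posted.

```yaml
scenarios:
  iam:
    variables:
      userToken: no token
      xsrfToken: no token
    requests:
      - url: https://URL1
        method: POST
        label: iam
        body:        # left empty, as in the thread
        headers:     # left empty, as in the thread
        extract-jsonpath:
          userToken: $.access_token
      - url: https://URL2
        method: GET
        label: token
        headers:
          Authorization: Bearer ${__base64Encode(${userToken})}
        # The token is not in the JSON body, so extract-jsonpath returns the
        # default. Search the response headers for the Set-Cookie line instead.
        extract-regexp:
          xsrfToken:
            # Assumed cookie name: XSRF-TOKEN. Confirm the real name in the
            # response headers shown by the View Results Tree listener.
            regexp: '(?i)Set-Cookie: XSRF-TOKEN=([^;\s]+)'
            subject: headers     # default subject is body
            default: NOT_FOUND   # makes a failed match visible in the request
            match-no: 1
            template: 1          # first capture group = cookie value
      - url: https://URL3
        method: POST
        label: home
        headers:
          Authorization: Bearer ${__base64Encode(${userToken})}
          X-XSRF-TOKEN: ${xsrfToken}   # note the leading $
        body-file: bodyFile.txt
```

If the third request still carries X-XSRF-TOKEN: NOT_FOUND, the regexp did not match the headers returned by the second URL.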
