[Azure Load Testing] - Authenticating - Auth with certificate

Oz Mizrahi 0 Microsoft Intern

I am trying to run a load test for my service, and I need to obtain an AAD bearer token to communicate with my service. Until now, I used secret-based authentication and use the GetSecret() method for the client_secret in my jmx test script and then added as a parameter KV reference to my secret.

However, I now need to use certificate-based authentication and have not found a way to do it without the secret. Is there any way to authenticate using a certificate instead of a secret? Any help or guidance would be greatly appreciated.

Sina Salam 11,991 Reputation points

2024-05-29T16:22:07.9933333+00:00
Hello Oz Mizrahi,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are moving from using secret-based authentication to certificate-based authentication to get an Azure Active Directory (AAD) bearer token for their load testing script. You need a way to authenticate with a certificate because all the information you have found so far only explains how to use secrets, and they haven't figured out how to do it with a certificate instead.

Solution

This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement. Yes, Azure Load Testing does support certificate-based authentication. You can use your certificate stored in Azure Key Vault along with your load tests.

You can actually do this by using:

Implementing within a JMX script and including handling JWT assertions and integrating with existing scripts.

Using Azure Key Vault and referencing the certificate in the load test configuration but did not delve into specific implementation details.

While the step by steps might be too much on this page, I will provide high-level guidance. You should let me know your preferred options or use the reference links provided.

Option 1:

To transition from secret-based authentication to certificate-based authentication for obtaining an Azure Active Directory (AAD) bearer token in your load testing script, follow these steps:

Use tools like OpenSSL or PowerShell to generate/create a certificate.

Upload the Certificate to Azure AD.

Modify Your JMX Script for Certificate-Based Authentication.

Ensure that the JWT assertion generation and token request are integrated into your JMX script. This might involve scripting within JMeter to call the Java class or method that performs these tasks.

Update JMX Test Script to Use the Token.

Option 2:

You can use your certificate stored in Azure Key Vault along with your load tests. The general flow for authenticating with client certificates is here below:

Securely store the client certificate in Azure Key Vault.

Reference the certificate in the load test configuration.

Azure Load Testing transparently passes the certificate to all application requests in JMeter.

This way, you can authenticate to application endpoints which require a client certificate for authentication.

References

For details step by steps and more reading, kindly use the below links and also, check the additional resources provided by the right side of this page.

Load test authenticated endpoints: https://learn.microsoft.com/en-us/azure/load-testing/how-to-test-secured-endpoints

Azure Load Testing: https://learn.microsoft.com/en-us/azure/load-testing/how-to-create-manage-test

Azure Load Testing supports authenticating with client: https://azure.microsoft.com/en-us/updates/public-preview-azure-load-testing-supports-authenticating-with-client-certificates/

Best Regards,

Sina Salam
Oz Mizrahi 0 Reputation points Microsoft Intern

2024-06-02T08:16:19.2766667+00:00

Hello!

Thank you very much for your response.

I am trying to work on the second scenario (Azure Key Vault reference), but I have not had any success. I keep getting 401 - Unauthorized error code.

In my HTTP post's request, I need to pass in the header this parameter:
Authorization: Bearer XXX
to make the authenticate.

What should I do istead?
Sina Salam 11,991 Reputation points

2024-06-02T16:12:09.6533333+00:00
Hi Oz Mizrahi,

Thank you for your feedback and sorry for the error.

Kindly let me know what you've done and at what stage the error comes up.

However, in case you miss this part of configurations on adding HTTP Header Manager.

Add HTTP Header Manager:

In your JMeter Test Plan, right-click on the HTTP Request sampler.

Select "Add" > "Config Element" > "HTTP Header Manager".

Configure the Authorization Header:

Click "Add".

In the "Name" field, enter Authorization.

In the "Value" field, enter Bearer YOUR_ACCESS_TOKEN.
Authorization: Bearer YOUR_ACCESS_TOKEN

Ensuring Certificate is Used in JMeter

Add the Certificate to JMeter:

In the JMeter properties or directly in the test plan, ensure that the client certificate is referenced. This can often be done by adding a keystore configuration in JMeter's system properties.

Reference Certificate in JMeter:

Set the JMeter property for the keystore: -Djavax.net.ssl.keyStore=path_to_your_keystore.jks -Djavax.net.ssl.keyStorePassword=your_keystore_password -Djavax.net.ssl.keyStoreType=JKS

You may need to add these properties in the JMeter startup script or the user.properties file in the JMeter bin directory.

By observing necessary configuration and above settings is completed. You should be able to resolve the 401 Unauthorized error and successfully authenticate your requests using both a client certificate and a Bearer token in Azure Load Testing.

Success,

Sina
Elena Colominschi 0 Reputation points Microsoft Employee

2024-06-06T09:01:03.4866667+00:00

Hello @Sina Salam and @Oz Mizrahi ,

I am working on the same issue and I am trying the first option. Also, it is a little unclear for me how to modify the jMeter script to call some java methods in order to generate the bearer token. @Sina Salam could you please help me with more information regarding this?

Thanks a lot,

Elena
Sina Salam 11,991 Reputation points

2024-06-07T22:24:11.41+00:00
Hi Elena Colominschi,

Thank you for your feedback.

The high-level steps provided in option 1 is clear enough if you are really working on similar project.

However, how to modify the jMeter script to call some java methods in order to generate the bearer token. With respect to generating the bearer token and using it within the JMeter test put into consideration the followings:

Ensure you import all necessary libraries for token generation.

Implement generateBearerToken Method, this method should include the logic to generate the JWT assertion, request the token, and return it.

Use the Bearer Token in HTTP Requests, once the token is generated, you need to set it as a JMeter variable so it can be used in subsequent HTTP requests.

Add the JARs and Classes to JMeter, to ensure the required JAR files and the compiled Java class are available in the JMeter classpath.

NOTE: I was unable to add code snippets at this time, because it was too long, I could not add it. I think it would have been good as another question.

Regards,

Sina
Oz Mizrahi 0 Reputation points Microsoft Intern

2024-06-09T07:45:19.56+00:00
Hi @Sina Salam ,

regard your instructions,

Regarding your instructions to configure the Authorization Header:

Authorization: Bearer YOUR_ACCESS_TOKEN

I am encountering an issue. You suggested writing "Bearer YOUR_ACCESS_TOKEN" in the Authorization Header; however, at this point, I do not yet have the token.

Could you please provide guidance on how to proceed?

Thanks,

Oz
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sina Salam 11,991 Reputation points

2024-06-09T19:02:48.59+00:00
Hi Oz Mizrahi,

Thank you for your feedback and response too.

Regarding your question for more clarity

Regarding your instructions to configure the Authorization Header: HTMLCopy

` Authorization: Bearer YOUR_ACCESS_TOKEN `

I am encountering an issue. You suggested writing "Bearer YOUR_ACCESS_TOKEN" in the Authorization Header; however, at this point, I do not yet have the token. Could you please provide guidance on how to proceed?

I would like to ask which service you are trying to access to receive an access token. This could be through a login form, OAuth2 flow, or API request, depending on the service. So, you will need to obtain the Access Token.

For example, in my case using OAuth2, I often need to send a request to the authorization server with the client credentials to receive the token.

Suppose you are using OAuth2 to get an access token. You might need to send a POST request to the token endpoint with the necessary credentials. This is an example using cURL:

curl -X POST 'https://authorization-server.com/oauth/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=client_credentials' \ -d 'client_id=YOUR_CLIENT_ID' \ -d 'client_secret=YOUR_CLIENT_SECRET'

Then, the response will include the access token:

{ "access_token": "YOUR_ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 3600 }

So, after you got the token, you can configure the Authorization Header using JavaScript (fetch API) like this:

const token = 'YOUR_ACCESS_TOKEN'; // replace with the actual token fetch('https://api.yourservice.com/data', { method: 'GET', headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' } }) .then(response => response.json()) .then(data => console.log(data)) .catch(error => console.error('Error:', error));

I am 100% sure with this above instruction you will be able to configure the Authorization Header with a token.

Success,

Sina

1 answer

Oz Mizrahi 0 Reputation points Microsoft Intern

2024-06-10T04:30:38.3133333+00:00
Hi @Sina Salam

To receive an access token, I am using the OAuth2 flow. I'll try to be more clear about the process I've implemented so far.

Until now, my flow has been as follows:

I had a user-defined variable for retrieving the client secret, which I referenced in the Load Test environment:

${__GetSecret(client_secret)}

I used this variable in my POST request:

curl -X POST 'https://login.microsoftonline.com/${__P(tenant_id)}/oauth2/token' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=${__P(client_id)}&client_secret=${client_secret}&resource=https://api.kusto.windows.net'

Next, I added two processors (JSON Extractor and JSR223) to retrieve the token from the response:

props.put("access_token", "${token}")

I was then able to use the access_token in my desired requests that required a Bearer token, with this header:

Bearer ${__property(access_token)}

In the new flow, I need to use a certificate that stored in Azure Key Vault instead of the client secret that I used so far.

Best regards,

Oz
Please sign in to rate this answer.
Sina Salam 11,991 Reputation points

2024-06-10T04:57:58.2166667+00:00

Hello

Thank you for your feedback. I have the below sample code that was tested by the last response, try to implement I strongly believe it will work.

Regarding your explanation that you are using OAuth2 to get an access token. You will need to send a POST request to the token endpoint with the necessary credentials. This is an example using cURL:

curl -X POST 'https://authorization-server.com/oauth/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=client_credentials' \ -d 'client_id=YOUR_CLIENT_ID' \ -d 'client_secret=YOUR_CLIENT_SECRET'

Then, the response will include the access token:

{ "access_token": "YOUR_ACCESS_TOKEN", "token_type": "Bearer", "expires_in": 3600 }

So, after you got the token, you can configure the Authorization Header using JavaScript (fetch API) like this:

const token = 'YOUR_ACCESS_TOKEN'; // replace with the actual token fetch('https://api.yourservice.com/data', { method: 'GET', headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' } }) .then(response => response.json()) .then(data => console.log(data)) .catch(error => console.error('Error:', error));

I am 100% sure with this above instruction, you will be able to configure the Authorization Header with a token.

Success,

Sina

Oz Mizrahi 0 Reputation points Microsoft Intern

2024-06-18T07:10:59.0866667+00:00

Hi again @Sina Salam ,

I am not really sure if my last message was clear enough, so I rewrited it. What you sampled above is what I did until now with the client secret. The problem is that now I cannot use the client secret, so my OAuth2 post request should be different and use a certificate instead.

Sina Salam 11,991 Reputation points

2024-06-18T11:58:14.4633333+00:00

Hi

The thread is long overdue to close. However, to use a certificate for authentication instead of a client secret in your OAuth2 flow, you typically use the client assertion (JWT) method.

Srikant G 0 Reputation points Microsoft Employee

2024-07-26T10:07:46.2766667+00:00

You did not answer the question at all. The question is - after adding a certificate in the load test in azure portal in Certificates section, how do we reference the certificate inside JMeter. We want to use the certificate contents in a JAR to create a confidential client application.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

[Azure Load Testing] - Authenticating - Auth with certificate

Solution

References

1 answer

Your answer