abstracta / jmeter-java-dsl

Simple JMeter performance tests API
https://abstracta.github.io/jmeter-java-dsl/
Apache License 2.0
477 stars 59 forks source link

Request for Bearer Token support in httpAuth() #175

Open Thunderforge opened 1 year ago

Thunderforge commented 1 year ago

Per the user guide:

Currently httpAuth() only provides basicAuth method. If you need other scenarios, please let us know by creating an issue in the repository.

The scenario I need is Bearer Token, so I'm posting an issue in the repository to let you know I need it 😀

rabelenda commented 1 year ago

Great! thank you for asking for this! :)

Since this is not something the JMeter Auth Manager already supports (I guess due to httpClient library api limitations), which got my attention the first time I tried this, we would need to implement some custom solution if we want to simplify this over what JMeter already provides.

The usual way to solve this in JMeter is adding http headers manually, which you can do with DSL with httpHeaders element or header method in httSampler.

I will open for discussion how can we further simplify this, so anyone can take part of the decision.

Some options

httpAuth.bearerAuth

I think bearer token, taking into consideration already supported basic auth, could be expressed with something like this:

httpAuth()
  .bearerAuth("https://myservice.com", "myToken")

Implementation options

hidden HTTP Header Manager

DSL adds a HTTP header manager setting the token

JSR223 pre & post processor

DSL adds JSR223 pre processor which checks sampler URL and adds header manager (or modifies existing one) to sampler on the fly.

Extend JMeter & httpClient Authentication

httpHeaders & httpSampler new method

Just add an auxiliary method to existing httpHeaders & sampler which allows to easily set auth token. Eg:

httpHeaders()
  .bearerAuth("myToken")

Not implement new logic

Just keep with existing JMeter option of using httpHeaders.header("Authorization", "Bearer TOKEN")

Anyone has any thoughts? Any other ideas? Comments? Pros & Cons?

Thunderforge commented 1 year ago

My personal preferred solution would be some sort of .bearerAuth() method that works like the existing basicAuth() method. I'm not understanding the distinction between:

httpAuth()
  .bearerAuth("https://myservice.com", "myToken")

and

httpHeaders()
  .bearerAuth("myToken")

Is it just a matter of scope limitation where in the former the token is limited to https://myservice.com? If so, that looks like enhanced functionality beyond what basicAuth() currently does.

rabelenda commented 1 year ago

Hello, thank you for taking the time to review the ideas and give some feedback.

Yes, the difference between the first one and the second one, is that the first one should apply only to urls that start with given URL. Why do you say it looks like enhanced functionality beyond what basicAuth() currently does? basicAuth() requires you too to set a URL which in fact is used to control when should it add the basic header (according to request URL), and when it shouldn't.

If we think the first one should be preferred, so far I think the best approach, considering pros/cons is adding jsr223Pre & post processors with a note on the DSL method stating that downloadEmbeddedResources() should be avoided when using httpAuth().bearerAuth().

Any thoughts @kirillyu , @andy-tarr , or anyone else?

kirillyu commented 1 year ago

I tend to agree with you on this.

Thunderforge commented 1 year ago

Why do you say it looks like enhanced functionality beyond what basicAuth() currently does?

I think that I was mixing basicAuth() up with httpHeaders() (the way I have been doing it bearer tokens), which does not require a URL. Consistency with the other authentication methods is fine with me.