Stopwatch

Creating A Realistic Performance Test Using The Refresh Token Endpoint In Jmeter

20-01-2024 by Roy de Kleijn

When conducting performance testing, it's vital to simulate user behavior as accurately as possible. A typical scenario involves testing a JWT-protected API over an extended period, which presents a challenge when the token has a short expiration time. In this blog post, we'll discuss how to create a realistic test in JMeter for an API that retrieves invoices and is protected by JWT, focusing on the efficient use of the refresh token mechanism.

The Challenge:

We aim to test an API endpoint (/invoices) that requires a valid JWT token. The token is initially obtained via a /users/login endpoint but only remains valid for 300 seconds. To renew it without logging in again and again, we'll use the /users/refresh endpoint.

JMeter Setup:

Here are the steps to set up this test in JMeter:

  • Checking Token Generation Timestamp:
    • Define tokenGenerationTimestamp with the value 0 in a User Defined Variables element. It holds the epoch time in milliseconds of the last token generation. Without this initial value JMeter leaves ${tokenGenerationTimestamp} unexpanded and the comparison below does not evaluate as intended.
    • Use an If Controller with the JEXL3 condition ${__jexl3(${tokenGenerationTimestamp} == 0,)} to check whether a token has been obtained yet. Tick "Interpret Condition as Variable Expression?" so that the already evaluated function result is used as the condition.
  • Initial Login and Token Extraction:
    • Inside the If Controller, make a POST request to /users/login.
    • Extract the token and expires_in values from the login response into the JMeter variables TOKEN and EXPIRES_IN (for example with a JSON Extractor).
    • Record the acquisition time in a JSR223 PostProcessor with vars.put("tokenGenerationTimestamp", "${__time(,)}"). If script caching is enabled, use vars.put("tokenGenerationTimestamp", String.valueOf(System.currentTimeMillis())) instead, because a ${...} reference inside a cached JSR223 script is only expanded once.
  • Checking Token Expiration:
    • Use a second If Controller with ${__jexl3((${__time(,)} - ${tokenGenerationTimestamp}) > (${EXPIRES_IN} * 900))} to check whether the token is close to expiring. __time returns milliseconds and EXPIRES_IN is in seconds, so the factor 1000 × 0.9 = 900 puts the threshold at 90% of the token lifetime (270 seconds for a 300-second token). The remaining 10% is the safety margin: it must be longer than the largest possible gap between this check and the next request, otherwise that request can still hit an expired token.
  • Refreshing the Token:
    • If the token is almost expired, send a GET request to /users/refresh to obtain a new token, authenticated with whatever credential the endpoint expects (typically the current Bearer token, which must still be valid at that moment).
    • Extract the new token (and expires_in) and update tokenGenerationTimestamp exactly as after the login.
  • Performing the Invoice Retrieval:
    • Now make the GET request to /invoices.
    • Set the Authorization header to Bearer ${TOKEN} in an HTTP Header Manager to pass the JWT token.
    • As a safety net, add a check on the response code of this sampler that resets tokenGenerationTimestamp to 0 on a 401, so the next iteration logs in again instead of failing for the rest of the test.

[Screenshot: Refresh Token Test Plan]

Expected Test Behavior:

  • POST /users/login is called only once per thread (virtual user), at the start of that thread. JMeter variables are thread-local, so every thread keeps its own token and timestamp.
  • GET /invoices is called many times, simulating continuous use of the API over time.
  • GET /users/refresh is called periodically, just before the token expires, which keeps the load on the login endpoint low.
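
To check this policy without a JMeter installation, here is an added Python model of one thread's loop. It is example code written for this post's technique, not the author's test plan and not JMeter code. The fake server, the token format, the 300-second lifetime and the 10-second iteration time are all constructed for the example, and the assumption that /users/refresh is authenticated with the still-valid current token is mine as well. The model reproduces the steps above: log in when tokenGenerationTimestamp is 0, refresh once the token age passes 90% of expires_in, reset the timestamp on a 401, and count how often each endpoint is hit. It also goes beyond the post by showing two failure modes: running the refresh check with no margin (fraction 1.0) and a stall longer than the margin that makes the refresh arrive after the token has expired.

```python
"""Offline model of the JMeter login / refresh / invoices loop.

One simulated JMeter thread runs the loop against a fake auth server with a
controllable clock, so the refresh policy can be exercised without a real API.
Everything here (endpoint behaviour, token format, timings) is constructed for
the example; it is not the blog's test plan.
"""
import itertools

EXPIRES_IN_S = 300             # token lifetime used in the post
START_MS = 1_700_000_000_000   # epoch ms, like JMeter's ${__time(,)}; never 0


def needs_refresh(now_ms, token_ts_ms, expires_in_s, fraction=0.9):
    """The If Controller condition: (now - ts) > expires_in * 1000 * fraction.
    With fraction 0.9 the multiplier is 900, as in the post's JEXL3 expression."""
    return (now_ms - token_ts_ms) > expires_in_s * 1000 * fraction


class FakeAuthServer:
    """Constructed stand-in for /users/login, /users/refresh and /invoices."""

    def __init__(self, expires_in_s=EXPIRES_IN_S):
        self.expires_in_s = expires_in_s
        self._issued_at = {}            # token -> issue time (ms)
        self._seq = itertools.count(1)
        self.calls = {"login": 0, "refresh": 0, "refresh_401": 0,
                      "invoices": 0, "invoices_401": 0}

    def _issue(self, now_ms):
        token = f"jwt-{next(self._seq)}"
        self._issued_at[token] = now_ms
        return {"token": token, "expires_in": self.expires_in_s}

    def _valid(self, token, now_ms):
        issued = self._issued_at.get(token)
        return issued is not None and (now_ms - issued) < self.expires_in_s * 1000

    def login(self, now_ms, user, password):
        self.calls["login"] += 1
        return 200, self._issue(now_ms)

    def refresh(self, now_ms, bearer):
        # Assumption: refresh is authenticated with the current, still valid token.
        self.calls["refresh"] += 1
        if not self._valid(bearer, now_ms):
            self.calls["refresh_401"] += 1
            return 401, None
        return 200, self._issue(now_ms)

    def invoices(self, now_ms, bearer):
        self.calls["invoices"] += 1
        if not self._valid(bearer, now_ms):
            self.calls["invoices_401"] += 1
            return 401, None
        return 200, [{"id": 1, "amount": 12.50}]   # constructed payload


def run_thread(server, iterations, iteration_ms, fraction=0.9, stall_at=None, stall_ms=0):
    """One JMeter thread. JMeter variables are thread-local strings, so each
    thread keeps its own token and logs in once. stall_at / stall_ms inject a
    pause (long think time, GC, network hiccup) before that iteration."""
    jvars = {"tokenGenerationTimestamp": "0"}   # User Defined Variables: must start at 0
    now = START_MS

    def store(resp):
        jvars["TOKEN"] = resp["token"]
        jvars["EXPIRES_IN"] = str(resp["expires_in"])
        jvars["tokenGenerationTimestamp"] = str(now)

    for i in range(iterations):
        if i == stall_at:
            now += stall_ms
        ts = int(jvars["tokenGenerationTimestamp"])
        if ts == 0:                                   # first If Controller
            _, resp = server.login(now, "alice", "s3cret")
            store(resp)
        elif needs_refresh(now, ts, int(jvars["EXPIRES_IN"]), fraction):   # second If Controller
            status, resp = server.refresh(now, jvars["TOKEN"])
            if status == 200:
                store(resp)
            else:                                     # refresh too late: token already expired
                _, resp = server.login(now, "alice", "s3cret")
                store(resp)
        status, _ = server.invoices(now, jvars["TOKEN"])
        if status == 401:
            jvars["tokenGenerationTimestamp"] = "0"   # safety net: fresh login next iteration
        now += iteration_ms
    return dict(server.calls)


if __name__ == "__main__":
    # Happy path: 100 iterations of 10 s against a 300 s token, refresh at 90 %.
    print(run_thread(FakeAuthServer(), 100, 10_000))
    # No safety margin: the token expires between the check and the request.
    print(run_thread(FakeAuthServer(), 100, 10_000, fraction=1.0))
    # 120 s stall before the 50th iteration: the refresh arrives after expiry.
    print(run_thread(FakeAuthServer(), 100, 10_000, stall_at=50, stall_ms=120_000))
```

Run it with python3 and compare the three printed dictionaries: the happy path logs in once and refreshes three times with no 401s, the no-margin run never gets to refresh and re-logins after every 401 on /invoices, and the stalled run has its refresh rejected and falls back to a login. The last two are exactly the symptoms to look for in the JMeter report when the margin is set too tight.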

[Screenshot: Refresh Token Report]

Why This Approach?

Using the refresh token endpoint instead of repeatedly hitting /users/login simulates real user behavior more accurately. In real-world scenarios, applications don't log in each time they need to access a JWT-protected resource; they refresh the token when needed. This approach also helps identify potential issues with the token refresh mechanism (such as refreshes that arrive too late or tokens that are rejected right after a refresh) and checks the stability and performance of the API under prolonged use.

Conclusion:

Implementing this testing strategy in JMeter creates more realistic and efficient performance tests for JWT-protected APIs. It avoids overloading the login endpoint and gives insight into the performance of the token refresh mechanism and of the protected API under continuous access.
