Capturing Authorization Tokens from Json

For authorization purposes it's possible to capture authorization tokens from a JSON response and then make it available to subsequent requests processed in a session.

  • Global Session Configuration Authorization Header Override
  • Per User Token Capture and Storage for each Request
  • Capture and replace Authorization Bearer tokens

Bearer tokens are often generated as part of an authentication request. For the purposes of this topic I'll use a request like this with a token named token in the JSON response:

Overriding the Authorization Header on every request

It's possible to use a Session Wide Override for the Authorization header that is applied to every request that has an Authorization header:

You can override this value with:

  • Manually by copying the token and pasting it into the Session Configuration
  • Automatically using WebSurge-Request-CaptureAndSetAuthorizationBearerTokenFromJson
  • Explicitly using WebSurge-Request-CaptureJsonToken and WebSurge-Request-InjectJsonBearerToken

To make it easier to add these custom headers into your request's headers, you can find them on the context menu of the Request Editor:

Manually overriding the Authorization Settting

A very simple way that you can set a static Authorization header is to run a request that generates an authorization token. Run the request, and then manually copy the token to the clipboard. Then paste the cookie into the Replace Authorization Session Configuration.

Once set you can now run your requests and requests should succeed as long as the token is valid.

This manual testing works well if you are stress testing purely for load, and don't care about specific individual users. Because it's static it's quick and reliable as you know exactly what's being sent. But it requires manual fixing each time you set up and run your tests

Automatically Capture and Set the Session Bearer Token

Rather than manually capturing the token, you can explicitly capture the token and store it into the Session Configuration, which applies the authorization header to any request that has an Authorization header defined.

Important: In order for this to work you have to provide an Authorization: header. It can be empty or contain any content, but the Authorization: bit must be present.

To capture the an Authorization Bearer token, capture it in a request that generates the Bearer token value as JSON. You specify the named key that returns the token (ie. here I use token as the key value):

WebSurge-Request-CaptureAndSetAuthorizationBearerTokenFromJson: token

This captures the token property from the JSON response and writes a Bearer token value into the Replace Authorization Session configuration automatically.

To inject the token in a request:

  • Make sure you have an Authorization: header in the Headers
  • Header value can be empty

When the request is run, the Authorization: header is replaced with the value that is stored in the Session, which looks like this:

Authorization: Bearer x432dsgiadssd2o9st1

The global capture works well for interactive testing, but it's not user specific. If you run a load test that simulates multiple separate users you might need to manually capture the authorization for each user separately.

Manually Capturing a Token and Setting a Bearer Token

If you want more control over the Authorization capture process you can manually capture a token and assign it a bearer token.

To Capture a Token from JSON:

  • Add a header for WebSurge-Request-CaptureJsonToken: token
  • token being the name of the key to capture from JSON
  • This stores the key and value as a CapturedJsonVariable for the user

To Inject a Token into JSON

  • Add a header for WebSurge-Request-InjectJsonToken: token
  • Make sure your JSON includes the JSON key with a string value
  • The string value can contain a value or be empty and it's overwritten with the captured value

WebSurge-Request-InjectJsonBearerToken is Session Specific

The above is Session Specific meaning it applies to all requests for all Users that are executed. This works if you don't care about separating specific users. If all users can use the same authorization this is the quickest and easiest way to apply authentication across all requests.

User Specific Token Capture and Assignment

If you need more control and per user tokens you can use per user authorization token capture and injection. Rather than storing the captured token in the semi-global Session configuration, the token is stored on the User's Http Context. Each user then gets a unique token that is used for each session that is tied to that user.

To do this:

  • Use WebSurge-Request-CaptureJsonToken to capture a request token
  • Use WebSurge-Request-InjectJsonToken to inject the captured token into target requests

Unlike WebSurge-Request-InjectJsonBearerToken the captured token is stored as an individual value in User Storage, so each user that is configured or automatically generated gets its own unique copy of the the token. This allows you to capture and inject different token for each user simulating unique users.

To create a token use this header on the Authentication request that produces a token. The following assumes it's looking at a JSON property called token:

WebSurge-Request-CaptureJsonToken: token

To use the token you apply it on a request that requires the bearer token for authentication. Typically these will be update requests but may be any and all requests in an application.

To apply it to a request you'd use:

WebSurge-Request-InjectJsonToken: token

This injects the captured token named token and replaces any JSON string values with the tokens previously captured value.

Make sure that you don't have the Replace Cookie Value setting in the Session configuration set to a fixed token value as this will always override override an explicit, or injected authorization header.

© West Wind Technologies, 2014-2023 • Updated: 09/05/23
Comment or report problem with topic