Capturing Authorization Tokens from Json

For authorization purposes it's possible to capture authorization tokens from a JSON response and then make it available to subsequent requests processed in a session.

  • Global Session Configuration Authorization Header Override
  • Per User Token Capture and Storage for each Request

Bearer tokens are often generated as part of an authentication request. For the purposes of this topic I'll use a request like this with a token named token in the JSON response:

Overriding the Authorization Header on every request

It's possible to use a Session Wide Override for the Authorization header that is applied to every request that has an Authorization header:

You can override this value with:

  • Manually by copying the token and pasting it into the Session Configuration
  • Automatically using WebSurge-Request-CaptureAndSetAuthorizationBearerTokenFromJson

Manually overriding the Authorization Settting

A very simple way that you can set a static Authorization header is to run a request that generates an authorization token. Run the request, and then manually copy the token to the clipboard. Then paste the cookie into the Replace Authorization Session Configuration.

Once set you can now run your requests and requests should succeed as long as the token is valid.

This manual testing works well if you are stress testing purely for load, and don't care about specific individual users. Because it's static it's quick and reliable as you know exactly what's being sent. But it requires manual fixing each time you set up and run your tests

Automatically Capture and Set the Session Bearer Token

Rather than manually capturing the token, you can explicitly capture the token and store it into the Session Configuration by using the following WebSurge custom header:

WebSurge-Request-CaptureAndSetAuthorizationBearerTokenFromJson: token

This captures the token property from a JSON response and writes a Bearer token value into the Override Cookie Value Session configuration automatically.

Because the value has been set on the Session it's now available to all requests and users and is automatically applied to any request that has an Authorization header.

WebSurge-Request-InjectJsonBearerToken is Session Specific

The above is Session Specific meaning it applies to all requests for all Users that are executed. This works if you don't care about separating specific users. If all users can use the same authorization this is the quickest and easiest way to apply authentication across all requests.

User Specific Token Capture and Assignment

If you need more control and per user tokens you can use per user authorization token capture and injection. Rather than storing the captured token in the semi-global Session configuration, the token is stored on the User's Http Context. Each user then gets a unique token that is used for each session that is tied to that user.

To do this:

  • Use WebSurge-Request-CaptureJsonToken to capture a request token
  • Use WebSurge-Request-InjectJsonToken to inject the captured token into target requests

Unlike WebSurge-Request-InjectJsonBearerToken the captured token is stored as an individual value in User Storage, so each user that is configured or automatically generated gets its own unique copy of the the token. This allows you to capture and inject different token for each user simulating unique users.

To create a token use this header on the Authentication request that produces a token. The following assumes it's looking at a JSON property called token:

WebSurge-Request-CaptureJsonToken: token

To use the token you apply it on a request that requires the bearer token for authentication. Typically these will be update requests but may be any and all requests in an application.

To apply it to a request you'd use:

WebSurge-Request-InjectJsonToken: token

This injects the captured token named token into the Authorization header as Authorization: Bearer <token>

Make sure that you don't have the Replace Cookie Value setting in the Session configuration set to a fixed token value as this will always override override an explicit, or injected authorization header.


© West Wind Technologies, 2014-2022 • Updated: 12/25/21
Comment or report problem with topic