Authorisation Code Flow with PKCE using JMeter


I am using JMeter for load testing, and the website login uses the Authorisation Code Flow with PKCE. I am getting a 500 response in the signin-oidc sampler result of my JMeter script. All other endpoints are getting a 200 response.

In my JMeter script, I am generating the code verifier and code challenge when the user clicks on login ("/login") and passing the code challenge in the request parameters of "/connect/authorize". I get the code in the response of "Account/Login?ReturnUrl..................", where I have passed the username and password as request parameters. Then in "/connect/authorize/callback" I am passing the same codeChallenge as well, extracting the value of code, and then passing this code value to "/signin-oidc" along with the code verifier generated in "/login". All the endpoints pass except "/signin-oidc". What mistake am I making?


There is 1 best solution below

Ivan G

Maybe there is a problem with your logic which is "generating code verifier and code challenge".

Make sure that it matches, i.e. the one listed under the Call Your API Using the Authorization Code Flow with PKCE page.

The equivalent JMeter code you can use in JSR223 PreProcessor would be something like:

  1. For code verifier

    import java.security.SecureRandom;
    import java.util.Base64;
    
    // 32 random octets, base64url-encoded without padding (RFC 7636 section 4.1)
    SecureRandom sr = new SecureRandom();
    byte[] code = new byte[32];
    sr.nextBytes(code);
    String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(code);
    
    log.info('code_verifier: ' + verifier)
    
    // keep it for the challenge pre-processor and for the /signin-oidc request
    vars.put('verifier', verifier)
    
  2. For code challenge

    import java.security.MessageDigest
    import org.apache.commons.codec.binary.Base64
    
    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)
    byte[] bytes = vars.get('verifier').getBytes("US-ASCII");
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    md.update(bytes, 0, bytes.length);
    byte[] digest = md.digest();
    String challenge = Base64.encodeBase64URLSafeString(digest);
    
    log.info('code_challenge: ' + challenge)
    
    // expose it as ${challenge} for the code_challenge parameter of /connect/authorize
    vars.put('challenge', challenge)
    

More information:
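The same S256 derivation as an added Python example (not from the original answer), checked against the RFC 7636 Appendix B test vector; it also includes the recomputation a token endpoint performs when the code is redeemed, so a verifier/challenge pair produced by a test script can be validated locally before the run.

```python
"""PKCE S256 derivation plus the check the authorization server performs.

Added example, not part of the original post. The only external input is
the RFC 7636 Appendix B test vector; everything else is generated locally.
"""
import base64
import hashlib
import secrets

# RFC 7636 Appendix B test vector (published values, not constructed here)
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def new_code_verifier(num_bytes: int = 32) -> str:
    """32 random octets -> 43-char base64url string, no padding (RFC 7636 4.1)."""
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier
    and compare it with the one received at /authorize (RFC 7636 4.6)."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    recomputed = code_challenge_s256(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


def padded_challenge(verifier: str) -> str:
    """Frequent client bug: standard base64 with '=' padding instead of
    base64url without padding; server_accepts() rejects such a challenge."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    v = new_code_verifier()
    c = code_challenge_s256(v)
    print("verifier :", v)
    print("challenge:", c)
    print("server accepts correct pair :", server_accepts(c, v))
    print("server accepts padded pair  :", server_accepts(padded_challenge(v), v))
```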