Forum Discussion

richie
Community Hero
6 years ago

Obtain OAuth JWT Bearer Token Value.....Struggling.....



My latest project has changed the authentication that generates a JWT token, but everyone here is actually grabbing the token manually to do their front end automation and performance testing - which is ridiculous - so I want to automate the process if possible for my API testing.


You'll have to forgive me - I don't know much about JWT authentication - I understand the very basics - but that's about it - so I could do with a little advice in case anyone has done something similar before.


The way they're doing it manually is to launch a webpage (enable Chrome's Developer Tools), input a username and password and once logged in - you can see the initial POST (for the successful login) and then multiple GETs as various resources (.css, .json, .png etc.) are retrieved.  One of these GET requests (that you can see after the initial POST) includes the token value as the GET's query parameter.


e.g. the relevant GET's format is as follows: <tokenvalue>

I then set the authorization profile to the OAuth 2.0 JWT Bearer (which was a total guess on my part), completed the profile creation, pasted the tokenvalue into the field (screenshot attached) and submitted the request and it worked!


The token lasts for 8 hours.


So - I can manually grab the token - but this isn't automated.  The whole dev team I work with are very junior - so I can't ask them questions about this (yes I know, it's a ridiculous situation to be in) because they just won't know the answer.  I can see in ReadyAPI! there might be a way to retrieve the token using some OAuth profile - but the developers don't even know what OAuth profile we're using (a totally different external team developed the authentication and I cannot contact them - again - ridiculous).


I was thinking I might not be able to use the out-of-the-box OAuth JWT token retrieval functionality because I don't know what I don't know and I can't ask anyone the questions I need asked.


HOWEVER - I was wondering - considering the token value is actually a query parameter value in one of the follow-up GETs after the initial login POST - is there any way I could grab the query param value from one of the many (about 10 to 15) GETs that are made?

I've never actually seen a login request in SoapUI emulate logging into a front end resource, so I haven't got an example in my previous experience where multiple GETs were made after an initial POST in my testing.


Can anyone advise?  I know it's crazy to not be able to ask the development team the relevant questions.  They can't even tell me which grant method I should be using or anything at all, and they can't tell me all the parameters required to emulate the POST that is the initial login (username/password) request.  I'm having to record a script in JMeter to actually work out what parameters I need to submit to emulate the login POST.


I'd welcome any advice.....I'm trying to read up on OAuth as best I can - so I can work out all the different considerations I need - e.g. identifying the right grant method I need to use etc.


I hope I've been clear - I know sometimes I'm not!


Thanks to all!
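As an added example that is not part of the original post or of ReadyAPI/SoapUI: a small Python helper showing how a test client could pull the token out of a captured GET URL's query string, read the JWT's `exp` claim and reuse the token until it is close to expiring, instead of re-running the whole login sequence before every request. The query parameter name (`token`), the sample URL and the sample JWT with its placeholder signature are all constructed here for illustration. The payload is decoded without signature verification, which is fine for a client checking the lifetime of its own token but is not how a resource server should treat a token it receives.

```python
"""Extract a JWT from a captured request URL and decide whether it can still be
reused, so a test suite only refreshes the token when it is about to expire.

Added example, not from the original thread. The parameter name "token", the
sample URL and the sample JWT below are constructed for illustration only.
"""
import base64
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the alphabet JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_jwt(issued_at: int, lifetime_seconds: int = 8 * 3600) -> str:
    """Construct a JWT-shaped string with a known exp claim (constructed sample).

    The third segment is a placeholder, not a real signature: this token only
    exercises the parsing logic below and would not authenticate anywhere.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {"sub": "test-user", "iat": issued_at, "exp": issued_at + lifetime_seconds}
    compact = dict(separators=(",", ":"))
    return ".".join([
        _b64url_encode(json.dumps(header, **compact).encode()),
        _b64url_encode(json.dumps(payload, **compact).encode()),
        "placeholder-signature",
    ])


def extract_token(url: str, param: str = "token") -> Optional[str]:
    """Return the value of query parameter `param` from `url`, or None if absent."""
    values = parse_qs(urlparse(url).query).get(param)
    return values[0] if values else None


def decode_payload(token: str) -> dict:
    """Read the JWT claims without verifying the signature.

    Acceptable for a client that only wants to know when its own token expires;
    anything that *accepts* tokens must verify the signature instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[int] = None) -> int:
    """Seconds left before the token's exp claim; negative once it has expired."""
    now = int(time.time()) if now is None else now
    return int(decode_payload(token)["exp"]) - now


def token_is_reusable(token: str, now: Optional[int] = None, margin: int = 300) -> bool:
    """True when the token still has more than `margin` seconds of life left.

    Malformed input (wrong segment count, bad base64, no exp claim) counts as
    not reusable rather than raising, so callers simply fall back to logging in.
    """
    try:
        return seconds_until_expiry(token, now) > margin
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    issued = 1_700_000_000
    # Constructed sample URL of the shape described in the post: the token rides
    # along as a query parameter of one of the follow-up GETs.
    sample_url = f"https://example.test/app/config?token={build_sample_jwt(issued)}&v=3"
    jwt = extract_token(sample_url)
    print("reusable 1h after login:", token_is_reusable(jwt, now=issued + 3600))
    print("reusable 8h after login:", token_is_reusable(jwt, now=issued + 8 * 3600))
```

In a test setup the captured URL would come from whatever intercepts the browser traffic (the developer tools export, a proxy log, or the response headers of the login flow), and `token_is_reusable` decides whether the cached value goes straight into the `Authorization: Bearer` header or the login sequence has to be replayed first. The 300-second margin avoids sending a token that expires mid-test run.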




7 Replies

    • richie
      Community Hero

      Cheers nmrao 


      I've found out - they're using OAuth v2.0 with Authorization Code as the grant type - but the solution is a total bodge on that pattern.

      The developer has managed to set it up in postman and just to get the authorization token takes 16 sequential REST requests!

      I'm just gonna grab the postman collection! :)


      nice one!



      • nmrao
        Champion Level 3
        In that case, the solution seems to be different and the link I provided did not help, it seems.

        Maybe you can add your solution instead of my reply.