How to test client web api on postman - web-services

I'm working on a BP monitor app and trying to test web APIs according to the documentation, with OAuth 2.0 authorization. But I'm facing some problems getting a valid GET or POST response.
Could you please help me get the response of the GET and POST web APIs?

1) In the Postman app, you first enter your API endpoint into the URL field.
2) Just to the left of the URL input, there is a dropdown to select whether you'd like to send your request as GET or POST.
3) To the right of the URL input, you can define any extra parameters needed.
These parameters are where you can define specific details needed for your test-case.
Postman also allows you to easily generate OAuth tokens for testing (support for OAuth 1.0a and OAuth2).

Related

Need help with OAuth 2.0 login authentication while load testing

I have a BlazeMeter Pro account and I am stuck on the recording step: I tried to record in JMeter and also tried BlazeMeter recording, but I am not able to do it.
The flow is that I have to log in to the system and perform the operation. We implemented OAuth 2.0 on the development side to authenticate the user through Gmail, and we face an issue while recording the script: the user is not able to authenticate to log in when you hit it with single or multiple users.
To authenticate I need all the parameters below. I have all the details, but I do not understand where to add them in JMeter or BlazeMeter.
client_id=
client_secret=
refresh_token=
grant_type=refresh_token
We follow these steps at record time:
1) Load the respective URL and open the Gmail login page
2) After entering the email and password, the page redirects and the particular website is displayed
3) After entering the user name and password on the website, the UI is displayed
Please guide me on how to implement this and process my flow for load testing.
As per the Google documentation, OAuth 2.0 for Client-side Web Applications, you need to send a request to https://accounts.google.com/o/oauth2/v2/auth with the client_id, redirect_uri, response_type and scope parameters.
This request you should be able to record using your favourite recording option.
In your case you need to change this redirect_uri to some web server which you control, as you will receive the token there in the form of https://your_redirect_url_here/callback#access_token=your_token_will_be_here&token_type=Bearer&expires_in=3600
It's a good idea to use the HTTP Mirror Server for this purpose.
Once you get the token you will be able to add an HTTP Header Manager and configure it to send the Authorization header with the value of Bearer ${your_token}
More information:
OAuth 2.0 Documentation
OAuth 2.0 Playground (if your application uses different flow you can replicate it there and see relevant requests/responses which can be later on implemented in JMeter)
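The four parameters listed in the question are the fields of an OAuth 2.0 refresh-token grant. The following is an added example, not part of the original posts, of the request a test plan sends and how the reply becomes the Authorization header described above; the endpoint URL, function names and credential values are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Hypothetical token endpoint; take the real one from your provider's documentation.
TOKEN_ENDPOINT = "https://auth.example.test/token"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Return (url, headers, body) for an OAuth 2.0 refresh-token grant."""
    fields = {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }
    missing = [name for name, value in fields.items() if not value]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    # The grant is sent as a form-encoded POST body, never in the URL,
    # so the secret and refresh token stay out of access logs.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(fields)


def bearer_header_from_response(response_text):
    """Turn the token endpoint's JSON reply into an Authorization header."""
    reply = json.loads(response_text)
    if "error" in reply:
        raise RuntimeError("token endpoint refused the grant: " + reply["error"])
    if reply.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type in reply")
    return {"Authorization": "Bearer " + reply["access_token"]}


# Constructed sample values, not real credentials or a real reply.
url, headers, body = build_refresh_request("demo-client", "demo-secret", "demo-refresh")
SAMPLE_REPLY = '{"access_token": "demo-access", "token_type": "Bearer", "expires_in": 3600}'
auth_header = bearer_header_from_response(SAMPLE_REPLY)
```

In a load test, supply the client secret and refresh token from properties or environment variables at run time rather than storing them in the saved test plan.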

Authentication failed when I test my REST API in JMeter

I have been asked to test my REST API in JMeter. I configured my service details in the HTTP Request tab in JMeter, and unfortunately I am seeing an "Authentication failed" error even though it displays the correct information in the Request tab.
Here is my Header Manager section as below...
This is my request and using POST method for this.
Can you please help in getting this fixed?
You have to implement correct correlation.
Authentication must be executed every time.
The authorization token is a random value that you get from previous authentication.
You have to extract it (maybe with a regular expression) and use it in the HTTP operation.
The recommended way of testing resources protected by Basic HTTP Authentication is using HTTP Authorization Manager.
1) Add HTTP Authorization Manager to your test plan
2) Provide the Base URL and credentials (plain text)
That's it. You don't need to add the Authorization header manually; JMeter will automatically generate it. Check out the How to Use HTTP Basic Authentication in JMeter article for more details if required.

Bypass OAuth validation when the request is a query

I have a web service which is validated by OAuth (Authorization code).
I am using the Oracle IDM stack (OAM/OAuth service, OES etc.).
The issue is: I want OAuth validation only when a web service API is processed at the backend, but not when a client is just browsing a WSDL or XSD.
In my current implementation, I am using a filter in web.xml and I have added the web service name (which is the web service servlet) URL to the filters. The URL to browse the service and the URL to execute it have the same name, except for the ?WSDL at the end of the URL in the case of a WSDL/XSD query.
So the problem is that when I query the WSDL, it also goes via OAuth validation, which I don't want!
I tried to add logic to determine whether the HTTP query string is ?WSDL and then bypass OAuth validation, but it does not work, because clients like SOAP UI and others can actually use ?WSDL in the URL even to execute the web service API, which sort of defeats the whole purpose of the validation.
Has anyone come across a similar issue? How can it be resolved?
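The failure described in the question comes from deciding on the query string alone. As an added example that is not part of the original post, the check below exempts a request only when it is a body-less GET or HEAD whose single query key is wsdl or xsd; it assumes the service executes operations only on requests that carry a body (normally POST), and the function and parameter names are hypothetical. It is written in Python so it runs stand-alone; the same decision would sit in the servlet filter.

```python
from urllib.parse import parse_qsl

# Query keys that only ask for the service description (compared case-insensitively).
METADATA_KEYS = {"wsdl", "xsd"}


def requires_oauth(method, query_string, has_body):
    """Decide whether a request to the web service servlet must pass OAuth validation.

    A description lookup is a body-less GET or HEAD whose query string holds exactly
    one key, wsdl or xsd. Everything else, including a POST to ...?WSDL, is treated
    as an attempt to execute the service and stays behind OAuth.
    """
    if method.upper() not in ("GET", "HEAD"):
        return True
    if has_body:
        return True
    params = parse_qsl(query_string or "", keep_blank_values=True)
    if len(params) != 1:
        return True
    return params[0][0].lower() not in METADATA_KEYS


# Constructed sample requests: (method, query string, has_body)
SAMPLES = [
    ("GET", "WSDL", False),       # browsing the description
    ("GET", "xsd=1", False),      # browsing an imported schema
    ("POST", "WSDL", True),       # SOAP client executing the service via ...?WSDL
    ("POST", "", True),           # ordinary service call
    ("GET", "wsdl&op=x", False),  # extra parameter smuggled next to wsdl
]
decisions = [requires_oauth(*sample) for sample in SAMPLES]
```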

How to Pass Username and Password using POSTMAN - Rest Client?

I am a newbie in using POSTMAN - Rest Client - Chrome API.
I want to use the Basic Auth which is available in POSTMAN.
I am trying to log in to my Google account at the URL "https://www.gmail.com".
I provided my username and password in the Basic Auth and I tried GET and POST.
I got a Status 200 OK which loads the home page, but it is not logged in.
I know that I need to change the URL, but I am not able to find the correct one to use.
It would be helpful if examples are provided for the different types of auth provided as well.
The link you have provided is deprecated. I don't know if the Gmail API allowed Basic Auth at the time you asked the question, but right now it needs OAuth 2.0, as indicated in the opening lines here.
The correct URL is https://accounts.google.com/o/oauth2/auth, and this link explains how to supply the parameters.
If I remember correctly, Google stopped allowing HTTP clients (like Postman) to access its APIs through Basic Auth a year or more back. Now Google allows its APIs to be accessed using OAuth 2.0.
For accessing Google APIs, you need to set up an OAuth Application, here
When you create this OAuth Application, Google will generate a ClientId and ClientSecret.
With this ClientId and ClientSecret, you need to generate access and refresh tokens, and eventually you will use these tokens to access Google APIs.
Read more about Google OAuth 2.0 and you will get more information about accessing APIs.

OAuth2 code from mobile app

I'm writing an Android app which will authenticate itself using OAuth2 to a Web server under my control.
I'm using Apache Amber on the client side, and oauth2app with Django on the server side.
From the client, I can generate an authorization request, and start a browser Activity that goes to a page asking whether to allow the client access, and after answering in the affirmative, redirects to a page with a "code" parameter.
But how do I get the "code" back to my client, in order to make the subsequent access_token request?
Do I need to bypass the browser entirely? How would that work?
I believe you have a couple of choices here.
The redirect_uri parameter will indicate to the server where it should send the code.
From the oauth2app docs:
If a request is authorized, Authorizer:grant_response() will serialize an object into a JSON response will return a redirect response to the client’s redirect_uri with information on the authorization code passed as query string parameters (response_type CODE) or access token passed as URI fragments.
So armed with that:
If that value is a location on your server, then your mobile browser is going to get the value as part of the redirect. Specifically, you're trying to read the URI fragments in the redirect. I believe this is the intended usage for an application like yours. This blog post seems to have code that might be relevant, under the section "Retrieving the access token".
Alternatively, as you pointed out, you could send the token to a different handler on your server, and then pass it back to your client. It must be the callback URL defined in the service.
I found a different blog post, specific to OAuth 2:
http://blog.doityourselfandroid.com/2011/08/06/oauth-2-0-flow-android/
The trick is to fire up a new Activity whose content is provided by a WebView (rather than a layout). You can attach a handler to the WebView that's called on the redirect to the page containing the "code" parameter.
Some of the specifics in the blog post concern Google APIs, but so far my experiments suggest that it will work in my situation.
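What a redirect handler like the one described above has to do with the URL it intercepts, as an added example that is not part of the original posts: take the code from the query string or the access token from the fragment, and only from a redirect that targets the registered redirect_uri. The state check assumes the client sent a state value with its authorization request, which the posts do not mention; all names and URLs are constructed, and Python is used so the logic runs stand-alone.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


def read_authorization_redirect(url, registered_redirect_uri, expected_state):
    """Return ("code", value) or ("access_token", value) from an OAuth redirect."""
    got, want = urlsplit(url), urlsplit(registered_redirect_uri)
    # Ignore navigations that are not the registered callback (other pages
    # loaded in the same web view must never be parsed for credentials).
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect does not target the registered redirect_uri")

    # Authorization codes arrive as query parameters, access tokens as URI fragments.
    query, fragment = parse_qs(got.query), parse_qs(got.fragment)
    for kind, params in (("code", query), ("access_token", fragment)):
        if "error" in params:
            raise ValueError("authorization failed: " + params["error"][0])
        if kind in params:
            state = params.get("state", [""])[0]
            # Constant-time comparison of the echoed state with the one we sent.
            if not hmac.compare_digest(state.encode(), expected_state.encode()):
                raise ValueError("state does not match the authorization request")
            return kind, params[kind][0]
    raise ValueError("redirect carries neither a code nor an access token")


# Constructed sample redirects, not captured traffic.
REDIRECT_URI = "https://app.example.test/callback"
code_result = read_authorization_redirect(
    REDIRECT_URI + "?code=demo-code&state=s1", REDIRECT_URI, "s1")
token_result = read_authorization_redirect(
    REDIRECT_URI + "#access_token=demo-token&token_type=Bearer&state=s1",
    REDIRECT_URI, "s1")
```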