Social Network Authentication Load Testing with JMeter
Authentication via social networks is often used in web applications. In this form of authentication, users of a web application log in to a social network they are already a member of, instead of creating an account for that web application. The social network is then used for authentication and authorization. Authentication against a social network is in fact a form of single sign-on (SSO), with the social network acting as the identity provider for the web application.
Authentication via social networks has a few benefits for users. One of them is that users don't need to remember a password for the web application; it is enough to remember the one for the social network. Some web applications don't even require users to register and fill out a registration form, because the login via a social network may provide all the required registration information. This information, such as email addresses, is often pre-validated by the social service itself, which is another advantage of this kind of authentication.
Surveys show that if a web application offers authentication via a social network, more than three quarters of its users prefer that way. Moreover, there are web applications that provide registration and authentication only via social networks.
Social Network Authentication Load Testing Challenges
But this end-user login and registration convenience might become a hurdle when creating load testing scenarios and developing load testing scripts. Imagine that you need to imitate the operations of 1000 virtual users, authenticated via Facebook, in a load testing script. Creating such a large number of fake Facebook accounts is barely possible. Even if someone does manage to create that many Facebook accounts for the purpose of load testing, executing them in a load test won't be possible: social networks protect themselves against DDoS attacks, and these accounts will simply be blocked.
This blog post will show how to overcome this problem and run your performance test in Apache JMeter™.
Creating Your JMeter Script for Social Network Authentication Load Testing
The JMeter script use case for social network authentication may include login, registration or authorized access to some resources. In this article we are going to analyze a few approaches to overcoming this difficulty.
Registering in Developer Mode: Option 1
The first approach is straightforward. Many social services have a developer mode (see the table at the end), which helps developers design and debug applications. For example, with Facebook's developer mode you can register an application that is under development and create a group of test users with fake emails and other attributes for this application.
These test user accounts can't be accessed from Facebook's production mode, and they are not monitored by Facebook's spam and fake account detection system. So, one can test web applications with these fake accounts without worrying about getting disabled.
The documentation on managing test applications and test users can be found on the Facebook application development site. Accounts can be created manually or, if a large number of them is needed, automatically with the help of the Graph API that Facebook provides. The developer panel's GUI is shown in the screenshot below.
Using Graph API in JMeter
If you want your JMeter script to imitate Facebook registration, creating and deleting accounts via the Graph API can be done in the setUp and tearDown thread groups. A JMeter script that creates fake user accounts and then removes them is shown in the screenshot below. You can also find the jmx script here.
In this script, fake user accounts are created in the setUp thread group via the Facebook Graph API. Under the Once Only Controller, an HTTP request obtains the application access token.
The CSV file that will hold the fake accounts is created in a JSR223 sampler. Then, the fake accounts are generated under the Loop Controller.
You can also upload your script to BlazeMeter and ramp up users from there.
The response to the POST /test_users Graph API request contains the created user's id, name, email and password. This data is in JSON format, so a JSON post-processor extracts the fields and a JSR223 post-processor records them in the CSV file.
The created CSV file is used by the main thread group of the script. In the tearDown thread group, these accounts are removed together with the CSV file.
This approach is simple, but there are limitations on the social web service's side. For example, Facebook limits the number of test users to 2000 and applies Graph API rate limits per test application. So, before implementing this strategy, it's better to consult the Facebook policy on using test accounts.
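The setUp / main / tearDown flow described above, written out as an added Python example (not the jmx script from the post): a constructed stand-in for the Graph API /test_users endpoint, a setUp step that extracts the JSON fields and records them as CSV rows, a main step that reads those rows as virtual users would, and a tearDown step that deletes the users. The endpoint behaviour, the user ids and the 2000-user cap check are assumptions modelled on the post, not Facebook's real API.

```python
import csv
import io
import json
import secrets

MAX_TEST_USERS = 2000  # Facebook's documented cap on test users per app (from the post)


class FakeGraphApi:
    """Constructed stand-in for POST /test_users and DELETE /{user-id}; not the real Graph API."""

    def __init__(self):
        self.users = {}

    def create_test_user(self, app_token, name):
        # Returns a JSON body shaped like the real response: id, name, email, password
        if len(self.users) >= MAX_TEST_USERS:
            return json.dumps({"error": {"message": "test user limit reached"}})
        uid = str(100000 + len(self.users))  # constructed, sequential ids
        user = {"id": uid, "name": name, "email": f"{name.lower()}@example.com",
                "password": secrets.token_hex(6)}
        self.users[uid] = user
        return json.dumps(user)

    def delete_test_user(self, app_token, uid):
        return self.users.pop(uid, None) is not None


def setup_thread_group(api, app_token, count):
    """setUp: create `count` users; mirror the JSON extractor + JSR223 CSV writer steps."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    created = []
    for i in range(count):
        data = json.loads(api.create_test_user(app_token, f"LoadUser{i}"))
        if "error" in data:          # stop at the cap instead of looping on errors
            break
        writer.writerow([data["id"], data["email"], data["password"]])
        created.append(data["id"])
    return created, buf.getvalue()


def main_thread_group(csv_text):
    """Main thread group: each virtual user consumes one CSV row (CSV Data Set Config)."""
    return [row for row in csv.reader(io.StringIO(csv_text)) if row]


def teardown_thread_group(api, app_token, created):
    """tearDown: delete every created user; returns ids that could not be deleted."""
    return [uid for uid in created if not api.delete_test_user(app_token, uid)]
```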
Creating a Mock Application: Option 2
Unfortunately, not all social web services provide the ability to create test accounts in developer mode. For example, this approach is not possible with Twitter. In this case it's possible to create a mock, or use an existing application, that imitates interaction with the social network over the protocol used for authentication and authorization.
As we have already mentioned, authentication via a social network is a form of SSO. SSO is based on protocols such as SAML, OpenID and OAuth. The testing of SAML-secured web applications was covered in the "how to test SAML SSO secured web sites" article. The testing of OpenID-secured web applications was covered in the "how to test OpenID secured websites" article. An article dedicated to load testing OAuth-secured applications can be found on the BlazeMeter blog too.
In this case the real social network service can be replaced with a fake OAuth service, which can be configured to process authentication requests according to this guide. The service configuration includes usernames, emails, passwords, other user data and user tokens. The JMeter data set will then contain the usernames / emails and passwords for the fake OAuth service.
Creating an OAuth Stub: Option 3
Finally, if we need to implement authorization and the service has multiple endpoints, the only way to conduct load testing is to create a stub that emulates the OAuth server. Of course, the application build deployed for testing has to send its requests to this stub rather than to the real social network service. This option is a rather expensive way to set up the load testing environment. It makes sense only if the other approaches have failed and we need to imitate the interaction between the application client and the tested system more accurately.
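A minimal OAuth 2.0 authorization-code stub of the kind Option 3 calls for, as an added Python example (not the fake OAuth service or guide the post links to): a login step that issues a single-use code against fixture accounts, a token endpoint that redeems it, and a profile endpoint the application under test calls afterwards. The client registration, user fixtures and TTLs are constructed assumptions; a real stub would expose these three functions over HTTP.

```python
import hmac
import secrets
import time

# Constructed fixtures: the registered client and the fake social accounts in the JMeter data set
CLIENTS = {"app-under-test": {"secret": "s3cret", "redirect_uri": "https://app.test/callback"}}
USERS = {"alice@example.com": {"password": "pw-alice", "id": "1001", "name": "Alice"}}
CODE_TTL, TOKEN_TTL = 60, 3600
_codes = {}   # code -> (email, client_id, expiry); a code is redeemable exactly once
_tokens = {}  # access token -> (email, expiry)


def authorize(client_id, redirect_uri, email, password):
    """Stand-in for the social network's login page: check fixture credentials, issue a code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return {"error": "invalid_client"}
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(user["password"], password):
        return {"error": "access_denied"}
    code = secrets.token_urlsafe(16)
    _codes[code] = (email, client_id, time.time() + CODE_TTL)
    return {"code": code}


def token(client_id, client_secret, code, redirect_uri):
    """Token endpoint: authenticate the client, then exchange the single-use code for a bearer token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    if client["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    entry = _codes.pop(code, None)  # pop so a replayed code is rejected
    if entry is None or entry[1] != client_id or entry[2] < time.time():
        return {"error": "invalid_grant"}
    tok = secrets.token_urlsafe(24)
    _tokens[tok] = (entry[0], time.time() + TOKEN_TTL)
    return {"access_token": tok, "token_type": "bearer", "expires_in": TOKEN_TTL}


def userinfo(access_token):
    """Resource endpoint the application calls for the profile (the stub's equivalent of /me)."""
    entry = _tokens.get(access_token)
    if entry is None or entry[1] < time.time():
        return {"error": "invalid_token"}
    user = USERS[entry[0]]
    return {"id": user["id"], "name": user["name"], "email": entry[0]}
```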
Social Network Authorization Load Testing Comparison
The table below consolidates information about social network services: whether they offer a developer mode, whether test users can be created, and the authentication protocol used. Find the social network you're testing, understand its characteristics and decide on the best testing option accordingly.
|Social Network|Developer Mode Link|Creating Users|Protocol|
|Facebook|Facebook Developer Mode|+|OAuth 2.0|
|VK|VK Developer Mode|-|OAuth 2.0|
|Twitter|Twitter Developer Mode|-|OAuth 1.0|
|Google+|Google+ Developer Mode|+|OAuth 2.0|
|LinkedIn|LinkedIn Developer Mode|-|OAuth 2.0|
|Spotify|Spotify Developer Mode|-|OAuth 2.0|
|LiveJournal|LiveJournal Developer Mode|-|OpenID|
Running Your JMeter Test in BlazeMeter
After creating your JMeter script, upload it to BlazeMeter. Then you will be able to massively scale your users. BlazeMeter also enables you to collaborate on tests and reports, drill down into detailed reporting and compare test results over time. Try out BlazeMeter, or request a live demo from one of our performance engineers.