Load testing for web app using mod_auth_openidc, SSO in Azure

[fong1999]

Hi!

We use OIDC SSO in Azure. We are looking for a way to load test it. We are trying to mimic the browser network traffic in JMeter and postman. But we have been getting Sign in to your account page returned as a html file in the response body in JMeter and postman, instead of a response header that includes the "code" value that we need to put in a variable in JMeter so that we can pass it to the next subsequent call....

<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">
<head>
    <title>Sign in to your account</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="-1">
    <link rel="preconnect" href="https://aadcdn.msftauth.net" crossorigin>
<meta http-equiv="x-dns-prefetch-control" content="on">
<link rel="dns-prefetch" href="//aadcdn.msftauth.net">
<link rel="dns-prefetch" href="//aadcdn.msauth.net">

Here is the Http GET request for openidc SSO:

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?response_type=code&scope=openid&client_id=<client_id>&state=Z68AKsqsq5PvhhlPBfJGwVkKJyY&redirect_uri=https%3A%2F%2Fi<example..com?%2Fdone&nonce=pyN_BPu-VEGas_-gFqcBnWAwnwN2mjNmYp8hsffvUik

The Path:

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize

Query parameters:

response_type=code
scope=openid
client_id=
state=
redirect_uri=
nonce

I tried to use prompt=login to force to show the login page to enter credentials, but it is not successfully. I tried to use prompt=none, which gives me error:

AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).

Another HTTP GET request:

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize

Name	Value	URL Encode	Content-Type	Include Equals
client_id		false	text/plain	true
scope	openid profile User.Read offline_access	true	text/plain	true
redirect_uri	https://example..com	true	text/plain	true
client-request-id	${client-request-id}	false	text/plain	true
response_mode	fragment	false	text/plain	true
response_type	code	false	text/plain	true
x-client-SKU	msal.js.browser	false	text/plain	true
x-client-VER	2.28.3	false	text/plain	true
client_info	1	false	text/plain	true
code_challenge	cJIwNVIG-CY3-LXgjjZwXKfpwsn99tr1GBifkG	false	text/plain	true
code_challenge_method	S256	false	text/plain	true
nonce	${nonce}	false	text/plain	true
state	${state}	false	text/plain	true
sso_reload	true	false	text/plain	true
login_hint	[email protected]	false	text/plain	true
prompt	none	false	text/plain	true

I am getting "Redirecting..." html in the Response body in JMeter.

<!DOCTYPE html>
<html>
<head>
    <title>Redirecting</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="-1">
    <meta name="PageID" content="DesktopSsoNonInteractive" />
    <meta name="SiteID" content="" />
    <meta name="ReqLC" content="1033" />
    <meta name="LocLC" content="en-US" />

Any suggestion how to achieve this? Please let me know if you need more information.

Thanks so much!

Fong

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow