How to do load testing for JWT Secured Rest API


I am developing a REST API (HTTPS) with Spring and now need to load test it to 1000 concurrent users. The problem is I used siege to load test, but it cannot test over the jwt token header. Which is the best way to perform a load test in my scenario?


You can use Jmeter for testing JWT Secured Rest API.

You can include jwt token in "HTTP Header Manager" along with the request.

Refer: http://jmeter.apache.org/usermanual/build-adv-web-test-plan.html#header_manager


I would suggest the following config:

  1. Put jjwt jar along with dependencies (jackson-databind) under JMeter Classpath (just drop the jars in "lib" folder of your JMeter installation and restart JMeter to pick them up)

  2. Add HTTP Request sampler and configure it to send your API request.

  3. Add HTTP Header Manager as a child of the HTTP Request sampler.

  4. Add JSR223 PreProcessor as a child of the HTTP Request sampler.

  5. Put the following code into JSR223 PreProcessor "Script" area:

    import io.jsonwebtoken.Jwts
    import io.jsonwebtoken.SignatureAlgorithm
    import io.jsonwebtoken.impl.crypto.MacProvider
    import org.apache.jmeter.protocol.http.control.Header
    import java.security.Key

    // Generate a fresh random HS512 key (swap in the key your API verifies against)
    def key = MacProvider.generateKey();

    // Build and sign the token: registered claim "sub" set to Joe, HS512 signature
    def compactJws = Jwts.builder()
        .setSubject('Joe')
        .signWith(SignatureAlgorithm.HS512, key)
        .compact()

    // Attach the token to the sampler's HTTP Header Manager as a Bearer credential
    sampler.getHeaderManager().add(new Header('Authorization', 'Bearer ' + compactJws))


The above code will generate a JSON Web Token with the registered claim sub (subject) set to Joe and add an Authorization header with the value Bearer %generated token string% to the HTTP Request.

You will need to amend the code according to your needs, but the concept should be the same. Reach out to your application developers for assistance if required.



I would suggest Gopayloader. It's an HTTP load tester written in Go and can achieve around 50k RPS with JWTs.

It generates custom JWTs by providing it a private key to sign the JWT i.e.

./gopayloader run http://localhost:8081 -c 150 -r 1000000 --jwt-header "my-jwt" --jwt-key ./private-key.pem --jwt-kid 3434645743124 --jwt-sub "my-subject" --jwt-aud "some-audience" --jwt-iss "some-issuer"

Would generate a JWT body like:

{
  "aud": "some-audience",
  "exp": 1714130039,
  "iss": "some-issuer",
  "jti": "05181473-bbd6-4d21-8942-d86c2e972b2b",
  "sub": "my-subject"
}

With header:

{
  "alg": "ES256",
  "kid": "3434645743124",
  "typ": "JWT"
}

It pre-generates the JWTs and saves them to disk before running the test to keep a low in-memory footprint and to achieve a high RPS, as CPU cycles are dedicated to sending requests and not to generating JWTs. Each JWT is unique as it has its own jti, i.e.

"jti" : "8f2d1472-084c-4662-ae74-04e0f1de4993"

This can be useful as some JWT authenticated services will not allow the reuse of the same JWT as it should only be used once to prevent replay attacks, see: https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7.
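The two answers above both come down to the same requirement: every request needs a token the API will actually accept, and a replay-rejecting API needs a different token per request. As an added example (not code from either answer, JMeter or Gopayloader), here is a stdlib-only Python script that mints HS256 tokens with the claim set shown above, signed with the shared secret the API trusts (assumed here; the secret value is a constructed placeholder), pre-generates one token per request with a unique jti and an exp that outlives the run, and includes the server-side check so the batch can be validated before the test starts.

```python
import base64, hashlib, hmac, json, time, uuid

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(secret: bytes, claims: dict) -> str:
    """Sign claims with HMAC-SHA256. The API accepts the token only if it verifies
    with the same secret; a freshly generated random key (as in the JSR223 snippet) will not."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def pregenerate(secret: bytes, count: int, sub: str, iss: str, aud: str,
                ttl: int = 3600, now=None) -> list:
    """Mint `count` tokens up front, each with its own jti (so a server that rejects
    replayed tokens still accepts every request) and an exp that outlives the run."""
    now = int(time.time()) if now is None else now
    tokens = []
    for _ in range(count):
        claims = {"aud": aud, "exp": now + ttl, "iat": now, "iss": iss,
                  "jti": str(uuid.uuid4()), "sub": sub}
        tokens.append(mint_hs256(secret, claims))
    return tokens

def verify_hs256(secret: bytes, token: str, now=None):
    """What the API under test should do: pin alg, compare the signature in
    constant time, then check exp. Returns the claims, or None on any failure."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), s):
            return None
        claims = json.loads(b64url_decode(p))
        now = int(time.time()) if now is None else now
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # placeholder; use the API's real HS256 secret
    with open("tokens.txt", "w") as f:  # one token per line for the load tool to consume
        f.write("\n".join(pregenerate(secret, 1000, "my-subject", "some-issuer", "some-audience")))
```

The one-token-per-line file can be fed to JMeter through a CSV Data Set Config variable referenced from the HTTP Header Manager, so the JSR223 signing step is no longer on the request path.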