We are using the ASP.NET middleware successfully to authenticate for our web app.
I am now trying to create a performance test in JMeter.
After a successful authentication Okta redirects to authorization-code/callback, but rather than the middleware intercepting the call as expected, it is passing through the pipeline and the web server is responding with a 404.
I've compared the JMeter headers and cookies with the values in the Firefox developer console and everything seems on par. Dynamic values are being set correctly as best as I can tell. The POST has the state and code values grabbed from the hidden fields on the redirect page.
What else is required for the middleware to intercept messages to authorization-code/callback?
I finally tracked down the issue. I had seen JMeter examples where the JMeter script generated the state key, so I had done the same. But in those examples the JMeter script was in a one-to-one conversation with the Okta server to test API calls. In my scenario the JMeter script is sitting between the Okta middleware and the Okta server, so I need to capture the state value generated by the middleware. A reply from the server with a different state key will be ignored. It would be nice if the middleware generated a security exception so the event could be detected and logged, both to help internal developers with automation and so that admins can detect external man-in-the-middle attempts.
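The following is an added example, not code from the original thread, the ASP.NET middleware or Okta. It models the three parties in the exchange above (the authorization-code middleware in front of the app, the load-test client playing JMeter's role, and the authorization server playing Okta's role) to show why a client-generated state is dropped while a captured one is accepted. The authorize URL, client id, cookie name and all helper names are assumptions for illustration; Okta's real form_post response is reduced to a dict of the hidden fields the poster scraped.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# All constants below are constructed for the example, not real values.
AUTHORIZE_URL = "https://example.okta.com/oauth2/default/v1/authorize"  # assumed
CALLBACK_PATH = "/authorization-code/callback"
CORRELATION_COOKIE = ".AspNetCore.Correlation"  # assumed cookie name


class Middleware:
    """Stand-in for the auth-code middleware: it mints the state on the way out
    and only handles the callback whose state matches the one it minted."""

    def __init__(self):
        self.pending = {}  # correlation cookie value -> expected state

    def challenge(self):
        """Redirect the browser to the authorization server. The middleware,
        not the client, generates the state and binds it to a cookie."""
        state = secrets.token_urlsafe(16)
        correlation = secrets.token_urlsafe(16)
        self.pending[correlation] = state
        location = AUTHORIZE_URL + "?" + urlencode({
            "client_id": "0oaexample",  # assumed
            "redirect_uri": "https://app.example" + CALLBACK_PATH,
            "response_type": "code",
            "scope": "openid",
            "state": state,
        })
        headers = {
            "Location": location,
            "Set-Cookie": f"{CORRELATION_COOKIE}={correlation}; HttpOnly",
        }
        return 302, headers

    def callback(self, path, query, cookie_header):
        """Handle the callback. If the state does not match what the cookie
        says was issued, the request is not handled and falls through the
        pipeline, which is the 404 described in the thread."""
        if path != CALLBACK_PATH:
            return 404, "not handled"
        params = parse_qs(query)
        morsel = SimpleCookie(cookie_header or "").get(CORRELATION_COOKIE)
        expected = self.pending.pop(morsel.value, None) if morsel else None
        presented = params.get("state", [None])[0]
        if expected is None or presented != expected:
            return 404, "not handled"  # state mismatch: silently ignored
        return 302, "signed in with code " + params["code"][0]


def authorization_server(authorize_url):
    """Stand-in for Okta: issues a code and echoes the state it was given,
    the two values that appear as hidden fields in the form_post page."""
    q = parse_qs(urlparse(authorize_url).query)
    return {"code": "authcode-" + secrets.token_hex(4), "state": q["state"][0]}


def extract_state(location):
    """What the JMeter extractor must do: read the state out of the
    middleware's redirect instead of inventing one."""
    return parse_qs(urlparse(location).query)["state"][0]


def run_flow(capture_state):
    """Drive one sign-in. capture_state=True replays the middleware's state;
    False builds the authorize request with a client-generated state."""
    mw = Middleware()
    _, headers = mw.challenge()
    cookie_pair = headers["Set-Cookie"].split(";")[0]  # client keeps the cookie
    if capture_state:
        authorize_url = headers["Location"]
    else:
        own_state = secrets.token_urlsafe(16)
        authorize_url = AUTHORIZE_URL + "?" + urlencode({"state": own_state})
    form = authorization_server(authorize_url)
    query = urlencode({"code": form["code"], "state": form["state"]})
    return mw.callback(CALLBACK_PATH, query, cookie_pair)


if __name__ == "__main__":
    print("captured state  ->", run_flow(True))
    print("generated state ->", run_flow(False))
```

The point the model makes explicit is that the state is an anti-CSRF token bound to the middleware's own cookie, so only the party that issued it can complete the flow; a load-test client that sits between the middleware and the identity provider has to forward the issued value, and a mismatch is dropped rather than raised as an error.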