Redirect to authorization-code/callback fails with 404 when using JMeter

We are using the ASP.NET middleware successfully to authenticate for our web app.

I am now trying to create a performance test in JMeter.

After a successful authentication, Okta redirects to authorization-code/callback, but rather than the middleware intercepting the call as expected, it is passing through the pipeline and the web server is responding with a 404.

I’ve compared the JMeter headers and cookies with the values in the Firefox developer console and everything seems on par. Dynamic values are being set correctly as best as I can tell. The POST has the state and code values grabbed from the hidden fields on the redirect page.

What else is required for the middleware to intercept messages to authorization-code/callback?

Thank you,

I finally tracked down the issue. I had seen JMeter examples where the JMeter script generated the state key, so I had done the same. But in those examples the JMeter script was in a one-to-one conversation with the Okta server to test API calls. In my scenario the JMeter script is sitting between the Okta middleware and the Okta server, so I need to capture the state value generated by the middleware. A reply from the server with a different state key will be ignored. It would be nice if the middleware generated a security exception so the event could be detected and logged, both to help internal developers with automation and so admins can detect external man-in-the-middle attempts.
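The state binding described in the answer above, as an added example that is not part of the original post and is not the Okta middleware's code: a minimal Python model of a relying party that issues the state at login and raises and logs when a callback carries a state it did not issue. The class and function names, the `idp.example` URL and the sample values are assumptions constructed for illustration.

```python
import hmac
import logging
import secrets
from urllib.parse import parse_qs, urlparse

log = logging.getLogger("oidc.callback")

class StateMismatch(Exception):
    """Callback carried a state this relying party did not issue."""

class RelyingParty:
    """Hypothetical stand-in for the web app's OIDC middleware."""
    def __init__(self):
        self._pending = {}  # session id -> state issued at login

    def begin_login(self, session_id):
        # The middleware, not the client, mints the state value.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return ("https://idp.example/authorize?response_type=code"
                f"&client_id=constructed-client&state={state}")

    def callback(self, session_id, code, state):
        # pop() makes the state single-use, so a replayed callback also fails.
        expected = self._pending.pop(session_id, None)
        supplied = (state or "").encode()
        if expected is None or not hmac.compare_digest(expected.encode(), supplied):
            # Raise and log instead of silently passing the request through.
            log.warning("OIDC state mismatch, session=%s", session_id)
            raise StateMismatch("state was not issued for this session")
        return {"session": session_id, "code": code}

def state_from_redirect(url):
    """What a load-test script must do: reuse the state from the redirect."""
    return parse_qs(urlparse(url).query)["state"][0]

def try_callback(rp, session_id, state):
    try:
        rp.callback(session_id, "constructed-code", state)
        return "accepted"
    except StateMismatch:
        return "rejected"

if __name__ == "__main__":
    rp = RelyingParty()
    captured = state_from_redirect(rp.begin_login("s1"))
    print(try_callback(rp, "s1", captured))             # state captured from redirect
    rp.begin_login("s2")
    print(try_callback(rp, "s2", "made-up-by-script"))  # state invented by the script
```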
