How to script Authorization Code Flow + PKCE with LoadRunner DevWeb protocol


Modern authorization systems use Proof Key for Code Exchange (PKCE) flow to make the authorization process more secure. 

PKCE ( adds additional parameters to the OAuth Authorization and Access Token Requests: code verifier and code challenge.

The client application creates a unique string value (a random URL-safe string with a minimum length of 43 characters) - this is the code verifier.  It then hashes and encodes the code verifier as a code challenge (a Base64URL-encoded SHA-256 hash of the code verifier). 

When you record scripts for testing web applications with this authorization flow, the code_challenge and code_verifier values generated by the client during the recording session will appear in the script code as LoadRunner API function arguments.

In many cases, it is possible to reuse those values in replay without modifications. 

However, you can create a more accurate simulation of multiple clients in a load test by generating the values in runtime, in the same way as it is done by the client application code in the browser.

If necessary, other client-generated parameters like nonce and state can also be generated at runtime.

With LoadRunner DevWeb protocol, you can use the sample code below to achieve this.

Figure 1- code.png


How To-Best Practice
Comment List