
I have recorded a login flow of an application and found some URIs like below:

  1. /api/oauth2/initiate GET
  2. /oauth2/authorize GET
  3. /api/v1/oauth2/authorize GET
  4. /api/v1/oauth2/authenticate POST
    • {"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}

When I hit the above in sequence via JMeter I get a 200 response. Just like in JMeter, I tried recording in Postman and it worked the same, but instead of JSON it gave the response in XML format.

It doesn’t generate an access_token; it works via session cookies.

My question is – Do I really have API access, or is it just browser record and play? If yes, does this mean I can get access to any API if I am a registered user of that application? For example: Facebook, YouTube or any startup website.

2 Answers


  1. JMeter works on the protocol level. This means that whatever request you are generating, say a simple browser request or an API call, you can do that easily.
    Now the thing is replicating requests. You don’t necessarily need to record the requests using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API token there. The same things can be specified there as well. It all depends on how you understand the concept of request generation.

    You simply need to replicate the samplers and the parameters. The request headers in Postman can be replicated here in the same way.
    For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.

    Headers basically tell the server what client we are using and in what form the data is being sent, and then the server responds accordingly with the information.

  2. What you’ve recorded is an OAuth2 flow and you won’t be able to replay it without correlating the dynamic values.

    You can have access to the Google API or Facebook Graph API given you have a proper access_token, but I don’t think you should be testing them directly; you should focus solely on your application.

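As an added illustration of the correlation both answers point to (this is not code from the original thread): the dynamic values a hard-coded recording silently misses are parsed out of the authorize redirect, carried into the authenticate body from the question, and checked again on the callback. The hostnames, the redirect URLs, the `state` parameter and the sample values are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample (not from the original post): the Location header that
# step 2 (/oauth2/authorize) answers with, pointing at step 3 and carrying the
# per-session values that the recorded ${...} placeholders stand for.
AUTHORIZE_LOCATION = (
    "https://app.example/api/v1/oauth2/authorize?client_id=abc123"
    "&response_type=code&state=s3cr3tst4te"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fapi%2Foauth2%2Fcallback"
    "&server_id=srv-7"
)
# Constructed sample: the Location header returned after the authenticate POST.
CALLBACK_LOCATION = (
    "https://app.example/api/oauth2/callback?code=AUTHCODE42&state=s3cr3tst4te"
)


def correlate_authorize(location):
    """Extract the session-specific values from the authorize redirect.
    This is the correlation step a replayed recording lacks: the values are
    read from the live response instead of being hard-coded."""
    query = parse_qs(urlsplit(location).query)
    needed = ("client_id", "state", "redirect_uri", "server_id")
    missing = [k for k in needed if k not in query]
    if missing:
        raise ValueError(f"authorize redirect lacks {missing}")
    return {k: query[k][0] for k in needed}


def build_authenticate_body(corr, username, password):
    """Body for POST /api/v1/oauth2/authenticate (the JSON shown in the
    question), filled from correlated values rather than literal placeholders.
    The sampler serialises this dict with json.dumps before sending."""
    return {
        "username": username,
        "password": password,
        "client_id": corr["client_id"],
        "response_type": "code",
        "redirect_uri": corr["redirect_uri"],
        "server_id": corr["server_id"],
    }


def extract_code(callback_location, expected_state):
    """Read the authorization code from the callback redirect, rejecting it
    when the state does not match the one issued to this session (a stale
    or cross-session callback is a test defect, not a successful login)."""
    query = parse_qs(urlsplit(callback_location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]
```

In a JMeter plan the same extraction is done with a Regular Expression Extractor on the Location header of step 2, and the extracted variables are referenced in the step 4 body in place of the recorded placeholders.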