Unable to get the Bearer Token - Web Test, Performance Testing

Question

I'm creating a Web Test in Visual Studio 2017 for Performance Testing. Our web application is an Azure with an AAD authentication frontend. It is the authenticating as a test user that is failing. While recording with VS or fiddler, I'm failing to playback the test again. I believe it is a token issue.

I'm able to see the Authentication Bearer Token in Location parameter of Response Header in the Browser. Example-

Request URL: https://login.microsoftonline.com/login.srf

Response Header:

Location: https://domain.fake.URL/login#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkhCeGw5bUFlNmd4YXZDa2NvT1UyVEhzRE5hMCJ9.eyJhdWQiOiIxZDYwOGIxOC04YjI2LTQ0MDktODg3ZC1mZmIzY2MxYzEwNDQiLC.....

However, I'm unable to get the Bearer Token in Visual Studio. I checked Visual Studio is making the same request with same parameter but in the response it's getting the below error not the token.

Location : https://domain.fake.URL/login#error=invalid_grant&error_description=AADSTS50008%3a+SAML+token+is+invalid.%0d%0aTrace+ID%3a+3c5c2728-f013-49e3-a91d-88a683210800%0d%0aCorrelation+ID%3a+f21fda63-6dc7-4b35-9b46-fc354cc4e8ea%0d%0aTimestamp%3a+2019-05-16+06%3a23%3a48Z&state=29ee5c1a-f49a-4358-be60-8f722f1e6e80

Instead of the token.

Is anyone faced similar issue? Thanks, guys.

Answer 1

When you recorded the test, it is likely you went through a federated sign-in process with your organization's on-premises AD FS. (This federated sign-in may have been transparent, as a series of redirects.) As part of this federated sign-in, your organization's AD FS will have issued a SAML token identifying the user to Azure AD. Azure AD will have then verified that SAML token, and since everything checked out, it issued it's own token to the application (the response with #id_token=...).

However, when you attempt to replay those steps later, the original SAML token issued by AD FS (during the original recording) has expired and is no longer valid. So instead of Azure AD redirecting back to your app with the expected ID Token, it redirects back to you app with the error about a bad SAML token.

You should be able to verify this by recording a fresh sequence of the sign-in, and replaying for the test immediately. You'll likely find that the test will pass at first, and then will eventually start failing again once the token expires.

The solution to this depends a lot on your test environment, your Azure AD and AD FS environment, and what specifically you're trying to load test. One option is to use a cloud-only dedicated test user, from a dedicated test tenant in Azure AD (you should not include any credentials for real users from your production environment in your tests). If part of what you're trying to validate includes the federated sign-in, then you should use a test instance of AD FS, and federate your test Azure AD tenant with this test AD FS.