I am trying to understand how all this works and I grow frustrated each day. What I want to do is use Postman or JMeter to log in a specific user and get all their scopes and claims so I can test my API with JMeter. This is all confusing to me, because I don’t need to be presented with a login; my JMeter test won’t be able to use that (or so I think). I guess I need to pass my tester's email/password in an API to get the bearer token so I can pass that in my header in each test.
If you’re using the built-in IdP capabilities of Auth0 (i.e. a database connection) or AD/LDAP then you may be able to use the Resource Owner Password Grant. This allows you to submit a username / password pair in an authorisation request and receive an access token and (optionally) a refresh token in return.
However, if you need to support social IdPs or any other type of connection which doesn’t accept a username / password pair (most social IdPs don’t) you will have to use a different approach - perhaps automating the authorisation using something like Selenium or doing an authorisation manually and obtaining a refresh token which never expires and which can be used directly in your tests (along with a client credential) to get access tokens indefinitely.
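The two requests described in the answer above, sketched as an added example (not code from the original posts): the form fields for the password grant and for the refresh-token exchange against Auth0's `/oauth/token` endpoint, plus reading scopes out of the returned access token. The tenant URL, client values, and the sample response are placeholders or constructed, and the example assumes the access token is a JWT (an API audience was requested).

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token"  # placeholder tenant


def password_grant_body(client_id, client_secret, username, password, audience, scope):
    """Form fields for the Resource Owner Password Grant."""
    return {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password, "audience": audience,
            "scope": scope}  # include offline_access to also receive a refresh token


def refresh_grant_body(client_id, client_secret, refresh_token):
    """Form fields for trading a stored refresh token for a new access token."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}


def request_token(body, url=TOKEN_URL):
    """POST the form to the token endpoint (needs network; not called in the demo)."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode a JWT payload for inspection in tests. Does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def bearer_header(token_response):
    """Header to attach to each API test request."""
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def constructed_response():
    """Constructed sample token response so the block runs offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": "auth0|tester", "scope": "read:items write:items"}
    jwt = ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "sig"])
    return {"access_token": jwt, "token_type": "Bearer", "expires_in": 86400}


if __name__ == "__main__":
    print(jwt_claims(constructed_response()["access_token"])["scope"].split())
```

In JMeter or Postman the same form fields go into a setup request, and the extracted `access_token` feeds the `Authorization` header of the later requests. Keep the test user's password, client secret, and any long-lived refresh token in the tool's secret or variable store rather than in the saved test plan.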