4

This curl works fine:

curl acme:acmesecret@localhost:9999/uaa/oauth/token  -d "password=password&username=user&grant_type=password" -H "Accept: application/json"

In this curl, acme and acmesecret are the client credentials used by the application to authenticate with the authorization server running at localhost:9999.

I am trying to make the same request using Postman (REST client for Chrome).

Here is the screenshot (I entered the credentials in the Basic Auth tab):

[screenshot: Postman request with the credentials entered in the Basic Auth tab]

Here is the preview of the request that is sent out (NOTE: the Authorization: Basic header is added):

[screenshot: Postman request preview showing the Authorization: Basic header]

I am getting the error "invalid_client". How do I fix this?

Thanks

brain storm
  • 30,124
  • 69
  • 225
  • 393
  • In your curl request, you have the _user's_ credentials in the form data (which is correct), but in the Postman request, you are putting the client's credentials. Did you accidentally switch the credentials? Client credentials should go in auth header, while user credentials go in the form data – Paul Samsotha Aug 28 '15 at 17:51
  • It's the other way round: user credentials should go in the basic digest header. You can see that in the preview image above. The client id and secret are sent as `acme:acmesecret@localhost:...`. I am wondering how to send this in Postman. – brain storm Aug 28 '15 at 18:01
  • If acme is the client_id and acmesecret is the client_secret, and you are making an OAuth 2.0 password grant request, then the client_id:client_credentials go in the auth header. Your curl request is sending them in the auth header. Add the `-i` switch to see the header. Then make the change in Postman; you should see the same base64 in the auth header. – Paul Samsotha Aug 28 '15 at 18:04
  • The `-d` is the form data. And in an OAuth 2.0 password grant request, the user credentials _should_ go in the form data, as the curl request shows. – Paul Samsotha Aug 28 '15 at 18:06
  • Thanks, that helped. I followed what you suggested and it is working now. – brain storm Aug 28 '15 at 18:08

2 Answers

3

cURL

acme:acmesecret@localhost:9999/uaa/oauth/token

acme:acmesecret are the HTTP client credentials sent in the basic auth header. You can add the -v switch to see the headers in the request.

-d "password=password&username=user&grant_type=password"

This is the form data.

In the Postman request, you have it switched around. You have the client credentials in the form data, and I'm guessing you have the user credentials in the auth header.

Just switch them. For an OAuth 2.0 password grant request, the client credentials should go in the auth header, while the user credentials go in the form data.

bytehala
  • 665
  • 1
  • 10
  • 25
Paul Samsotha
  • 205,037
  • 37
  • 486
  • 720
  • by adding -i, I did not see the authorization header. I see only this `HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Cache-Control: no-store Pragma: no-cache Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Date: Fri, 28 Aug 2015 18:06:24 GMT` – brain storm Aug 28 '15 at 18:15
  • Yeah, I guess it doesn't work like that. I must be mistaken. It is still part of the HTTP credentials though. This is in the spec. It's discouraged to put the credentials in the URL anyway. Instead, with curl you use `-u username:password` and it will go in the header. If you want to be even safer and not have the password stored in the shell history, just use `-u username` and it will prompt for the password. – Paul Samsotha Aug 28 '15 at 18:18
  • Oh, and that is the response. Check the request headers. Maybe it is in there. I don't know. Do you see the request headers or just the response headers? If only the response, use the `-v` (verbose) switch. Requests start with `>` while responses start with `<`. Or maybe the other way around :-) Too lazy to check. – Paul Samsotha Aug 28 '15 at 18:23
  • So the header _is_ there when you put the credentials in the url? – Paul Samsotha Aug 28 '15 at 18:26
  • @peeskillet I am trying to perform a basic login operation using the API URL through Postman, "POST https:///TestDataManager/user/login" with basic auth. I am able to log in by accessing the portal but not through the API call. Do I need to have special rights to communicate with the server/application through the API? The response that I am getting now is a 401 error. – mwKART Jan 11 '18 at 11:35
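Both halves of the exchange the answer describes, as an added example that is not part of the original answer or of the Spring Security OAuth server the question runs: the client side builds the request the way `curl -u acme:acmesecret` or Postman's Basic Auth tab does (client credentials base64-encoded in `Authorization: Basic`, user credentials URL-encoded in the form body), and a hypothetical stand-in for the `/uaa/oauth/token` endpoint checks the client credentials before it looks at the form body, so the swapped layout from the question fails with `invalid_client` even though the user's password is correct. The `CLIENTS` and `USERS` tables, `token_endpoint` and the token it returns are constructed for illustration and do not reflect the real server's implementation.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample data, matching the question: one registered OAuth client
# and one resource owner (user). A real server would load these from storage.
CLIENTS = {"acme": "acmesecret"}
USERS = {"user": "password"}


def basic_auth_header(client_id, client_secret):
    """Build the Authorization value that `curl -u id:secret` or Postman's
    Basic Auth tab sends: 'Basic ' + base64(id + ':' + secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_password_grant_request(client_id, client_secret, username, password):
    """Return (headers, body) for an OAuth 2.0 resource owner password grant.
    Client credentials go in the header, user credentials in the form body."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return headers, body


def _secret_matches(expected, given):
    """Constant-time comparison so a wrong secret cannot be guessed byte by byte."""
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), given.encode("utf-8"))


def token_endpoint(headers, body):
    """Hypothetical stand-in for POST /uaa/oauth/token (not the real server's code).
    Order matters: the client is authenticated from the Authorization header first;
    only then is the form body parsed and the user's credentials checked."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return {"error": "invalid_client"}
    client_id, _, client_secret = decoded.partition(":")
    if not _secret_matches(CLIENTS.get(client_id), client_secret):
        # The question's Postman request put the *user's* credentials here,
        # so it never got past this point.
        return {"error": "invalid_client"}

    form = parse_qs(body)
    if form.get("grant_type") != ["password"]:
        return {"error": "unsupported_grant_type"}
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if not _secret_matches(USERS.get(username), password):
        return {"error": "invalid_grant"}
    return {"access_token": f"token-for-{username}", "token_type": "bearer"}


def swapped_request():
    """The mistake from the question: user credentials in the auth header,
    client credentials in the form body."""
    return build_password_grant_request("user", "password", "acme", "acmesecret")


if __name__ == "__main__":
    ok_headers, ok_body = build_password_grant_request("acme", "acmesecret", "user", "password")
    print(ok_headers["Authorization"])          # same value curl -v shows for -u acme:acmesecret
    print(token_endpoint(ok_headers, ok_body))  # access token
    print(token_endpoint(*swapped_request()))   # {'error': 'invalid_client'}
```

The `Authorization` value printed for the correct request is what `curl -v -u acme:acmesecret ...` shows in its `>` request lines, and what Postman's preview shows once `acme`/`acmesecret` are moved into the Basic Auth tab; comparing that one line in both tools is the quickest check that the two requests are the same.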
0

I found this piece of information from the Postman docs to be quite helpful, in case others need more clarification.

Postman > Sending API Requests > Authorization

https://learning.getpostman.com/docs/postman/sending_api_requests/authorization/

vsvs
  • 1,975
  • 2
  • 12
  • 14