3

I have a web app which uses Google OAuth2 for security. There are many API endpoints which I need to test through Postman, but they require the user to authenticate using Google.

When I access some API, say localhost:8080/user, the web app redirects to the Google login page if the user is not authenticated, and sends results after authentication. Otherwise, if the user is already authenticated, it simply sends back the results. I can also use localhost:8080/login to explicitly log in the user (which is what the login button does on the homepage). This works fine for browsers, but it does not work in Postman.

How do I do the same in Postman? Trying to access the API returns the Google login page, but there is no way to provide credentials (username, password and OTP). Is there a way by which I could log in using the localhost:8080/login endpoint?

Registered User

2 Answers

1

One can use the "Get New Access Token" option that is shown when OAuth2 is selected as the auth option.

Upon selecting this option, add the relevant details, the same as those in your application. Clicking "Request Token" should now show a simple browser-like window, where the OAuth provider's login page will be shown.

Upon login, Postman saves the token, which can then be used for further requests.

I have created a blog post with a little bit more detail.

Registered User
0

I think you may be able to use the "Pre-request Script" feature to accomplish what you need.

Assuming POST /login is accessible, and you are able to store the session data for the authenticated session, you can use the "Pre-request Script" feature to perform the authentication before each request. (This can be done at the collection level, or the request level.)

Here is an example of what I do on some of the endpoints I use that require authentication...

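// Login request sent from the pre-request script before the real request runs.
const loginRequest = {
    url: "http://localhost:1337/login",
    method: "POST",
    // Declare the raw body as JSON so the server parses it.
    header: { "Content-Type": "application/json" },
    body: {
        mode: "raw",
        raw: JSON.stringify({
            email: 'user@domain.com',
            password: 'so much security goin on here.'
        })
    }
};

pm.sendRequest(loginRequest, function (err, response) {
    // On a transport error `response` is undefined, so check `err` first.
    if (err) {
        console.log(err);
        return;
    }
    const responseJSON = response.json();
    // Store the token so later requests can reference {{jwt_token}}.
    pm.environment.set('jwt_token', responseJSON.token);
    console.log(pm.environment.get('jwt_token'));
});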

This is NOT THE BEST way to handle pre-authenticating for protected endpoints; instead of making one request, you're making two, every time. What I usually do is hit POST /login, store what I need from that result in collection/environment/global variables, and use those variables in my other requests. I use the "two-request" method as a hack for situations where I have a third-party auth I need to perform (similar to what I think you're trying to do) or when I am creating/debugging an API that requires authentication on each request.

If I am way off here, let me know in the comments and I will update my response(s).

Ed Meacham
  • "What I usually do is hit POST /login, store what I need ..., and use those variables in my other requests" Is it possible to do so with Google? I wonder if I could log in through Firefox, and get the token somehow to use in Postman? – Registered User Dec 16 '17 at 09:53
  • You could try that... when you log in, there has to be something that comes back from Google--your app (server-side logic) needs something from Google to say "yes, this person is authenticated" so you can use it. Whatever it is that your app needs from Google is what we're looking to store and access. – Ed Meacham Dec 18 '17 at 14:59
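
The "store it and reuse it" approach from the second answer, as an added example that is not part of the original answers: a pre-request script that only calls POST /login when the cached token is missing or about to expire. It assumes the login response token is a JWT with a standard `exp` claim and that the sandbox provides a global `atob()`; the `login_email` and `login_password` variable names are hypothetical.

```javascript
// Added example: Postman pre-request script that reuses a cached JWT.
// Assumptions: the token is a JWT with an "exp" claim; atob() is available.

const SKEW_SECONDS = 30; // refresh slightly early to absorb clock drift

// Read the "exp" claim without verifying the signature. This is a cache
// hint only; the server remains the authority on token validity.
function tokenExpiry(token) {
    if (typeof token !== "string") return null;
    const parts = token.split(".");
    if (parts.length !== 3) return null;
    try {
        const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
        const claims = JSON.parse(atob(b64));
        return typeof claims.exp === "number" ? claims.exp : null;
    } catch (e) {
        return null; // payload is not base64url-encoded JSON
    }
}

// True when there is no usable token, so a login request is required.
function needsLogin(token, nowSeconds) {
    const exp = tokenExpiry(token);
    return exp === null || exp - SKEW_SECONDS <= nowSeconds;
}

// Runs only inside Postman, where `pm` exists.
if (typeof pm !== "undefined") {
    const now = Math.floor(Date.now() / 1000);
    if (needsLogin(pm.environment.get("jwt_token"), now)) {
        pm.sendRequest({
            url: "http://localhost:1337/login",
            method: "POST",
            header: { "Content-Type": "application/json" },
            body: {
                mode: "raw",
                raw: JSON.stringify({
                    // Hypothetical variable names; keeps secrets out of the script.
                    email: pm.environment.get("login_email"),
                    password: pm.environment.get("login_password")
                })
            }
        }, function (err, response) {
            if (err || response.code >= 400) {
                console.log("login failed", err || response.code);
                return;
            }
            pm.environment.set("jwt_token", response.json().token);
        });
    }
}
```

Other requests can then send the stored value, for example as `Authorization: Bearer {{jwt_token}}`, if that is the scheme the API expects.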