
I'm using Postman a lot for API development. Most of the time I use OAuth 2.0 for authentication. As this post says, the Authorization Code flow steps are as follows:

  • The application opens a browser to send the user to the OAuth server

  • The user sees the authorization prompt and approves the app’s request

  • The user is redirected back to the application with an authorization code in the query string

  • The application exchanges the authorization code for an access token

In step 3, I think the user is redirected back to the application by using the redirect URL. But what we always provide in the request is the configured URL of the real application that should get the auth code, not Postman. I'm quite confused about how Postman can get the auth token when the redirect URL has no info about it.

lohk

1 Answer


The identity provider will create the authorisation code and return it to the redirect URI as a query string parameter named code; the URL will be yourdomain.com/app?code=authorisation-code

In Postman it is possible to retrieve an access token for an Authorisation Code flow client.

Click the Authorisation tab for a request, and in the Type dropdown select OAuth 2.


Then click the orange Get Access Token button. It will open a new window where you can input your client and IdP information.


When you click the Request Token button it will prompt you to enter your credentials. At this point it will retrieve the authorisation code and automatically exchange it for an access token using the client ID, secret and scopes that you configured on this screen. If everything is successful, you will receive your access token.

I am currently tracking a question on how to automate this process to be executed as part of the execution runner: Postman - Access Token Retrieval using Authorisation Code grant type

Dharman
Dave Morrison
  • Hi Dave. Thanks for the detailed answer. I still have a question: in the Get New Access Token picture you pasted above, in the Callback URL field, what I'm configuring here is the URL to my app (e.g. yourdomain.com/app). I still don't understand how Postman can get the authorization code to exchange for a token if the identity provider sends the auth code back to that callback URL. Can you elaborate more on that? – lohk Oct 16 '20 at 22:05
  • Hi @Dave, were you able to automate the code grant type flow? – Niroshan K Feb 01 '22 at 07:09
  • Not yet. Still thinking lol – Dave Morrison Aug 04 '22 at 15:46
  • @DaveMorrison still thinking? lol – Waheed Khan Aug 01 '23 at 09:48
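The two client-side halves of the flow the answer describes (reading the code out of the redirect query string, then building the token-exchange request), as an added example that is not part of the original question or answer. The token endpoint, client credentials and the sample callback URL are constructed placeholders; the redirect URI shape is the one given in the answer.

```python
"""Authorization Code grant, client side: parse the redirect back to the
client and build the request that exchanges the code for an access token.
Added example; endpoint, credentials and callback URL are placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_ENDPOINT = "https://idp.example/oauth2/token"   # assumed placeholder
REDIRECT_URI = "https://yourdomain.com/app"            # shape from the answer


def build_authorize_params(client_id, scope, state):
    """Query parameters the client sends when opening the browser (step 1)."""
    return {"response_type": "code", "client_id": client_id,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}


def extract_code(callback_url, expected_state):
    """Step 3: pull `code` out of the redirect query string.
    `state` must equal the value this client generated in step 1; a mismatch
    means the callback was not produced by our own authorization request,
    so the code is discarded rather than exchanged."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discarding callback")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"][0]


def build_token_request(code, client_id, client_secret):
    """Step 4: form body POSTed to the token endpoint to exchange the code.
    redirect_uri must match the one used in step 1 or the IdP rejects it."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": client_id,
            "client_secret": client_secret}
    return TOKEN_ENDPOINT, urlencode(body)


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_params("my-client", "openid", state))
    # constructed callback URL in the shape shown in the answer
    callback = f"{REDIRECT_URI}?code=authorisation-code&state={state}"
    print(build_token_request(extract_code(callback, state), "my-client", "my-secret"))
```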