8
votes

I have an Azure web API application which is secured by an azure active directory tenant. Through Postman I am trying to obtain the OAuth2 access token using Postman's OAuth2 Helper. The get access-token requires four bits of info: The tenant auth endpoint, the tenant token endpoint, the client id and the client secret of the associated tenant application. It also seems that the tenant application reply url must include https://www.getpostman.com/oauth2/callback which is where postman is supposed to retrieve the token into the helper.

I can't get this to work. The get access token button reports back an error but it is very hard to decipher what the error is: the debug url reveals nothing really.

Has anyone had any experience attempting to get an AAD Oauth access token with postman's OAuth2 helper? If so, do you have any hints as to where I should look to debug what is going on?

4
Are you getting specific errors at all? I don't have specific experience with Postman but have you checked the application in Azure AD has the appropriate permissions it requires and validated the tokens and keys are all correct? Have you also looked at this post on Windows IT Pro? – Martyn C
When I got back a bad response, the debug url you mentioned actually had a very long detailed error description, strangely in the query string of the URL. – bkwdesign

4 Answers

4
votes

The extension sadly lacks one critical field for Azure AD. AAD must know what resource you want the token for, since a token will not work for all APIs that your app has permissions for. The authorization code is actually retrieved successfully, but the request to the token endpoint fails with an error message about the missing resource identifier. So you can't use it with AAD, neither authorization code or client credential flow works.

Update: The Azure AD v2 endpoint allows you to use the scope parameter instead of resource, which Postman does support!

2
votes

You can set the resource ID as a parameter to the Auth URL.

Auth URL: https://_______________?resource=https://_________
0
votes

I am attempting the same authentication flow with the postman app (vs extension). Watching fiddler it appears that the authorization grant is coming back as I see a response from AAD of the form, GET https://www.getpostman.com/oauth2/callback?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq....

I'm assuming the "code" is the authorization grant because if I attempt to use it as the access token it is unauthorized. Also the fiddler session responds with a 301 Moved Permanently to https://app.getpostman.com/oauth2/callback...

This is my experience with AAD and Postman. You should first validate that you successfully authenticated through AAD and Postman.

0
votes

Adapted from this post

  1. set up a dedicated 'postman-test' app registration in AD tenant, with permission to access your target API. Ensure it has the postman callback url previously mentioned.
  2. fill in Postman's OAuth helper form with following details:

    • Token Name – Any name to save the token.
    • Auth Url – https://login.microsoftonline.com/{tenant}/oauth2/authorize?resource={testing-appId-uri}
    • Access Token Url – https://login.microsoftonline.com/{tenant}/oauth2/token
    • Client ID – Client Id from configure tab of “postman-test” app.
    • Client Secret – Client secret copied from configure tab of “postman-test” app.
    • Grant Type – Authorization Code

Note:

  • tenant – It can be either the name of the active directory or the TenantId of the admin who created the active directory.

  • testing-appId-uri – the App ID URI of the application you are testing. It should include the http:// or https:// and does not need escaping.
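The requests behind the helper form above, and the missing-`resource` failure the first answer describes, as an added example that is not code from the question or any answer. TENANT, CLIENT_ID, CLIENT_SECRET and APP_ID_URI are placeholders; the endpoint shapes are the ones given in the answers, plus the v2 path that takes `scope` instead of `resource`, and the callback parser reads the `code` or the `error`/`error_description` query parameters that AAD returns to Postman's callback URL.

```python
"""Build and check the Azure AD v1/v2 authorization-code requests behind Postman's helper.

Added example, not code from the question or any answer. TENANT, CLIENT_ID,
CLIENT_SECRET and APP_ID_URI are placeholders; the endpoint shapes are the
ones the answers give, plus the v2 path that takes `scope` instead of `resource`.
"""
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "contoso.onmicrosoft.com"                    # placeholder directory name or tenant id
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder client id of 'postman-test'
CLIENT_SECRET = "<client-secret-placeholder>"
APP_ID_URI = "https://contoso.onmicrosoft.com/my-web-api"  # placeholder App ID URI of the target API
POSTMAN_CALLBACK = "https://www.getpostman.com/oauth2/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"


def build_auth_url(resource: str, state: str = "xyz") -> str:
    """v1 authorize URL. Postman's helper has no box for `resource`, so it is
    appended to the Auth URL as a query parameter, as the answers describe."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": POSTMAN_CALLBACK, "resource": resource, "state": state}
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def build_v2_auth_url(scope: str, state: str = "xyz") -> str:
    """v2 authorize URL: `scope` replaces `resource`, and Postman has a field for it."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": POSTMAN_CALLBACK, "scope": scope, "state": state}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(code: str, resource: str) -> dict:
    """Form body for the v1 token endpoint; omitting `resource` is what makes AAD reject it."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": POSTMAN_CALLBACK, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "resource": resource}


def parse_callback(url: str) -> dict:
    """Read the redirect AAD sends to Postman's callback: `code` on success,
    `error`/`error_description` (in the query string) on failure."""
    q = parse_qs(urlparse(url).query)
    if "code" in q:
        return {"ok": True, "code": q["code"][0], "state": q.get("state", [None])[0]}
    return {"ok": False, "error": q.get("error", ["unknown"])[0],
            "error_description": q.get("error_description", [""])[0]}
```

Compare the `state` in the parsed callback with the one you sent before exchanging the code, and post the body from `build_token_request` to the Access Token Url as a form.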