3
votes

Using Postman, I'm struggling to retrieve my Identity Server 3 token.

Error code is : 400 Bad Request

Here are the details:

POST /identity/connect/token HTTP/1.1

Host: localhost:44358

Content-Type: application;x-www-form-urlencoded

Cache-Control: no-cache

Postman-Token: 57fc7aef-0006-81b2-8bf8-8d46b77d21d1

username=MYUSER-ID&password=MY-PASSWORD&grant_type=password&client_id=rzrwebguiangulajsclient&client_secret=myclientsecret&redirect_uri=https://localhost:44331/callback

I've done something similar with a simple Visual Studio 2015 WebApi project, where the endpoint was \token.


Any guidance/advice is appreciated...

regards, Bob


2 Answers

9
votes

The minimum required for a Resource Owner OAuth request is the following (line breaks added for readability):

POST /connect/token

Header

Content-Type: application/x-www-form-urlencoded

Body

username=MYUSER-ID
&password=MY-PASSWORD
&grant_type=password
&client_id=rzrwebguiangulajsclient
&client_secret=myclientsecret
&scope=api

Off the bat you are not requesting a scope in your request. Otherwise there is most probably something wrong in the configuration of your client within Identity Server.

Your best bet would be to enable logging and look at what comes back when this request errors.

Update: also, please don't use the ROPC grant type.

2
votes

I'm happy to say that we got Postman to work.

It turns out I was so close to getting Postman to work with Identity Server 3 Authorization.

The final piece to the solution was setting the Postman client Flow to Flow = Flows.ClientCredentials (see the postmantestclient client definition below):

using System.Collections.Generic;
using IdentityServer3.Core.Models;

namespace MyWebApi.MyIdentityServer.Config
{
    public static class Clients
    {
        public static IEnumerable<Client> Get()
        {
            return new[]
            {
                new Client
                {
                    ClientId = MyConstants.MyIdentityServer.MyWebGuiClientId,
                    ClientName = "My Web Gui Client",
                    Flow = Flows.Implicit,
                    AllowAccessToAllScopes = true,

                    IdentityTokenLifetime = 300,
                    AccessTokenLifetime = 300,  // 5 minutes
                    RequireConsent = false,

                    // redirect = URI of the Angular application
                    RedirectUris = new List<string>
                    {
                        MyConstants.MyIdentityServer.MyWebGuiUri + "callback.html",

                        // for silent refresh
                        MyConstants.MyIdentityServer.MyWebGuiUri + "silentrefreshframe.html"
                    },
                    PostLogoutRedirectUris = new List<string>
                    {
                        MyConstants.MyIdentityServer.MyWebGuiUri + "index.html"
                    }
                },
                new Client
                {
                    ClientId = MyConstants.MyIdentityServer.SwaggerClientId,
                    ClientName = "Swagger Client",
                    Flow = Flows.Implicit,
                    AllowAccessToAllScopes = true,

                    IdentityTokenLifetime = 300,
                    AccessTokenLifetime = 300,  // 5 minutes
                    RequireConsent = false,

                    // redirect = OAuth2 callback page of the Swagger UI
                    RedirectUris = new List<string>
                    {
                        "https://localhost:44358/swagger/ui/o2c-html"
                    }
                },
                new Client
                {
                    ClientId = "postmantestclient",
                    ClientName = "Postman http test client",
                    // client credentials flow: the token request carries only the
                    // client id and secret, no user name or password
                    Flow = Flows.ClientCredentials,
                    AllowAccessToAllScopes = true,

                    IdentityTokenLifetime = 300,
                    AccessTokenLifetime = 300,  // 5 minutes
                    RequireConsent = false,

                    // the secret is stored hashed; Postman sends the plain "PostmanSecret"
                    ClientSecrets = new List<Secret>
                    {
                        new Secret("PostmanSecret".Sha256())
                    },

                    RedirectUris = new List<string>
                    {
                        "https://www.getpostman.com/oauth2/callback"
                    }
                }
            };
        }
    }
}
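The two answers together describe what a token request must look like: the first gives the minimum body for the resource owner password grant (note the scope and the exact Content-Type), and the second switches the Postman client to Flows.ClientCredentials, which changes the body again (client id and secret only, no user name or password). The following is an added example, not code from the question, the answers or IdentityServer3: it builds a token request for either grant type and sanity-checks one offline before it is sent, so that a 400 can be narrowed down without turning on server logging. The function names, the parameter table and the scope value "api" (taken from the first answer) are assumptions; the question's own request is reconstructed as constructed sample input.

```python
"""Build and sanity-check OAuth 2.0 token requests for a /connect/token endpoint.

Added example; not the page's or IdentityServer3's own code. It never talks to a
server: it only produces and inspects the headers and form body of a request.
"""
from urllib.parse import parse_qs, urlencode

FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"

# Body parameters each grant type must carry (assumed table, following the two
# answers: client authentication is sent in the body and a scope is required).
REQUIRED_PARAMS = {
    "password": {"grant_type", "username", "password", "client_id",
                 "client_secret", "scope"},
    "client_credentials": {"grant_type", "client_id", "client_secret", "scope"},
}


def build_token_request(grant_type, client_id, client_secret, scope,
                        username=None, password=None):
    """Return (headers, body) for a token request of the given grant type."""
    params = {
        "grant_type": grant_type,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    if grant_type == "password":
        # ROPC is the only grant here that carries end-user credentials.
        if username is None or password is None:
            raise ValueError("password grant needs username and password")
        params["username"] = username
        params["password"] = password
    headers = {"Content-Type": FORM_CONTENT_TYPE}
    return headers, urlencode(params)


def check_token_request(headers, body):
    """Return the list of problems a token endpoint would reject this request for.

    An empty list means the request has the shape the answers describe.
    """
    problems = []
    # The media type must be exactly the form type; a parameter such as
    # "; charset=utf-8" is allowed, a mistyped separator is not.
    ct = headers.get("Content-Type", "")
    if ct.split(";")[0].strip().lower() != FORM_CONTENT_TYPE:
        problems.append(f"Content-Type must be {FORM_CONTENT_TYPE}, got {ct!r}")
    fields = parse_qs(body, keep_blank_values=True)
    grant = fields.get("grant_type", [""])[0]
    required = REQUIRED_PARAMS.get(grant)
    if required is None:
        problems.append(f"unsupported grant_type {grant!r}")
        return problems
    for name in sorted(required - set(fields)):
        problems.append(f"missing parameter {name}")
    if grant == "client_credentials":
        # A client-credentials request authenticates the client only.
        for name in ("username", "password"):
            if name in fields:
                problems.append(f"{name} does not belong in a client_credentials request")
    return problems


# Constructed sample input: the request from the question, as posted.
QUESTION_HEADERS = {"Content-Type": "application;x-www-form-urlencoded"}
QUESTION_BODY = (
    "username=MYUSER-ID&password=MY-PASSWORD&grant_type=password"
    "&client_id=rzrwebguiangulajsclient&client_secret=myclientsecret"
    "&redirect_uri=https://localhost:44331/callback"
)


if __name__ == "__main__":
    for problem in check_token_request(QUESTION_HEADERS, QUESTION_BODY):
        print("question's request:", problem)
    hdrs, body = build_token_request("password", "rzrwebguiangulajsclient",
                                     "myclientsecret", "api",
                                     "MYUSER-ID", "MY-PASSWORD")
    print("ROPC request problems:", check_token_request(hdrs, body))
    hdrs, body = build_token_request("client_credentials", "postmantestclient",
                                     "PostmanSecret", "api")
    print("client_credentials body:", body)
    print("client_credentials problems:", check_token_request(hdrs, body))
```

Run against the question's request the checker reports two things the first answer also points at: the Content-Type header does not read application/x-www-form-urlencoded, and no scope is requested. The extra redirect_uri is simply ignored, since the token endpoint does not need it for either grant. For the Postman client from the second answer the body built for client_credentials contains no username or password at all, which is why that client definition needs no user account behind it.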