1
votes

I am using POSTMAN to test OAuth2.0 AuthCode flow for MSGraph. Following are details of the same:

AuthCode URL : https://login.microsoftonline.com/{tenant_id}/oauth2/authorize

AccessToken URL : https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

When I did some research to see how to test OAuth2.0 using POSTMAN, I was able to find some threads that helped me generate the access token and hit the user profile API to get the user details, as shown in the screenshot below:


But I have a weird requirement where I would like to generate an AuthCode in a separate request, then use it in another request to get the access token, and then use the access token to get the user details in a separate request.

Can someone please help me with the above requirement?

2
What do you mean by separate request? – Carl Zhao

Usually, using the auth code flow to obtain a token to access the Graph API requires the following three steps: 1. Request an authorization code; 2. Request an access token; 3. Use the access token. Each step is a separate request. docs.microsoft.com/en-us/azure/active-directory/develop/… – Carl Zhao

@CarlZhao - Separate POSTMAN requests. Yes, I agree, but when you google "how to test OAuth2.0 using postman" you find that it's a single request, which should be the user profile URL, and in the Authorization tab we need to select Type as OAuth2.0. I have updated the question and attached the screenshot of the same. – FAIZAN AHMED KHAN

Obtaining the code is an interactive process, which requires you to log in as a user, and requires you to execute the request in the browser: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? client_id=6731de76-14a6-49ae-97bc-6eba6914391e &response_type=code &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &response_mode=query &scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read &state=12345 – Carl Zhao

2 Answers

1
votes

You can first request the authorization code in your browser:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={your-client-id}
&response_type=code
&redirect_uri=https://localhost:4500/web/completeoauth/ms
&response_mode=query
&scope=https://graph.microsoft.com/mail.read
&state=12345


Then use the authorization code to request the token in postman:

Update:

If you don’t want to use a browser, just don’t check the Authorize using browser checkbox, and then set the Callback URL to your Redirect URIs. When you request a token, it will prompt you to log in.

After you log in, it will return the access token directly to you. But you will not see the code; this is because the system directly exchanges your code for a token and returns it to you.

0
votes

In Postman, in the Tests tab of the first request, you need to store the AuthCode in an environment variable: pm.environment.set("authCode", authCode).

You can then use that in the pre-request script of the next request via pm.environment.get("authCode"), or in the headers or as a URL parameter: {{authCode}}.
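Putting the environment-variable approach into a concrete Tests-tab script, as an added example that is not code from either answer: it parses the authorization code out of the redirect URL the browser lands on, refuses to store it when the state value does not match the one sent on the authorize request (that check is what makes the code usable only for the flow you started), and saves it as authCode for the token request. The helper name extractAuthCode and the environment variables redirectUrl and oauthState are assumptions; the parser also accepts fragment-style redirects, which goes beyond the response_mode=query form shown in this thread.

```javascript
// Added example, not from the question or either answer.
// Parses a redirect such as (constructed, using the redirect_uri from the answer):
//   https://localhost:4500/web/completeoauth/ms?code=<code>&state=12345
// Handles both response_mode=query (?code=...) and response_mode=fragment (#code=...).
function extractAuthCode(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // URLSearchParams tolerates the leading "?"; for fragment mode drop the "#".
  const params = new URLSearchParams(url.search || url.hash.slice(1));

  // The authorize endpoint reports failures in the same place as success
  // (error / error_description); surface them instead of storing a bogus code.
  if (params.has("error")) {
    throw new Error(
      `authorize request failed: ${params.get("error")} ` +
      `(${params.get("error_description") || "no description"})`
    );
  }

  // state must come back exactly as sent; a mismatch means this redirect does
  // not belong to the authorize request we issued, so the code must be discarded.
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: discarding authorization code");
  }

  const code = params.get("code");
  if (!code) {
    throw new Error("redirect carried no authorization code");
  }
  return code;
}

// Postman glue: only runs inside a Postman Tests script, where `pm` exists.
// Assumes (hypothetical variable names) the redirect URL the browser landed on was
// pasted into "redirectUrl" and the state sent on the authorize request into "oauthState".
if (typeof pm !== "undefined") {
  const code = extractAuthCode(
    pm.environment.get("redirectUrl"),
    pm.environment.get("oauthState")
  );
  pm.environment.set("authCode", code);
  // The token request then sends {{authCode}} as its "code" form field.
}
```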