2
votes

I'm using Postman a lot for API development. Most of the time I use OAuth 2.0 for authentication. As this post says, the Authorization Code flow steps are as below:

  • The application opens a browser to send the user to the OAuth server

  • The user sees the authorization prompt and approves the app’s request

  • The user is redirected back to the application with an authorization code in the query string

  • The application exchanges the authorization code for an access token

In step 3, I think the user is redirected back to the application by using the redirect URL. But what we always provide in the request is the configured URL for the real application that should get the auth code, not Postman. I'm quite confused about how Postman can get the auth token when the redirect URL has no info about it.


1 Answer

0
votes

The identity provider will create the authorisation code and return it to the redirect URI as a query string parameter named code, so the URL will be yourdomain.com/app?code=authorisation-code

In Postman it is possible to retrieve an access token for an Authorisation Code flow client.

Click the authorisation tab for a request and, under type, select OAuth 2.


Then click the orange Get Access Token button; it will open a new window where you can input your client and IdP information.


When you click the request token button it will prompt you to enter your credentials. At this point it will retrieve the authorisation code and automatically exchange it for an access token using the client id, secret and scopes that you configured on this screen. If everything is successful, you will receive your access token.

I am currently tracking a question on how to automate this process to be executed as part of the execution runner: Postman - Access Token Retrieval using Authorisation Code grant type
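The redirect and exchange the answer describes, as an added example that is not part of the original post or of Postman's own code: it builds the step 1 authorization URL, extracts the code from the step 3 redirect (accepting it only if the redirect went to the registered redirect URI and the state value matches the one the client generated), and builds the step 4 token request body. The provider URL, client id, secret and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values; not a real provider or client.
AUTHORIZE_URL = "https://idp.example/oauth2/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://yourdomain.com/app"

def build_authorization_url(state, scope="openid profile"):
    """Step 1: the URL the application opens in the browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # random per-login value, checked again in step 3
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def extract_code(redirect_url, expected_state):
    """Step 3: the IdP sends the browser back to redirect_uri with ?code=...&state=...
    Returns the code only if the redirect targets our registered URI and the
    state matches the value we generated (protects against CSRF and stale redirects)."""
    parts = urlsplit(redirect_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != REDIRECT_URI:
        raise ValueError("redirect did not target the registered redirect_uri")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting redirect")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect must carry exactly one code parameter")
    return codes[0]

def token_request_body(code, client_secret):
    """Step 4: form body POSTed to the token endpoint; the code is single-use."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one used in step 1
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

Generate the state with secrets.token_urlsafe(16) before step 1 and keep it in the session so step 3 can compare against it.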