0
votes

I'm trying to understand OAuth 2.0, which is scarcely and badly documented, and I'm trying to implement an OAuth 2.0 client call in my App. I am using Postman to simulate API calls, which works. Postman shows a big orange button "Get New Access Token", where I select Grant Type, URL, Client ID, Client Secret, Scope and Authentication type. Upon clicking the button Request Token, a new bearer token is returned by the API, meaning the authentication succeeded. This of course is a completely useless approach to me, because I have no idea what just happened. I need to create an actual request that shows me exactly how it is formed, so that a successful response with a bearer token is returned. Postman, for absolutely no reason, will not let me see that or convert its useless UI into a functional API request. All I have is a black box with an orange button "Request Token", which does who knows what.

Does anyone know how to form a working OAuth 2.0 bearer token request in Postman, preferably by converting their useless token request dialog directly into a request?


2 Answers

0
votes

After some research I have been able to form a valid OAuth2 token request. For clarity, here is a code sample, which we need to convert to Postman response:

using System;
using RestSharp;

// Token endpoint of the authorization server (api_address is a placeholder host)
var client = new RestClient("https://api_address/token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
// "hash" stands for base64(client_id + ":" + client_secret); Postman's Basic Auth tab builds it for you
request.AddHeader("Authorization", "Basic hash");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
// Body is form-encoded: grant_type=client_credentials
request.AddParameter("grant_type", "client_credentials");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);

The hash part of the request is formed from client_id and client_secret values. In Postman, this is defined as such:

  1. Create a simple POST request with the token API url.
  2. Go to the Authorization tab.
  3. Select Basic Auth.
  4. Enter client_id and client_secret into the corresponding fields as username and password.
  5. Go to the Body tab.
  6. Select x-www-form-urlencoded.
  7. Enter the key grant_type with the value client_credentials.

This example is for the client credentials flow. OAuth2 authors felt that calling auth scenarios as auth scenarios isn't cool enough, so they are called flows, which is nonsense, but sounds cooler.
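To make the "black box" concrete, here is an added Python example (not part of the answer above, and not Postman's or RestSharp's code) that builds the same client-credentials token request byte for byte: the Basic header from client_id and client_secret, the form-encoded body, the raw HTTP/1.1 request Postman sends, and a parser for the JSON the token endpoint answers with. The hostname auth.example.com, the client id my-app and the secret s3cret are constructed sample values. It also goes slightly beyond the answer: it applies the form-urlencoding of id and secret that RFC 6749 section 2.3.1 requires before base64 (a no-op for plain alphanumeric credentials, which is why Postman's plain Basic Auth usually works), and it redacts the Authorization header before the request is logged, since that header is the client secret in a reversible encoding.

```python
import base64
import copy
import json
import urllib.parse
from typing import Optional


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value of the Authorization header that Postman's Basic Auth tab produces.
    RFC 6749 section 2.3.1: form-urlencode id and secret, join with ':', base64."""
    user = urllib.parse.quote(client_id, safe="")
    password = urllib.parse.quote(client_secret, safe="")
    raw = f"{user}:{password}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_credentials(header_value: str) -> tuple:
    """Reverse of basic_auth_header: shows why the header must never be logged."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("ascii").partition(":")
    return urllib.parse.unquote(user), urllib.parse.unquote(password)


def build_token_request(token_url: str, client_id: str, client_secret: str,
                        scope: Optional[str] = None) -> dict:
    """Assemble the POST that the Postman steps above configure."""
    parsed = urllib.parse.urlsplit(token_url)
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope                     # space-separated scopes
    body = urllib.parse.urlencode(form)           # application/x-www-form-urlencoded
    headers = {
        "Host": parsed.netloc,
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body.encode("ascii"))),
    }
    return {"method": "POST", "path": parsed.path or "/", "headers": headers, "body": body}


def render_raw(req: dict) -> str:
    """Render the request as the HTTP/1.1 text that actually goes on the wire."""
    lines = [f"{req['method']} {req['path']} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def redact_for_log(req: dict) -> dict:
    """Copy of the request safe to write to a log: the Basic header is the secret."""
    safe = copy.deepcopy(req)
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "Basic [REDACTED]"
    return safe


def parse_token_response(body: bytes) -> dict:
    """Validate the token endpoint's JSON (RFC 6749 sections 5.1 and 5.2)."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token endpoint refused the request: {data['error']}")
    if "access_token" not in data:
        raise ValueError("token response carries no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "scope": data.get("scope"),
    }


if __name__ == "__main__":
    # Constructed sample values; nothing here is sent over the network.
    req = build_token_request("https://auth.example.com/oauth/token", "my-app", "s3cret")
    print(render_raw(req))
    print(render_raw(redact_for_log(req)))
    # Constructed sample of a successful token response.
    sample = b'{"access_token":"eyJ.sample.token","token_type":"Bearer","expires_in":3600}'
    print(parse_token_response(sample))
```

Running the script prints the exact request Postman's dialog hides (one line per header, blank line, then `grant_type=client_credentials`), followed by the redacted copy you would actually keep in a log. To send it for real, hand `req["headers"]` and `req["body"]` to any HTTP client over HTTPS only; the Basic header is the client secret and must not travel over plain HTTP or end up in a URL.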

0
votes

Process one: Process one

Process two: Process two

First, determine whether your token is passed through the header

It could be:

else process:
else process