Add roles in payload of client credentials

Hi, my use case is quite simple. I am running Postman tests and the APIs need a JWT token. Currently I am passing the bearer token manually, which I would like to automate.
In the payload of my bearer token I am adding roles with the help of rules.
I came across client-credentials, which could be one of the options to get a bearer token, but I am not able to add roles in the payload with the help of hooks.
Am I missing anything here?
Is using client-credentials the right option for my use case?

Hi @abelose90,

Welcome to the Auth0 Community!

Client credentials is for userless, machine to machine authorization.

Rules only run for user based flows.

I don’t fully understand your use case. Are you asking how to request a user’s access token via postman?

Hi Dan, thanks for clarification.

In the current set up I am running a rule. On successful user login the rule adds the roles assigned to the user to the access token.

My use case is, I am running some Postman test cases. The APIs for which I am running those test cases require a bearer token. These bearer tokens should have a specific role in the access token's payload. Currently I am doing the manual process of copying the bearer token by logging into the application, inspecting the page, going to the network tab, copying the access token and running those tests.
I would like to automate the process of fetching the access token with the appropriate roles.

Can you please tell me,

  1. Is it possible to request a user's token via Postman?

  2. I was also exploring the client credentials option. I am able to obtain an access token. I am wondering if I could add roles to the access token using client credentials, because without roles in the access token I cannot access any API.

Let me know if you need any more details.


Thanks for elaborating. I think I understand what you are trying to accomplish.

Yes, the easiest way to get a user’s token in postman is to use the resource owner password grant. This grant allows you to exchange a username/password directly for a token. It is important to understand that this grant type leaves your application open to some added security considerations, but that shouldn’t be a problem if you are only using it during testing/development. Just be sure to turn it off once you are finished.

This type of flow does not include roles, as there is no user involved.

Thanks @dan.woda .

I went through the documentation for resource owner password grant; this is applicable for Regular Web Apps. And one thing I missed informing you of is that I am using the SPA application type.
Is there any way of getting an access token for the SPA application type with the same use case?

You can get the access token in a SPA type application using this same method. We don't recommend it for production, like I mentioned, but you shouldn't have an issue using it to test getting some tokens in Postman.

This shows exactly how to make the call: Call Your API Using Resource Owner Password Flow
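To automate the step described above, here is an added Python example (not from the thread or from Auth0): it builds the resource owner password grant request to `/oauth/token`, and decodes the access token's payload to confirm the roles the rule added are present before the Postman run. The tenant domain, client id and the namespaced roles claim name are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumptions: replace with your tenant domain. Auth0 requires custom claims
# added by a rule to be namespaced URLs; the exact claim name is an assumption.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
ROLES_CLAIM = "https://example.com/roles"

def build_ropg_request(client_id, username, password, audience, scope="openid"):
    """Return (url, form_body) for a resource owner password grant request."""
    url = f"https://{AUTH0_DOMAIN}/oauth/token"
    body = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password,
            "audience": audience, "scope": scope}
    return url, urllib.parse.urlencode(body).encode()

def fetch_access_token(client_id, username, password, audience):
    """POST the grant to the tenant and return the access token (network call)."""
    url, body = build_ropg_request(client_id, username, password, audience)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def decode_jwt_payload(token):
    """Decode the JWT payload only; the API under test verifies the signature,
    here we just inspect the claims before handing the token to Postman."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def has_roles(token, required):
    """True if every role in `required` is present in the roles claim."""
    roles = decode_jwt_payload(token).get(ROLES_CLAIM, [])
    return set(required) <= set(roles)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token shaped like one the rule would produce.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "auth0|123", "aud": "https://api.example.com",
             ROLES_CLAIM: ["admin", "reader"]}),
    "constructed-signature",
])
```

Fetching a real token needs network access and the Password grant enabled on the application; the local decode does not verify the signature, which remains the API's job.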
