Client Credentials with Postman

mmindenhall · November 26, 2019, 6:13pm

This issue was raised before in this post, but was not resolved.

Postman has a “Get New Access Token” UI that supports obtaining a token via the Client Credentials grant type. This is a huge convenience, but it does not work for Auth0, as the Auth0 client credentials flow requires an audience parameter, which is not standard.

Using this feature with Auth0, Postman generates a request that looks like the following:

POST https://my-domain.auth0.com/oauth/token
Request Headers:
    Content-Type: "application/x-www-form-urlencoded"
    Accept: "*/*"
    ...
Request Body:
    grant_type: "client_credentials"
    scope: ""
    client_id: "*****"
    client_secret: "*****"

This request fails because the required audience value is missing.

As a workaround, I’d like to suggest that Auth0 support an alternative method of specifying the audience parameter within the scope. For example:

POST https://my-domain.auth0.com/oauth/token
Request Headers:
    Content-Type: "application/x-www-form-urlencoded"
    Accept: "*/*"
    ...
Request Body:
    grant_type: "client_credentials"
    scope: "api_audience:https://my-api.example.com"
    client_id: "*****"
    client_secret: "*****"

Specifying the audience in this way would satisfy the Auth0 API contract, while still allowing the use of 3rd party tools such as Postman to retrieve and manage tokens.

dan.woda · November 27, 2019, 12:52am

Hi @mmindenhall,

Welcome to the Auth0 Community Forum!

The best way to suggest a feature request like this is through out formal feedback page. This is the tool our product team uses to manage feature requests.

In the meantime, it looks like there is a pending issue to make this change to postman. There is talk of a workaround by adding audience as a qs param. Take a look at this github thread:
https://github.com/postmanlabs/postman-app-support/issues/2934

Hope this helps!

Thanks,
Dan

mmindenhall · December 3, 2019, 7:17pm

Hi Dan,

FYI, I have filed this ticket associated with the request.

The workaround (add audience as query param) mentioned in the Postman issue you referenced does not work for the Client Credentials grant type. It does work for the Authorization Code grant type, as documented within that thread and this Auth0 blog post.

Also, that Postman issue has been open since April 2017, so I’m not holding my breath on them getting around to fixing it anytime soon.

Thanks!

dan.woda · December 4, 2019, 12:04am

@mmindenhall,

That is unfortunate. Thanks for the link to the blog and your support ticket.

The feature request is being looked at from our product managers. It sounds like allowing the audience in the qs could also be a viable solution and is already in practice with other grant types (or if postman were to add it to their fields). I feel like that may be the path of least resistance, although there may be security implications that I have not looked at in this brief back-and-forth.

If you have more feedback related to this idea or otherwise feel free to file a feedback ticket like I mentioned above, it be looked at and will merge into the initial feature request. Also you are welcome to @ me if you have further questions or discussion.

Thanks,
Dan

dan.woda · December 18, 2019, 4:04am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.