Problem statement
How to test using Authentication Code Flow using POSTMAN?
Solution
- Start the flow by calling the /authorize endpoint
- You will be redirected to /u/login endpoint, capture the
state
parameter here. - Make a POST request to /u/login endpoint. Use the
state
parameter in both Request Body and Request Params. Also, pass theusername
andpassword
in the body (x-www-form-urlencoded). Capture astate
from aLocation
header. - Make a GET request to /authorize/resume endpoint using the
state
from the previous step. - Here you will get a CODE
- Exchange a CODE against a TOKEN by sending a POST request to /oauth/token endpoint.
POSTMAN COLLECTION (save as AuthCodeFlow.json and import into Postman):
{
"info": {
"_postman_id": "0bea1c8c-313e-4156-985d-74c11539f428",
"name": "Auth Code Flow",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"",
"_exporter_id": "15882021"
},
"item": [
{
"name": "1. Get to /authorize",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"GetState\", function () {",
" console.log(`Retrieving STATE...`)",
" let state = pm.response.headers.get('Location');",
" state = state.slice(state.lastIndexOf('=') + 1);",
" pm.environment.set(\"state\", state);",
" console.log(`Setting STATE (${state}) as environmental variable.`);",
" postman.setNextRequest(\"2. Post to /u/login\");",
"});"
],
"type": "text/javascript"
}
}
],
"protocolProfileBehavior": {
"followRedirects": false
},
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "https://{{auth0_domain}}/authorize?response_type=code&client_id={{auth0_client_id}}&redirect_uri={{redirect_uri}}",
"protocol": "https",
"host": [
"{{auth0_domain}}"
],
"path": [
"authorize"
],
"query": [
{
"key": "response_type",
"value": "code"
},
{
"key": "client_id",
"value": "{{auth0_client_id}}"
},
{
"key": "redirect_uri",
"value": "{{redirect_uri}}"
}
]
}
},
"response": []
},
{
"name": "2. Post to /u/login",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"GetResumeState\", function () {",
" console.log(`Retrieving RESUME_STATE...`)",
" let resume_state = pm.response.headers.get('Location');",
" resume_state = resume_state.slice(resume_state.lastIndexOf('=') + 1);",
" pm.environment.set(\"resume_state\", resume_state);",
"});"
],
"type": "text/javascript"
}
}
],
"protocolProfileBehavior": {
"followRedirects": false
},
"request": {
"method": "POST",
"header": [],
"body": {
"mode": "urlencoded",
"urlencoded": [
{
"key": "username",
"value": "b@b.com",
"type": "text"
},
{
"key": "password",
"value": "1234",
"type": "text"
},
{
"key": "state",
"value": "{{state}}",
"type": "text"
}
]
},
"url": {
"raw": "https://{{auth0_domain}}/u/login?state={{state}}",
"protocol": "https",
"host": [
"{{auth0_domain}}"
],
"path": [
"u",
"login"
],
"query": [
{
"key": "state",
"value": "{{state}}"
}
]
}
},
"response": []
},
{
"name": "3. Get to /resume",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"GetCode\", function () {",
" console.log(`Retrieving CODE...`)",
" let code = pm.response.headers.get('Location');",
" code = code.slice(code.lastIndexOf('=') + 1);",
" pm.environment.set(\"code\", code);",
"});"
],
"type": "text/javascript"
}
}
],
"protocolProfileBehavior": {
"followRedirects": false
},
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "https://{{auth0_domain}}/authorize/resume?state={{resume_state}}",
"protocol": "https",
"host": [
"{{auth0_domain}}"
],
"path": [
"authorize",
"resume"
],
"query": [
{
"key": "state",
"value": "{{resume_state}}"
}
]
}
},
"response": []
},
{
"name": "4. Exchange CODE against a TOKEN",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.test(\"GetToken\", function () {",
" console.log(`Retrieving TOKENS...`)",
" let tokens = pm.response.json();",
" console.log(tokens);",
"});"
],
"type": "text/javascript"
}
}
],
"request": {
"method": "POST",
"header": [],
"body": {
"mode": "urlencoded",
"urlencoded": [
{
"key": "grant_type",
"value": "authorization_code",
"type": "text"
},
{
"key": "client_id",
"value": "{{auth0_client_id}}",
"type": "text"
},
{
"key": "code",
"value": "{{code}}",
"type": "text"
},
{
"key": "redirect_uri",
"value": "{{redirect_uri}}",
"type": "text"
},
{
"key": "audience",
"value": "",
"type": "text",
"disabled": true
}
]
},
"url": {
"raw": "https://{{auth0_domain}}/oauth/token",
"protocol": "https",
"host": [
"{{auth0_domain}}"
],
"path": [
"oauth",
"token"
]
},
"description": "This is the OAuth 2.0 grant that regular web apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for an Access Token."
},
"response": []
}
]
}