Full Auth Code Flow using POSTMAN

Knowledge Solutions
, ,
1

Problem statement

How to test using Authentication Code Flow using POSTMAN?

Solution

  1. Start the flow by calling the /authorize endpoint
  2. You will be redirected to /u/login endpoint, capture the state parameter here.
  3. Make a POST request to /u/login endpoint. Use the state parameter in both Request Body and Request Params. Also, pass the username and password in the body (x-www-form-urlencoded). Capture a state from a Location header.
  4. Make a GET request to /authorize/resume endpoint using the state from the previous step.
  5. Here you will get a CODE
  6. Exchange a CODE against a TOKEN by sending a POST request to /oauth/token endpoint.

image
image1418×730 257 KB

POSTMAN COLLECTION (save as AuthCodeFlow.json and import into Postman):

{
	"info": {
		"_postman_id": "0bea1c8c-313e-4156-985d-74c11539f428",
		"name": "Auth Code Flow",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"",
		"_exporter_id": "15882021"
	},
	"item": [
		{
			"name": "1. Get to /authorize",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetState\", function () {",
							"    console.log(`Retrieving STATE...`)",
							"    let state = pm.response.headers.get('Location');",
							"    state = state.slice(state.lastIndexOf('=') + 1);",
							"    pm.environment.set(\"state\", state);",
							"    console.log(`Setting STATE (${state}) as environmental variable.`);",
							"    postman.setNextRequest(\"2. Post to /u/login\");",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://{{auth0_domain}}/authorize?response_type=code&client_id={{auth0_client_id}}&redirect_uri={{redirect_uri}}",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"authorize"
					],
					"query": [
						{
							"key": "response_type",
							"value": "code"
						},
						{
							"key": "client_id",
							"value": "{{auth0_client_id}}"
						},
						{
							"key": "redirect_uri",
							"value": "{{redirect_uri}}"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "2. Post to /u/login",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetResumeState\", function () {",
							"    console.log(`Retrieving RESUME_STATE...`)",
							"    let resume_state = pm.response.headers.get('Location');",
							"    resume_state = resume_state.slice(resume_state.lastIndexOf('=') + 1);",
							"    pm.environment.set(\"resume_state\", resume_state);",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "POST",
				"header": [],
				"body": {
					"mode": "urlencoded",
					"urlencoded": [
						{
							"key": "username",
							"value": "b@b.com",
							"type": "text"
						},
						{
							"key": "password",
							"value": "1234",
							"type": "text"
						},
						{
							"key": "state",
							"value": "{{state}}",
							"type": "text"
						}
					]
				},
				"url": {
					"raw": "https://{{auth0_domain}}/u/login?state={{state}}",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"u",
						"login"
					],
					"query": [
						{
							"key": "state",
							"value": "{{state}}"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "3. Get to /resume",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetCode\", function () {",
							"    console.log(`Retrieving CODE...`)",
							"    let code = pm.response.headers.get('Location');",
							"    code = code.slice(code.lastIndexOf('=') + 1);",
							"    pm.environment.set(\"code\", code);",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://{{auth0_domain}}/authorize/resume?state={{resume_state}}",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"authorize",
						"resume"
					],
					"query": [
						{
							"key": "state",
							"value": "{{resume_state}}"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "4. Exchange CODE against a TOKEN",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetToken\", function () {",
							"    console.log(`Retrieving TOKENS...`)",
							"    let tokens = pm.response.json();",
							"    console.log(tokens);",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"request": {
				"method": "POST",
				"header": [],
				"body": {
					"mode": "urlencoded",
					"urlencoded": [
						{
							"key": "grant_type",
							"value": "authorization_code",
							"type": "text"
						},
						{
							"key": "client_id",
							"value": "{{auth0_client_id}}",
							"type": "text"
						},
						{
							"key": "code",
							"value": "{{code}}",
							"type": "text"
						},
						{
							"key": "redirect_uri",
							"value": "{{redirect_uri}}",
							"type": "text"
						},
						{
							"key": "audience",
							"value": "",
							"type": "text",
							"disabled": true
						}
					]
				},
				"url": {
					"raw": "https://{{auth0_domain}}/oauth/token",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"oauth",
						"token"
					]
				},
				"description": "This is the OAuth 2.0 grant that regular web apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for an Access Token."
			},
			"response": []
		}
	]
}