How to get tokens to test our APIs from Postman?

Our mobile app project has a Quarkus backend and an Expo frontend.
The frontend SDK gets an access token from Auth0 and sends API calls to the backend.
But the token from Auth0 is an opaque token, so the backend is configured to validate the token with Auth0’s user-info endpoint.

Everything works as expected when requests are sent from the frontend UI. However, we need a way to test our API without using the frontend UI. As the opaque token can only be generated from the frontend SDK, we are not sure what the best way is to test the API with Postman.

Any suggestions or recommendations please? Thanks in advance!

Hi @xiaonan.zhang,

Welcome to the Auth0 Community!

If you have been getting an opaque access token, it means that the audience parameter was not included in the login request.

Given that, I recommend passing in the audience parameter, which references your API identifier, so you can get a JWT access token to be used against your API.

https://testrueben.auth0.com/authorize?
    response_type=code&
    client_id=HICy2jI4atNE6xjgFr7VrYYoUyiB5dbI&
    redirect_uri=https://youtube.com&
    scope={scope}&
    audience={apiAudience}&
    state={state}

Reference:

Please let me know if you have any questions.

Thanks,
Rueben

Thanks very much for your reply!

The goal is to test our backend APIs with Postman, so I’ve tried the Resource Owner Password Flow. It works if the Auth0 application type is set to “Regular Web App”. A normal JWT can be retrieved by calling https://<tenant>.auth0.com/oauth/token.

However, in our case the Auth0 application type is “Native”, which does not support the Resource Owner Password Flow. Do we need to create two applications, “Native” and “Regular Web App”, and configure our server with the credentials from both of them?

Regarding the opaque token, is it recommended to use an opaque token or a JWT with the audience configured?

Hi @xiaonan.zhang,

Thanks for the reply.

You will need the user to authenticate as usual with the audience parameter in the login request.

Is there a reason you are using Resource Owner Password grant flow instead of the authorization code grant flow?

You will need to get a JWT access token to access your API. The opaque access token is only meant to be used against the /userinfo endpoint.


(Reference: Get Access Tokens)

The sign-in is done in the frontend code, so in our case the React Native code calls auth0.authorize(). Then the React Native code calls auth0.getCredentials() to retrieve a token (opaque if no audience is set in the authorize() call).

After that, the token is included in the REST request Authorization header as a Bearer token for calling our serverside APIs.

Our server is Quarkus. Once the request is received, it goes to Auth0’s userinfo endpoint to validate the token and retrieve the user info.

Our backend server is only for validating tokens, so no login actions are performed directly on it. Based on the above, do you recommend always setting the audience to avoid using opaque tokens?

Token types aside, we need to test our serverside APIs via Postman. In this case the frontend code is not involved, and we need a way to get a token to call our APIs. But the Auth0 “Native” type application does not support the Resource Owner Password grant flow.


Attached is a diagram detailing the flow.


Hi @xiaonan.zhang,

Thanks for following up.

For testing your APIs in Postman, you will need to pass an audience parameter in your login request. This is intended to create a JWT access token to be used against your API. For example:

auth0.authorize({
    scope: 'openid profile email', // Specify the desired scopes
    audience: 'your-api-audience', // Specify the API audience
    // Add any additional parameters as needed
})

Yes, if you intend to use the token in the future against your API. Let me also add that you can get most of the information found in your opaque access token as you do in your JWT access token. If there are any attributes missing, you could always append them to your JWT access token as custom claims.

See Adding custom claims to tokens.

You will need to use the Authorization Code flow or the Client Credentials flow.

Thanks,
Rueben
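To make the last point concrete, here is an added example (not code from this thread, from Auth0, or from the poster's project) that walks through the Authorization Code flow with PKCE, which a Native application can use without a client secret: it builds the /authorize URL with the audience parameter, the matching /oauth/token request body, and a sanity check that the returned access token is a JWT rather than an opaque token. It is written in Python so the pieces can be run offline; the tenant domain, client ID, redirect URI and API audience are placeholders to replace with your own.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 using S256."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(domain, client_id, redirect_uri, audience, scope, state, challenge):
    """Step 1: open this URL in a browser and log in; the code comes back on redirect_uri."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "audience": audience,  # without audience Auth0 issues an opaque token usable only at /userinfo
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?" + urlencode(params)

def build_token_request(domain, client_id, code, verifier, redirect_uri):
    """Step 2: POST this body to /oauth/token; a Native app sends code_verifier, not a client_secret."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    }
    return f"https://{domain}/oauth/token", body

def looks_like_jwt(token: str) -> bool:
    """Step 3: a JWT is header.payload.signature with a JSON header that names an alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):  # not base64url or not JSON: opaque token
        return False
    return isinstance(header, dict) and "alg" in header
```

Postman's OAuth 2.0 helper with the "Authorization Code (With PKCE)" grant performs the same two requests once the audience is added as an extra auth parameter; if looks_like_jwt() is false on the result, the audience was not applied.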
