Regarding a question that is now closed because I took too long to reply (sorry!).
I would like to be able to step through the whole flow by making HTTP requests from a client on my local machine (e.g., cURL, Postman, Insomnia).
OAuth authentication with Postman will work to a point, but I guess what I’m after is the most granular view of the whole flow, with each API call being explicit. I don’t want to authenticate with another OAuth app to get and use an access token. I want to be able to see each API call happening and the relevant value from the response from each API call being passed to the next one, etc., etc.
Postman with OAuth is another layer of abstraction.
While tools like Postman and Insomnia are nice, there is a simpler way to view the network traffic of authentication flows. I prefer to reproduce the flow in a browser and use the browser’s integrated developer tools to review the request and responses associated with the various parties involved in the flow. Here are some tips:
First, ensure that you’ve got a working application running. If you don’t have one of your own, you can clone one of our sample apps from our Quickstart guides that aligns with the tech stack you prefer. Since most of our guides and SDKs implement the Authorization Code Flow (with PKCE for SPAs) by default, I’ll use this OAuth grant type in this example.
Once the app is spun up and running in your browser, open the dev tools by right-clicking in the window and selecting ‘Inspect’ from the menu (or option+command+I in most browsers). Ensure that you’re on the Network tab and that the Preserve log checkbox is checked.
Now you can initiate the login flow in that browser window and view the network traffic that occurs at each step of the flow. Note that the relevant endpoints may differ slightly depending on the OAuth grant type, connection, and whether you’re using the New Universal Login vs Classic Universal Login.
Here is a quick overview of some endpoints you may see:
/authorize The request that kicks off the entire login and specifies the details of the type of flow that you’re starting in the query string parameters. For example, response_type=code would tell your tenant that the client is asking to initiate the Authorization Code Flow.
/login The Universal Login page.
/login/callback This is where an external Identity Provider will return their auth verdict to your tenant if you log in using an enterprise or social connection.
/authorize/resume This endpoint triggers post-login extensibility flows like Rules and Actions.
/{your-apps-callback} This is not an endpoint of your tenant, like the others, but your application’s callback URL that you specify. This is where a code, or sometimes tokens, is returned back to your app, signaling a successful login.
/oauth/token This is where the code that your app received at its callback URL is exchanged for an ID token and access token.
Using this simple method, you can easily review HTTP requests, responses, headers, and cookies in great detail using just your standard testing browser. Additionally, you can export this data into a HAR file and use Google’s HAR Analyzer to review the data in a format that’s a little easier on the eyes. And lastly, you can use tools like samltool.io and jwt.io to decode and parse SAML Responses and JSON Web Tokens respectively for even more troubleshooting.
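For readers who, like the original poster, want each step of the Authorization Code Flow with PKCE as an explicit HTTP request rather than something a browser or Postman does behind the scenes, here is an added walk-through script. It is not part of the answer above and not Auth0 sample code; DOMAIN, CLIENT_ID and REDIRECT_URI are placeholders you would replace with your own tenant and application values. It builds the /authorize request (the first step listed above), checks the state on the redirect to your app’s callback, assembles the /oauth/token exchange (the last step), and decodes the returned ID token’s claims for inspection without verifying the signature, which is the same thing jwt.io does.

```python
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (not a real tenant); substitute your own.
DOMAIN = "YOUR_TENANT.example.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "http://localhost:3000/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-char verifier, inside the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str) -> str:
    """Step 1: the GET /authorize request that kicks off the flow (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": state,   # bound to this browser session; checked on the callback
        "nonce": nonce,   # echoed in the ID token so it can be bound to this request
    }
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code from the redirect to /{your-apps-callback}.

    Rejects a state mismatch (a response that does not belong to the request
    we started) and surfaces an error= parameter instead of a code.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not match the request we sent")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    """Step 3: form body for POST /oauth/token; the verifier proves we began the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": REDIRECT_URI,
    }


def exchange_code(code: str, verifier: str) -> dict:
    """Perform the /oauth/token POST over the network and return the JSON response."""
    body = urlencode(token_request_body(code, verifier)).encode("ascii")
    req = urllib.request.Request(
        f"https://{DOMAIN}/oauth/token", data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a JWT for inspection only; no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("1. Open this URL in a browser and log in:\n", build_authorize_url(verifier, state, nonce))
    returned = input("2. Paste the full callback URL the browser was redirected to: ").strip()
    code = parse_callback(returned, state)
    print("3. POST /oauth/token with:", token_request_body(code, verifier))
    tokens = exchange_code(code, verifier)
    claims = decode_jwt_payload(tokens["id_token"])
    print("ID token claims (unverified):", json.dumps(claims, indent=2))
    print("nonce matches request:", claims.get("nonce") == nonce)
```

Run it, then compare what it prints with the Network tab entries from the browser-based method above: the query string of /authorize, the code and state on the callback, and the form body of /oauth/token are the same values, just visible in one place. Before trusting the claims in a real application, verify the ID token’s signature, issuer, audience and expiry with a JWT library rather than relying on the inspection-only decoder here.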