Resource Owner Password flow with Realm Support on Postman

Overview

This article explains how to test the Resource Owner Password (ROP) flow with realm support, i.e. the http://auth0.com/oauth/grant-type/password-realm grant, from Postman.

Applies To

  • Resource Owner Password Flow
  • Realm Support
  • Postman

Solution

First, make sure your application has the Password grant enabled in the Auth0 Dashboard (Applications > your application > Settings > Advanced Settings > Grant Types). That single grant type covers both the standard password grant and the realm variant (http://auth0.com/oauth/grant-type/password-realm) used in this collection; the realm variant lets the request name the connection to authenticate against instead of relying on the tenant's Default Directory setting. The connection you intend to pass as the realm must also be enabled for the application. Keep in mind that this flow hands the user's raw credentials to the client, so enable it only for highly trusted, first-party applications and leave it disabled everywhere else.

POSTMAN COLLECTION

  • Import the collection by selecting Import in the upper left of Postman and pasting the JSON object below:
{
	"info": {
		"_postman_id": "400b834e-712e-4b98-a479-054ab1d563ab",
		"name": "ROP flow with realm support",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
		"_exporter_id": "37524612"
	},
	"item": [
		{
			"name": "1. Post to /oauth/token",
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "POST",
				"header": [],
				"url": {
					"raw": "https://{{auth0_domain}}/oauth/token",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"oauth",
						"token"
					]
				},
				"body": {
					"mode": "urlencoded",
					"urlencoded": [
						{
							"key": "username",
							"value": "{{username}}",
							"type": "text"
						},
						{
							"key": "password",
							"value": "{{password}}",
							"type": "text"
						},
						{
							"key": "scope",
							"value": "openid",
							"type": "text"
						},
						{
							"key": "client_id",
							"value": "{{client_id}}",
							"type": "text"
						},
						{
							"key": "client_secret",
							"value": "{{client_secret}}",
							"type": "text"
						},
						{
							"key": "grant_type",
							"value": "http://auth0.com/oauth/grant-type/password-realm",
							"type": "text"
						},
						{
							"key": "audience",
							"value": "{{apiIdentifier}}",
							"type": "text"
						},
						{
							"key": "realm",
							"value": "{{connectionName}}",
							"type": "text"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "2. Get to /userinfo",
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://{{auth0_domain}}/userinfo",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"userinfo"
					]
				}
			},
			"response": []
		}
	]
}

Make sure to create the following variables (collection or environment scope) with the appropriate values, as the requests reference them:

  1. {{auth0_domain}} - your Auth0 tenant domain (or custom domain) without the scheme, e.g. your-tenant.us.auth0.com; the requests prepend https:// themselves
  2. {{username}} - username (or email) of the user to authenticate
  3. {{password}} - that user's password; mark it as a secret-type variable so Postman masks it
  4. {{client_id}} - Client ID of your Auth0 Application
  5. {{client_secret}} - Client Secret of your Auth0 Application (OPTIONAL - required for confidential clients such as Regular Web Applications; for public clients such as Native applications, which have no secret, remove the client_secret row from the request body instead; mark this variable as secret-type as well)
  6. {{apiIdentifier}} - the Identifier of the API (Auth0 Dashboard > Applications > APIs) you want the access token issued for; it is sent as the audience parameter
  7. {{connectionName}} - the name of the connection (for example the database connection Username-Password-Authentication) that is sent as the realm parameter; it must be enabled for the application

This collection performs the following requests:

  1. POST to /oauth/token - authenticates the user against the connection named in realm and returns an access token for the API named in audience, plus an ID token because the openid scope was requested. The access token is what you present to protected endpoints; the ID token only identifies the user to the application and must not be used as an API credential. Because an audience is specified, the access token is a JWT whose claims can be decoded and inspected; without an audience Auth0 returns an opaque token instead.
  2. GET to /userinfo - tests the access token retrieved by the first request. Authorize it by opening the request in Postman, selecting Authorization, choosing Bearer Token, and pasting the access_token value. If successful, this returns the user's profile. The endpoint requires the openid scope, which the first request includes.
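The second request above has to be authorized by hand. The following Postman Tests script automates that hand-off and adds the checks a reviewer would want on the token before it is used. It is an added example, not part of the original collection or of Auth0's own tooling: paste it into the Tests tab of request 1. It reuses the auth0_domain and apiIdentifier variables defined above and introduces one new collection variable, access_token (an assumption of this example); set request 2's Authorization to Bearer Token with the value {{access_token}} and it picks the token up automatically. The same file also runs under plain Node against a constructed sample response, which is how the helpers can be exercised outside Postman.

```javascript
// Postman "Tests" script for request 1 (POST /oauth/token).
// Added example, not part of the original collection. It assumes the
// collection variables auth0_domain and apiIdentifier from the article and
// stores the returned token in a new collection variable, access_token,
// which request 2 then references as "Bearer {{access_token}}".

// JWT segments are base64url without padding; turn one into a UTF-8 string.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  // Buffer exists in Node and in the Postman sandbox; atob is the fallback.
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return atob(b64);
}

// Decode a JWT payload WITHOUT verifying the signature. This only inspects
// what the tenant issued; the API that consumes the token must verify it.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('expected a 3-part JWS compact token, got ' + parts.length + ' part(s); '
      + 'Auth0 issues an opaque (non-JWT) access token when no audience is requested');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Return the list of things wrong with the claims (empty list = looks right):
// issued by this tenant, intended for this API, and not yet expired.
function checkAccessTokenClaims(claims, auth0Domain, apiIdentifier, nowSeconds) {
  const problems = [];
  const expectedIss = 'https://' + auth0Domain + '/';
  if (claims.iss !== expectedIss) problems.push('iss=' + claims.iss + ', expected ' + expectedIss);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(apiIdentifier)) problems.push('aud=' + JSON.stringify(claims.aud) + ' lacks ' + apiIdentifier);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('missing or past exp');
  return problems;
}

// Pull the fields request 2 needs out of the /oauth/token response body.
function extractTokens(body) {
  if (!body || typeof body.access_token !== 'string') {
    throw new Error('no access_token in response: ' + JSON.stringify(body));
  }
  return {
    accessToken: body.access_token,
    idToken: typeof body.id_token === 'string' ? body.id_token : null, // present because scope=openid
    tokenType: body.token_type || null,
    expiresIn: body.expires_in || null,
  };
}

// Constructed sample /oauth/token response for running this file under plain
// Node. The token is unsigned and only shaped like a real Auth0 access token.
const SAMPLE_DOMAIN = 'example.us.auth0.com';
const SAMPLE_API = 'https://api.example.com';
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleTokenResponse() {
  const header = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
  const payload = base64UrlEncode({
    iss: 'https://' + SAMPLE_DOMAIN + '/',
    sub: 'auth0|123',
    aud: [SAMPLE_API, 'https://' + SAMPLE_DOMAIN + '/userinfo'],
    exp: 4102444800, // 2100-01-01, so the sample never expires on us
    scope: 'openid',
  });
  return { access_token: header + '.' + payload + '.no-signature', token_type: 'Bearer', expires_in: 86400 };
}

if (typeof pm !== 'undefined') {
  // Running inside Postman: validate the real response and hand off the token.
  pm.test('status is 200', () => pm.response.to.have.status(200));
  const tokens = extractTokens(pm.response.json());
  pm.test('token_type is Bearer', () => pm.expect(tokens.tokenType).to.eql('Bearer'));
  const problems = checkAccessTokenClaims(
    decodeJwtPayload(tokens.accessToken),
    pm.variables.get('auth0_domain'), pm.variables.get('apiIdentifier'),
    Math.floor(Date.now() / 1000));
  pm.test('access token issuer, audience and expiry look right', () => pm.expect(problems).to.eql([]));
  pm.collectionVariables.set('access_token', tokens.accessToken);
} else {
  // Running under Node: exercise the same checks against the constructed sample.
  const tokens = extractTokens(sampleTokenResponse());
  const problems = checkAccessTokenClaims(decodeJwtPayload(tokens.accessToken),
    SAMPLE_DOMAIN, SAMPLE_API, Math.floor(Date.now() / 1000));
  console.log(problems.length === 0 ? 'sample token claims OK' : problems);
}
```

The claim checks only decode the token; they do not verify its signature. That is acceptable for a test harness, since the API receiving the token is the party that must validate it, but it is not token validation and should not be reused as such. The decode step also assumes a JWT access token, which Auth0 issues here because the request names an audience; if you drop the audience parameter the token becomes opaque and decodeJwtPayload reports that instead of a claims object.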