Testing Authorization Code Flow Using Postman

Overview

This article explains how to test the Authorization Code Flow with Postman.

Applies To

  • Postman
  • Authorization Code Flow

Solution

Follow the steps below to test the authorization code flow using Postman:

  1. Start the flow by calling the /authorize endpoint
  2. Capture the state parameter from the /u/login endpoint redirection
  3. Make a POST request to the /u/login endpoint:
    • Use the state parameter in both Request Body and Request Params
    • Pass the username and password in the body (x-www-form-urlencoded)
    • Capture the new state from the Location header
  4. Make a GET request to the /authorize/resume endpoint using the state from the previous step
  5. Retrieve the authorization code
  6. Exchange the code for a token by sending a POST request to the /oauth/token endpoint

Postman collection

To simplify the process, use the following collection. Save it as “AuthCodeFlow.json” and import it into Postman:

{
	"info": {
		"_postman_id": "0bea1c8c-313e-4156-985d-74c11539f428",
		"name": "Auth Code Flow",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
		"_exporter_id": "15882021"
	},
	"item": [
		{
			"name": "1. Get to /authorize",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetState\", function () {",
							"    console.log(`Retrieving STATE...`)",
							"    let state = pm.response.headers.get('Location');",
							"    state = state.slice(state.lastIndexOf('=') + 1);",
							"    pm.environment.set(\"state\", state);",
							"    console.log(`Setting STATE (${state}) as environmental variable.`);",
							"    postman.setNextRequest(\"2. Post to /u/login\");",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://{{auth0_domain}}/authorize?response_type=code&client_id={{auth0_client_id}}&redirect_uri={{redirect_uri}}",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"authorize"
					],
					"query": [
						{
							"key": "response_type",
							"value": "code"
						},
						{
							"key": "client_id",
							"value": "{{auth0_client_id}}"
						},
						{
							"key": "redirect_uri",
							"value": "{{redirect_uri}}"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "2. Post to /u/login",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetResumeState\", function () {",
							"    console.log(`Retrieving RESUME_STATE...`)",
							"    let resume_state = pm.response.headers.get('Location');",
							"    resume_state = resume_state.slice(resume_state.lastIndexOf('=') + 1);",
							"    pm.environment.set(\"resume_state\", resume_state);",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "POST",
				"header": [],
				"body": {
					"mode": "urlencoded",
					"urlencoded": [
						{
							"key": "username",
							"value": "b@b.com",
							"type": "text"
						},
						{
							"key": "password",
							"value": "1234",
							"type": "text"
						},
						{
							"key": "state",
							"value": "{{state}}",
							"type": "text"
						}
					]
				},
				"url": {
					"raw": "https://{{auth0_domain}}/u/login?state={{state}}",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"u",
						"login"
					],
					"query": [
						{
							"key": "state",
							"value": "{{state}}"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "3. Get to /resume",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetCode\", function () {",
							"    console.log(`Retrieving CODE...`)",
							"    let code = pm.response.headers.get('Location');",
							"    code = code.slice(code.lastIndexOf('=') + 1);",
							"    pm.environment.set(\"code\", code);",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"protocolProfileBehavior": {
				"followRedirects": false
			},
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "https://{{auth0_domain}}/authorize/resume?state={{resume_state}}",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"authorize",
						"resume"
					],
					"query": [
						{
							"key": "state",
							"value": "{{resume_state}}"
						}
					]
				}
			},
			"response": []
		},
		{
			"name": "4. Exchange CODE against a TOKEN",
			"event": [
				{
					"listen": "test",
					"script": {
						"exec": [
							"pm.test(\"GetToken\", function () {",
							"    console.log(`Retrieving TOKENS...`)",
							"    let tokens = pm.response.json();",
							"    console.log(tokens);",
							"});"
						],
						"type": "text/javascript"
					}
				}
			],
			"request": {
				"method": "POST",
				"header": [],
				"body": {
					"mode": "urlencoded",
					"urlencoded": [
						{
							"key": "grant_type",
							"value": "authorization_code",
							"type": "text"
						},
						{
							"key": "client_id",
							"value": "{{auth0_client_id}}",
							"type": "text"
						},
						{
							"key": "code",
							"value": "{{code}}",
							"type": "text"
						},
						{
							"key": "redirect_uri",
							"value": "{{redirect_uri}}",
							"type": "text"
						},
						{
							"key": "audience",
							"value": "",
							"type": "text",
							"disabled": true
						}
					]
				},
				"url": {
					"raw": "https://{{auth0_domain}}/oauth/token",
					"protocol": "https",
					"host": [
						"{{auth0_domain}}"
					],
					"path": [
						"oauth",
						"token"
					]
				},
				"description": "This is the OAuth 2.0 grant that regular web apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for an Access Token."
			},
			"response": []
		}
	]
}

NOTE: Before running the collection, ensure that the following environment variables are set in Postman:

  • auth0_domain: Your Auth0 domain
  • auth0_client_id: Your Auth0 client ID
  • redirect_uri: The authorized redirect URI for your application

To use this collection:

  1. Save the JSON as “AuthCodeFlow.json”
  2. Open Postman and navigate to File > Import
  3. Choose the “AuthCodeFlow.json” file
  4. Set up the required environment variables
  5. Run the collection to test the Authentication Code Flow