Note that doing the interactive portion of the flow (i.e. /authorize) with Postman will be very fragile. The code above is prepared to handle a username/password prompt in the New Universal Login, but it will fail if something is not configured as expected, such as:
- Classic Universal Login is configured for the login screen
- Identifier First is enabled
- MFA is enabled
- A consent screen is displayed
- Any other future change in the interactive login flow
- A session cookie is provided so the login prompt is skipped
- An action performs a redirect
As such, a more resilient flow would be to obtain the authorization code in the browser and then use it in Postman to exchange the code for the token results. This involves more manual work, but works with any authorization prompt presented to the user.
-
Pick an inactive
{{redirect_uri}}for the app (otherwise, the app will do the code exchange). E.g.http://localhost:3000/callback, and make sure the app is not running. -
With the Developer Tools open in the Network tab, navigate manually to the
/authorizeendpoint (https://{{auth0_domain}}/authorize?response_type=code&client_id={{auth0_client_id}}&redirect_uri={{redirect_uri}}) in the browser (replace the placeholders with the corresponding values). Complete all the authorization steps. -
Look for the request to the
{{redirect_uri}}endpoint. Grab the code from the URL. -
Use the
code, along with the other parameters, in aPOSTrequest tohttps://{auth0_domain}/oauth/tokenproviding the following values in the body:grant_type=authorization_codeclient_id={{auth0_client_id}}code={{the_resulting_code}}redirect_uri={{redirect_uri}}