AuthType OAuth2.0 Client Secret is always required

Hi, when using the Authorization tab with “Auth Type = OAuth2.0” and “Grant type = Authorization Code”, why am I always required to have a client_secret when some of these flows don’t require it? What am I doing wrong? Is this Postman enforcing this requirement, or am I misunderstanding something? An SPA can use the Authorization Code flow and does not require a client secret, as it’s insecure.

Thanks

The Authorization helper is performing multiple actions to mimic the authorization_code authentication flow.

The first action is to hit the authorization endpoint and retrieve an authorization code.

This action requires the client_id but doesn’t require the client_secret.

The second action is to exchange the authorization code for an access token.

This part is sent with the “authorization_code” grant type.

This does require the client_id and matching client_secret.

From the documentation.

Client Authentication (required)

The service will require the client authenticate itself when making the request for an access token. Typically services support client authentication via HTTP Basic Auth with the client’s client_id and client_secret. However, some services support authentication by accepting the client_id and client_secret as POST body parameters. Check the service’s documentation to find out what the service expects, since the OAuth 2.0 spec leaves this decision up to the service.

Postman supports both of these options.



Hi, thanks for the reply. How would that work for public clients then, who do not have a client_secret? I think they use “Grant type = Authorization Code”.

Define what you mean by a “Public client”.

I can only suggest checking the OAuth 2.0 standard.

As far as I’m aware, the OAuth 2.0 standard for the Authorization_code grant type requires you to send the client_secret alongside the client_id.

This is where you exchange the authorization code that you got in the previous step for an access token.

I guess the challenge I would put back to you is to show in the standard where it states that the client_secret is optional or not needed.

The link I provided you with is an abridged version of the standard, but it is showing that the client_secret is “required”.

More relevant info from that link…

The authorization code flow offers a few benefits over the other grant types. When the user authorizes the application, they are redirected back to the application with a temporary code in the URL. The application exchanges that code for the access token. When the application makes the request for the access token, that request can be authenticated with the client secret, which reduces the risk of an attacker intercepting the authorization code and using it themselves. This also means the access token is never visible to the user or their browser, so it is the most secure way to pass the token back to the application, reducing the risk of the token leaking to someone else.

@redeyeddog

Looking into this a bit further.

Single-Page Apps - OAuth 2.0 Simplified

This flow doesn’t require the client secret as you quite rightly pointed out in your original post.

If you select “Authorization Code (with PKCE)”, I can see that it still has the field for the client_secret, but is it mandatory? If you don’t enter anything in this field, does it send the request?

This looks like it’s related to this topic.

Example of retrieving a token using an Entra App with a Cert - Just Getting Started - Postman Community

I’m not sure that the Postman Authorizations are supporting this yet. Which is a bit of an issue as the Authorization_code grant type needs user interaction and the helpers deal with that aspect. You can’t mimic this in a pre-request script.
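Editor's added example, not Postman's code and not from any post above: a Python script that builds the two requests the Authorization helper performs. Step 1 builds the authorization URL (client_id only, never the secret) and pulls the code out of the redirect while checking state. Step 2 builds the token-exchange POST three ways: a confidential client sending client_id:client_secret in an HTTP Basic header (the method RFC 6749 requires servers to support), the same credentials as form-body parameters, and a public client (SPA) that sends no secret at all and proves possession of the login with a PKCE code_verifier instead. The endpoints, client IDs, secret and redirect URI are constructed placeholders; the only real value is the RFC 7636 Appendix B test vector used to check the S256 challenge.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample endpoints and redirect URI (not a real server); in
# practice these come from the authorization server's documentation/metadata.
AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"
TOKEN_URL = "https://auth.example.com/oauth2/token"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, RFC 7636's minimum length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, scope: str, state: str, code_challenge=None) -> str:
    """Step 1: the URL the browser is sent to. It carries client_id and never the secret."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    if code_challenge is not None:  # public client (or any client) using PKCE
        query["code_challenge"] = code_challenge
        query["code_challenge_method"] = "S256"
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect, refusing a state mismatch (CSRF)."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise RuntimeError("authorization failed: " + params["error"][0])
    if params.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: this callback does not belong to our login")
    return params["code"][0]


def build_token_request(code: str, client_id: str, client_secret=None,
                        client_auth: str = "basic", code_verifier=None) -> dict:
    """Step 2: the POST that exchanges the code for an access token.

    Confidential client: pass client_secret; client_auth selects the HTTP Basic
    header (RFC 6749 section 2.3.1) or client_id/client_secret in the form body.
    Public client: pass client_secret=None plus the PKCE code_verifier; the
    request then carries client_id but no secret and no Authorization header.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    if client_secret is None:
        if code_verifier is None:
            raise ValueError("a client with no secret must use PKCE (code_verifier)")
        form["client_id"] = client_id
    elif client_auth == "basic":
        # RFC 6749 2.3.1: form-urlencode id and secret before base64-encoding "id:secret"
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
    elif client_auth == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client_auth {client_auth!r}")
    return {"method": "POST", "url": TOKEN_URL, "headers": headers, "body": urlencode(form)}


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the server checks in place of a secret: the verifier hashes to the stored challenge."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```

Nothing here is sent over the network; each function returns the request it would send, so you can compare the three token-request shapes side by side. The public-client request is exactly the one an SPA makes: client_id and code_verifier in the body, no Authorization header, and the server binds the code to the challenge it saw in step 1 rather than to a secret.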
