AuthType OAuth2.0 Client Secret is always required

michaelderekjones · October 17, 2024, 12:33pm

Looking into this a bit further.

This flow doesn’t require the client secret as you quite rightly pointed out in your original post.

If you select “Authorization Code (with PKCE)”. I can see that it still has the field for the client_secret, but is it mandatory? If you don’t enter anything in this field, does it send the request?

This looks likes its related to this topic.

Example of retrieving a token using an Entra App with a Cert - Just Getting Started - Postman Community

I’m not sure that the Postman Authorizations are supporting this yet. Which is a bit of an issue as the Authorization_code grant type needs user interaction and the helpers deal with that aspect. You can’t mimic this in a pre-request script.

Topic		Replies	Views
OAuth 2.0 with PKCE Ask the Experts and Postman Tips authentication , oauth2	3	2643	June 18, 2024
OAuth2.O Authentication New to APIs/Postman authentication	3	12740	June 22, 2021
OAuth client authentication sent as basic authentication header Ask the Experts and Postman Tips authentication	0	899	May 20, 2021
Issue completing OAuth 2 flow Ask the Experts and Postman Tips authentication	6	6385	August 30, 2023
Can I change the body of /access_token request during the authorization code flow? Ask the Experts and Postman Tips authorization , oauth2	1	1325	January 4, 2021

AuthType OAuth2.0 Client Secret is always required

Related topics