Browser-based PKCE auth token automation doesn't work with MS AAD

Microsoft’s AAD supports PKCE auth through the use of a ‘Single Page Application’ on an application registration. When requesting a token, AAD expects to see an Origin header in the request and rejects it if not found.

Because there is no way to manipulate the request sent via the launched browser, PKCE auth fails with AAD.

Is there a workaround for this, or is a fix on the way?


Are you using the desktop client or the web client?

If using the web client, you need the Postman desktop agent to support the CORS element which this relates to.

Actually saying that, not sure if the built in authentication supports this yet.

Add Origin header to OAuth 2.0 flow - Help - Postman

Therefore you may have to use sendRequest in a pre-request script to generate your token instead where you should be in full control of what headers you send.

Or you could craft a POST request with all of the settings. I prefer the pre-request script, as you can handle when the token expires with simple IF statements.
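As an added illustration of the pre-request-script approach above (example code, not from this thread or from Postman): the script checks a stored expiry with a simple IF, and only when the token is stale calls pm.sendRequest against the AAD token endpoint with the Origin header that the SPA client type requires. It assumes an earlier interactive authorization-code + PKCE login already stored a refresh token in the environment variable `aad_refresh_token`; the tenant id, client id, SPA origin and scopes are placeholders.

```javascript
// Added example, not from the thread. Assumes a prior interactive auth-code + PKCE
// login stored a refresh token in env var `aad_refresh_token`; only the refresh
// leg is scripted. <tenant-id>, <client-id> and SPA_ORIGIN are placeholders.
const TOKEN_URL = 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token';
const CLIENT_ID = '<client-id>';
const SPA_ORIGIN = 'http://localhost:3000'; // origin of a registered SPA redirect URI
const SKEW_SECONDS = 60;                    // refresh a minute before expiry

// Expired when the stored expiry (epoch seconds) is missing or inside the skew window.
function isTokenExpired(expiresAtSeconds, nowMs) {
  const expiresAt = Number(expiresAtSeconds);
  return !Number.isFinite(expiresAt) || nowMs / 1000 >= expiresAt - SKEW_SECONDS;
}

// pm.sendRequest descriptor for a refresh_token grant. The SPA client type has no
// secret, so AAD requires the Origin header on this token-endpoint call.
function buildRefreshRequest(refreshToken) {
  return {
    url: TOKEN_URL,
    method: 'POST',
    header: [
      { key: 'Content-Type', value: 'application/x-www-form-urlencoded' },
      { key: 'Origin', value: SPA_ORIGIN },
    ],
    body: { mode: 'urlencoded', urlencoded: [
      { key: 'client_id', value: CLIENT_ID },
      { key: 'grant_type', value: 'refresh_token' },
      { key: 'refresh_token', value: refreshToken },
      { key: 'scope', value: 'openid offline_access User.Read' }, // assumed scopes
    ] },
  };
}

// Values to persist from a token response; null when AAD returned an error body.
function parseTokenResponse(json, nowMs) {
  if (!json || !json.access_token || !json.expires_in) return null;
  return { accessToken: json.access_token, refreshToken: json.refresh_token,
           expiresAt: Math.floor(nowMs / 1000) + Number(json.expires_in) };
}

// Postman glue: runs only inside the Postman sandbox, where `pm` is defined.
if (typeof pm !== 'undefined' && isTokenExpired(pm.environment.get('aad_expires_at'), Date.now())) {
  pm.sendRequest(buildRefreshRequest(pm.environment.get('aad_refresh_token')), (err, res) => {
    const t = err ? null : parseTokenResponse(res.json(), Date.now());
    if (!t) { console.log('AAD token refresh failed:', err || res.code); return; }
    pm.environment.set('aad_access_token', t.accessToken);   // use as {{aad_access_token}}
    if (t.refreshToken) pm.environment.set('aad_refresh_token', t.refreshToken);
    pm.environment.set('aad_expires_at', String(t.expiresAt));
  });
}
```

The interactive browser leg of PKCE is not replaced here; the script only keeps an already-issued session alive, and the request's Authorization header can then reference {{aad_access_token}}.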

PKCE is a client-based flow which involves the use of a browser and redirects. Can’t fake it through pre and post request scripts