How to simulate oAuth 2.0 flow in Postman with Authorization Code

I am creating an automated testing collection in Postman, and I want to retrieve the Bearer Token using the oAuth 2.0 flow with authorization code.

I am struggling with how to configure a “listener” mock of redirect uri that will be able to receive the authorization code (in Postman).

I was able to create the next step of initiate a new call to get the token (using the authorization code).

My flow step by step, the problematic step is 5:

  1. App send API request for permissions
  2. App receive back a redirect link for user authorization
  3. User authorizes the permission request
  4. App initiate authorization flow (…/oauth/authorize)
  5. App receive to it’s predefined ‘redirect uri’ the authorization code
  6. App send request to GET token with the authorization code received

Is the end result you are trying to achieve automatically obtaining an OAuth2.0 bearer token? Or are you specifically wanting to do all the steps you have defined?

my preferred end result is to have the bearer token. the step that i marked in bold is the step i am missing…
i am fine with a solution that will hold the entire OAuth process.

I recently posted in the Community Showcase about how to automate the renewal of an OAuth2.0 token.

Maybe that will satisfy your need?

thanks allen, this answers to the 6th step… my problem is that i don’t have a redirect uri listener to get the code and state…

i need some listener that will be able to receive this GET http://00.000.0000/aaa-backend/redirect/oauth/token?code=nuIzwq&state=5555 request and will store this request (so i will have a location to retrieve the code and state from)

1 Like

Do you mean you need a redirect uri/callback uri?
Postman echo has an endpoint you can use.

If that’s what your asking?
I’d put that in whatever API your trying to set up and see if that gives you anything?
I use it for OAuth 2.0 in the OAuth tab so I don’t know about doing the flow in separate requests.

Another thing is OAuth2.0 without an application/server process means you HAVE to sign in on their redirect, if they don’t show an option for it, you won’t be able to do so.

For example, Imgur’s API does OAuth2.0 but does not allow an option to do so without user sign-in on their portal. Therefore you’d have to use the Postman OAuth2.0 tab as our preview window is also not a browser so you wouldn’t even be able to do it manually.

I assume you’re using the Authorization Code strategy for authorization. To solve the redirection problem that you mentioned in the 5th step. You can go to your postman settings and disable Automatically follow redirects then you can get the redirection URL with its code from the response headers. It should be in the Locations field in the headers.


In my understanding, after I sign in in the preview window the first time, Postman already have the cookies and refresh_token so I don’t have to sign in a second time when clicking Get New Access Token. So can I somehow trigger to it and get a new acess_token in the pre-request script?