Is there a way to do form based authentication in Postman?

I’m trying to achieve what I’m able to do via Java REST-Assured code below:

.form(username, password, new FormAuthConfig("/authlogin.form", “username”, “password”)

Ref: Read more about 4. Using Form Authentication

Basically I’m trying to know if there is a way to do such Login Form Based Authentication using Postman.

Hi @gotestman,

Looking at this, it seems to just be basic authentication (unless you include the addition of a CSRF token, which I don’t see here)

You can try using Basic Auth on that endpoint to see what you get, and if it works.

Otherwise, you can try doing this authentication and then opening up your developer tools to see how the HTTP request and response look, and then try to mimic that within Postman.

Hi @odanylewycz, Using Basic Auth we can only set username & password but how to specify different endpoints for form login authentication and for the actual POST request?

hey @gotestman,

You’d want to hit the endpoint for getting your auth token in a pre-request script so it runs before your regular request.

The prerequest script would hit the auth server, get a token back, then save the token as a variable that the request would then use.

1 Like

Thanks @allen.helton, I’ve tried to do that in the pre-request script but I wasn’t getting the authentication pass same as I was able to get it via REST-Assured. Could you please provide a sample script for me to try?

What have you tried so far?

It sounds like you had something in place, which part of that isn’t working?

I’ve tried something like this in the pre-request script

    url: pm.environment.get("auth_form_url"),
    method: 'GET',
    header: {
        'Authorization': 'Basic xxxxxxxxxx==',
}, function (err, res) {
    pm.environment.set("access_token", res.json().token);

But getting Bad Request 400 error code.

This is how the source of login form actually looks:

I think part of your problem might be that you’re using GET instead of POST.

Have a look at the blog post I did on this topic.

Thanks for sharing more information.

From what I’ve seen, it doesnt look like we have enough to go off of.

Before proceeding further, it would be worthwhile to change your pre-request script to use a POST instead of a GET Method, as noted by @allen.helton. This is even mentioned in the documentation you referred to:

When the user submits the form, the browser executes a POST request with the information.

If that doesnt work, the best course of action is to investigate the HTTP request in transit. Using Chrome Developer Tools (or whatever browser dev tools), you can do this, and simply record the network traffic before authentication, and then stop it. You should see how the HTTP request is formatted, and that should provide enough insight as to what you need to create within Postman.

In addition to that, I noticed in your original post that you have a request body in JSON:


Would you happen to know how that JSON actually looks? Chances are thats the body you need in your Pre-Request script too, in order to perform your authorization.

With Basic Auth (generally speaking), you dont need to get a token as the token itself if the combination of base64(username + ':' + password) thats used in every request that need authorization. With the access token, your web service should be providing that for you upon authentication at the auth endpoint.

If you can provide those extra details mentioned about, we can get closer to authenticating to your web service :slight_smile:

Thanks for your replies @odanylewycz & @allen.helton.

Yes, I’ve tried POST as well with Basic Auth using the base64 encoded string as mentioned and also body using form-data & x-www-form-urlencoded types in the pre-request script for auth_form request. It is basically the java spring security authentication that I’m trying to do in Postman. After this HTML form based auth request, I’ve to send the actualy POST request with json body to get a json response at a different endpoint.

You’re welcome.

I appreciate the continued explanation for the java spring security authentication. Sadly, I still don’t have enough information to go off of, and I’m not certain how else I can help. My best bet is still to see the request happen in transit for authentication using web developer tools, and that should be enough information for how to format your authentication request in Postman.