Needing help with OAuth 2.0 and session-based authorisation

Hi everyone, I just got started with Postman, and I already managed to make some requests to unprotected endpoints of my app.
For some endpoints, my app needs to make requests to an external API, in this case, the project management app Asana.

Usually, my auth flow goes like this:

  • My app redirects the user to Asana to start the OAuth 2.0 process.
  • After authentication, Asana sends the user back to my app's callback endpoint, with an authorization code in the URL.
  • That callback endpoint in my backend will be able to retrieve the authorization code from the request URL.
  • The backend will exchange the authorization code for an access code against Asana's OAuth API.
  • On success, the backend will store the access code (and refresh code) in a server session and set a session cookie in the user’s client.
  • Having a valid session authorizes the user against my API and the access codes in the session can be used for future requests to my API that involve my backend requesting external data from the Asana API.

Now I would like to replicate this in Postman, authenticating against Asana and receiving the cookie from my backend that authorizes the user both against my API as well as against Asana through the access codes stored in the session associated to the cookie.

I managed to do the standard OAuth 2.0 flow in Postman, which gives me the access token. But I don't need that token, I need to go through the endpoint on my backend that gives me the cookie.

Which flow do I have to follow and can anyone perhaps suggest me a tutorial that would match the process I have going on here?

Thanks in advance!

Hey @nbsuh :wave: Welcome to the Postman Community :tada:

Checking the Asana API documentation, it says:

  1. The application can now use the Token Exchange Endpoint to exchange the code, together with the Client Secret, for a Bearer Token (which lasts an hour) and a Refresh Token (which can be used to fetch new Bearer Tokens when the current one expires).
  2. The application can make requests of the API using this Bearer Token for the next hour.

So I believe you do need to use the Bearer Token to be able to send API requests, don't you?
There's a "Using Postman" page from which you can import a sample collection into your workspace by clicking the "Run in Postman" button, which should help here :wink:

Let me know if you have further questions! Happy to help!

Hi @taehoshino, thank you for your reply!
The token exchange with Asana is working fine, it’s all handled by the backend.
After the user has authenticated against Asana, Asana will redirect the user to my app with said code. The backend then does use that code to get the Bearer/Authentication Token from Asana (as well as the refresh token). But the important part is that those tokens will only be stored server side in a session (in my backend), and of course, that session is associated with a session cookie being sent to the client.
What I'm struggling with is establishing said session. Usually, after the authentication in Asana, the user would be redirected to my.app/oauth, which is the endpoint that retrieves the code from the request. But in Postman, the callback URL is https://oauth.pstmn.io/v1/callback in the default OAuth 2.0 flow. I tried putting my /oauth endpoint there, but then I got errors saying the request URI doesn't match the one the code was requested with.

The usual flow for a user would be:

my.app/auth --(redirection to Asana)--> Asana authentication --(redirection to my app with a code in the URL params)--> my.app/oauth --(backend uses the code from the URL to retrieve the bearer token and sets the session cookie on the client, then redirects to the home view)--> my.app/home

So I basically need Postman to walk through these steps up to the point where it gets the session cookie. But I’m not sure how to do that. I hope that’s even possible.

Hey @nbsuh,
Thanks for sharing the detailed steps. In that case, the Auth Helper should not be used, as it assumes Postman is the client. But in your case, the callback URL is your backend endpoint, not Postman.

So what you would need is:

  1. Create a request to the authorization endpoint to receive the auth code (you can then save the code as an environment variable so that you can use it in the token request)
  2. Create another request to the token endpoint and pass the auth code from the previous request (and specify your backend endpoint as redirect_url) and receive the token
  3. Your backend can handle token and create session etc

I hope this helps! :wink:

Hi @taehoshino,
thanks for your continued effort to help me.
So I am trying to make a request to /auth, which redirects to the authorization endpoint. But before I receive the auth code, I need to authenticate against Asana, which means I would have to log in to Asana. But how do I do this? With the Auth Helper, there was that popup window where I could enter my login for Asana. But this doesn't apply when I'm making a normal request. I can look at the response preview and I'm seeing the Asana login form there, but that doesn't work in the preview/doesn't allow me to send my login data to Asana.
I’m still very confused about this…
I was so happy when I got OAuth to work in my application in general, but I still can't wrap my head around how I can use it with Postman. I'm not sure if the OAuth implementation in my app is weird or something like that, but as far as I understood, it's recommended not to give the frontend client the access codes, so I wouldn't know how else I'd do it.

Thanks again for your support and sorry for being so inept with this :sweat_smile:

Sorry for not being clear - for the auth request, you would need to copy and paste it into your web browser in order for the user to be able to log in etc. (as JavaScript cannot be executed from the response body in Postman - the following is an example for PagerDuty)
(Screenshot: PagerDuty authorization request opened in the browser, 2021-07-26)

This YouTube video walks through the steps to send auth request and get auth code from web browser: Postman and the Xero API Pt 2 - YouTube

I hope this helps!