OAuth isn't passing to the request in CLI

I am attempting to run a request in the Postman CLI, but I continually receive a 401 Unauthorized response. The request works consistently when run through the Postman app, but fails every time when run through the CLI.

Anyone have an idea as to why this is?

Hi @nategerman. Welcome to the Postman Community!

Can you share a screenshot of your request header tab?

Sure can.

You appear to be using the authorization code grant type, which requires user interaction.

I don’t use the CLI, but I can’t see how this grant type would be possible.

That’s the point of the Authorization tab. Once it is set up, it is supposed to handle the authentication for the request.

The authorization helpers can do a lot, but they can’t interact with the browser. All they do is open the browser for you to enter the appropriate details.

When you run this in the desktop\web app, doesn’t it pop up in the browser for you to enter your username and password before it then provides the authentication token?

In your screenshot, you have the call back URL and “authenticate via browser” selected.

Have a look at the following…

Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Learn

As far as I’m aware, the auth code grant type requires user interaction, so you will not be able to automate this in the CLI or in Newman.

Personally, I would change the grant type for something that can be automated, and then have a few manual tests for testing the auth code flow.

We use Microsoft for authentication on a few projects, and the premise is that we aren’t really testing the hosted Microsoft service, but the application we land on after we authenticate.

Therefore we have the grant type set on the non-production systems to also allow another grant type like “password” to enable us to automate the authentication and then have some manual tests in PRE-PROD and PROD to test the auth code flow.

If you are using OpenID on top of OAuth2, you can check to see what grant types are configured by looking at the well known configuration.

For example…
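
An added example, not part of the original thread: one way to read the `grant_types_supported` field of an OpenID Connect discovery document (served at `/.well-known/openid-configuration`) and sort the advertised grants by whether a headless runner such as the Postman CLI or Newman could use them. The issuer URL, the sample documents and the `classifyGrants` helper are constructed for illustration.

```javascript
// Added illustration: classify the grant types advertised in an OpenID Connect
// discovery document by whether a headless runner (Postman CLI, Newman) can use them.

// Grants that complete without a browser or a person.
const HEADLESS = new Set([
  "client_credentials",
  "password",
  "urn:ietf:params:oauth:grant-type:jwt-bearer",
]);
// Grants that need a person at a browser or on a second device.
const INTERACTIVE = new Set([
  "authorization_code",
  "implicit",
  "urn:ietf:params:oauth:grant-type:device_code",
]);

function classifyGrants(discoveryDoc) {
  // OpenID Connect Discovery: when grant_types_supported is omitted,
  // the default is ["authorization_code", "implicit"].
  const advertised = Array.isArray(discoveryDoc.grant_types_supported)
    ? discoveryDoc.grant_types_supported
    : ["authorization_code", "implicit"];
  const result = { headless: [], interactive: [], needsExistingToken: [], unknown: [] };
  for (const grant of advertised) {
    if (HEADLESS.has(grant)) result.headless.push(grant);
    else if (INTERACTIVE.has(grant)) result.interactive.push(grant);
    // A refresh token only exists after some earlier grant has succeeded.
    else if (grant === "refresh_token") result.needsExistingToken.push(grant);
    else result.unknown.push(grant);
  }
  result.automatable = result.headless.length > 0;
  return result;
}

// Constructed sample documents (hypothetical issuer, not from the thread).
const nonProd = {
  issuer: "https://idp.example.test",
  token_endpoint: "https://idp.example.test/oauth2/token",
  grant_types_supported: ["authorization_code", "refresh_token", "password", "client_credentials"],
};
const prodLike = { issuer: "https://idp.example.test" }; // field omitted

console.log(classifyGrants(nonProd));
console.log(classifyGrants(prodLike));
```

The discovery document lists what the authorization server supports as a whole; the grant types enabled on a particular client registration can be narrower and have to be checked in that client's own settings.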

