Postman OAuth 2.0 authentication with Google - how does Postman retrieve the "code" from Google

I am using Postman to send an authentication request to Google. I set up Postman with all the necessary fields and I send the request. When the response comes back, I look at the log to see the request body and I see returned values for grant_type, code, client_id, client_secret, and redirect_uri.

The value that is showing for code is a value that Google returns on a call to https://accounts.google.com/o/oauth2/v2/auth, but I do not see Postman posting to that URL.

What does Postman post to and what does Postman send in order to retrieve the code back from Google?

I’m not quite following. Perhaps you can include screenshots (redacted as appropriate).

Postman will post and send what you tell it to.

The Google API will determine what is returned.

In the console log, you should see two requests when using the built-in auth.

The first one will be the auth request to the Google OAuth endpoint that you configured in the auth settings. Have a look at the request to see what headers and body Postman sent. They should align with the details you configured in the auth settings. That should hopefully answer your question.

The following code is doing something similar to authenticate to Microsoft, but using a pre-request script.

Hopefully, the logic is a bit easier to understand.

pm.test("Check for collectionVariables", function () {
    // Every collection variable the token request depends on must be set and non-empty
    let vars = ['clientId', 'clientSecret', 'tenantId', 'username', 'password', 'scope'];
    vars.forEach(function (item) {
        pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.undefined;
        pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.empty;
    });

    // Only request a new token when none is cached or the cached one has expired.
    // bearerTokenExpiresOn holds an absolute Unix time in seconds (see how it is set below).
    let expiresOn = Number(pm.collectionVariables.get("bearerTokenExpiresOn"));
    if (!pm.collectionVariables.get("bearerToken") || Date.now() > expiresOn * 1000) {
        pm.sendRequest({
            url: 'https://login.microsoftonline.com/' + pm.collectionVariables.get("tenantId") + '/oauth2/v2.0/token',
            method: 'POST',
            header: { 'Content-Type': 'application/x-www-form-urlencoded' },
            body: {
                mode: 'urlencoded',
                urlencoded: [
                    { key: "client_id", value: pm.collectionVariables.get("clientId"), disabled: false },
                    { key: "scope", value: pm.collectionVariables.get("scope"), disabled: false },
                    { key: "username", value: pm.collectionVariables.get("username"), disabled: false },
                    { key: "password", value: pm.collectionVariables.get("password"), disabled: false },
                    { key: "client_secret", value: pm.collectionVariables.get("clientSecret"), disabled: false },
                    // Resource Owner Password Credentials grant: no browser redirect, hence no "code"
                    { key: "grant_type", value: "password", disabled: false },
                ]
            }
        }, function (err, res) {
            if (err) {
                console.log(err);
                return;
            }
            pm.test("Status code is 200", () => {
                pm.expect(res).to.have.status(200);
            });
            let resJson = res.json();
            // expires_in is a lifetime in seconds, not a timestamp: convert it to an absolute
            // expiry so the comparison above does not treat every cached token as expired
            pm.collectionVariables.set("bearerTokenExpiresOn", Math.floor(Date.now() / 1000) + resJson.expires_in);
            // id_token is stored here; an API that expects a bearer token normally wants resJson.access_token
            pm.collectionVariables.set("bearerToken", resJson.id_token);
        });
    }
});

My understanding of Google OAuth 2.0 is that I need to send a client ID, a redirect URL, a scope, and a response type (should contain the word ‘code’) to https://accounts.google.com/o/oauth2/v2/auth. The response back will be an authorization code. This authorization code (along with the client ID, client secret, grant_type, and redirect URL) is then sent to https://oauth2.googleapis.com/token to exchange the authorization code for an access token. The response back from https://oauth2.googleapis.com/token will be an access token.

I used the Postman Authentication tab and filled in the requested fields. This is what the screen looks like before I submit the request:

When the response comes back, Postman displays a popup with the access token.

When I look at the log (I cleared the log before sending in the request), I see 1 entry

When I expand the request body and response body, this is what I see:

So, where does Postman get the value in the ‘code’ parameter that is sent to https://oauth2.googleapis.com/token?

I think that code is associated with the authorization_code grant type.

I don’t think it will exist for other grant types. (Like client_credentials or password).

It should be returned in the first request when the client logs in.

I haven’t tested this type of authorisation, but I would have expected to see two requests in the console log. It looks like it’s not logging the request to accounts.google.com/o/oauth2/auth in the console (and the popup is only showing certain bits of info).

I would expect the code to be in that response somewhere.

Yes, the ‘code’ is returned when grant_type = authorization_code. I have been unable to send in a request to retrieve the ‘code’ but evidently Postman is able to. I had hoped to see the requests in the log, but as you can see, it’s not there for some reason. As for the popup, the pieces of data it is showing are the data that come back from oauth2.googleapis.com/token.

And in addition, I need to know how to send the initial request because the response also contains the refresh_token which I will need going forward since the initial access_token expires after a preset duration of time.