Postman OAuth 2 missing parameter "code" with OpenID Connect

Hi all,

I’m using OpenID Connect (Keycloak, Okta) for authentication and configure Postman to obtain the access token via OAuth 2.0 for testing. My Postman OAuth 2 configuration is in the following screenshot:

postman-oauth1180×1679 106 KB

Postman opens the browser for authentication, then got called back with OIDC grant code. Nonetheless, the subsequent call to get the access token via the token endpoint fails due to missing parameter "code".

postman-oauth-response1095×769 85.7 KB

I have tried with a random global variable for code but have not succeeded.

I’ve searched and found a similar question but no solution yet.

I found anothe relevant question here that shows the request body with the parameter code but mine does not have it.

Any hints or pointers are truly appreciated.

Thanks,
Alex

The Authorization Code flow has two elements.

The first action is to hit the authorize end point and retrieve the authorization code.

This requires user interaction and is why the browser is needed.

Usually, you can mimic the authentication flow in a pre-request script using sendRequest() but because of the required user\browser interaction, the authorization code grant type is one that you can’t re-produce in a pre-request script, so the Postman Authorization helper is doing the heavy lifting for you.

The next action is to swap the returned authorization code for the access token, which can then be used in subsequent requests to your API.

It looks like its the second step that is failing.

Do you get to see the request (and response) for the request sent to the authorize end point (to see if the code is being returned correctly).

I can only see the token request in your screenshot.

I don’t have an application with this grant type to test.

The following blog post explains the process better than I can.

OAuth 2.0 Authorization code grant with Postman, Part 1 - DEV Community

Hi Mike,

many thanks for the prompt response, appreciate that. After further research and experimentation, I’ve figured out the issue with my settings.

When I checked on Authorize using browser as in the screenshot, the greyed out callback URL is https://oauth.pstmn.io/v1/callback. When I un-cheked it, the call back URL will be https://oauth.pstmn.io/v1/browser-callback. In the latter scenario, Postman uses the built-in browser (Chromium-like) for OIDC authentication, and it’s successful with the access token.

I’m not sure why it does not work in the former case, i.e. “Authorize using browser” which opens the default browser. The callback is

https://oauth.pstmn.io/v1/callback?session_state=0d9fea69-0207-45e3-9946-c31a21ad2e06&iss=https%3A%2F%2Flatitus.koala-crocodile.ts.net%2Fkeycloak%2Frealms%2Fdev&code=87504f70-3011-4ed6-a69c-1dd1bc642cff.0d9fea69-0207-45e3-9946-c31a21ad2e06.59c0a344-d8a8-479e-a566-8b3b246e5fed

There is a code included in the callback, but it seems Postman does/can not pick up?

Edited: It might be related to my environment, an Ubuntu box. I recall I got some issues in the past with setting up Postman so that, the browser callback URL will trigger it.

Here is my Postman.desktop for reference purpose. The parameter %U, IIRC, is based on some other Postman users’ suggestions.

[Desktop Entry]
Type=Application
Terminal=false
Exec=/home/alext/tools/Postman/app/Postman %U
Icon=/home/alext/tools/Postman/app/icons/icon_128x128.png
Name=Postman
Categories=Development

Cheers,
Alex

Digging further into Postman logs, I see something like this

[283795][1729808679984][main][info]["ProtocolHandler~handleOpenUrl: postman://app/oauth2/callback?session_state=0d9fea69-0207-45e3-9946-c31a21ad2e06"]

Does it seem like Postman receives a broken URL from the browser via the callback?