This generates the bearer token which is used in every request.
The second step is currently done manually before executing the collection every time. I would like to know if there is a way to automate this in Postman.
Here’s a link to our learning center that has more info about OAuth 2.0.
You can fill out the auth info for your API under your collection’s authorization tab. Once you authenticate with your provider and have that code, Postman will automatically refresh it before any requests that it’s used in.
Programmatically, that might look something like this:
    // From the Twitch API: requires your client id, client secret and the grant type 'client_credentials'.
    // Runs in a pre-request script; the resulting token is stored in a collection variable.
    pm.sendRequest({
        url: `https://id.twitch.tv/oauth2/token?client_id=${pm.collectionVariables.get("Twitch_Client_ID")}&client_secret=${pm.collectionVariables.get("Twitch_Client_Secret")}&grant_type=client_credentials`,
        method: 'POST',
        header: {
            'Accept': 'application/json',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
    }, function (err, res) {
        // Bail out on a transport error or a non-200 reply instead of storing an undefined token
        if (err || res.code !== 200) {
            console.error('Token request failed', err || res.code);
            return;
        }
        pm.collectionVariables.set("Twitch_Access_Token", res.json().access_token); // Update our token
    });
Thanks for your help @kevinc-postman
We are able to achieve this currently in our Pre-Request Script and I will try the same using OAuth. But in order to generate the bearer token, it requires a manual step of including a code every time before running the script. Do you have any idea on how to add and automate this via OAuth?
Right, so after authenticating for the first time and generating your token, Postman should be able to automatically refresh it after expiration.
Authenticate with OAuth 2.0 authentication in Postman | Postman Learning Center
Auto-refresh is available when a refresh token is present. If no refresh token is present, the Auto-refresh access token toggle and the manual Refresh option aren’t available. To check if a refresh token is present, select Manage Tokens in the Token dropdown list. If a refresh token is not present, check with the authorization service. Postman can’t refresh the access tokens without the refresh token.
It sounds like you need to send the “code” key/value with the OAuth request.
Therefore generating the code is actually the first step? Not the second?
How is the code currently generated? As that will determine if this aspect can be automated.
Have a look at the Microsoft docs. (Your endpoint might be a different product but the process will be similar). You need to hit the authorize endpoint first to get the code. (Which you can save as an environment variable to reuse in the token request).
Using sendRequest more than once in a pre-request script can be problematic, as Postman's sendRequest is asynchronous in nature. I would recommend searching the forum on how to layer your code so the requests run in the correct order. Otherwise, the token request might run before the authorise request. I don’t have any examples of this as I try to avoid this situation at all costs.
Yes. I guess I didn’t put my question the right way. This code needs to be passed on for the POST request along with the client id and secret in order to generate the bearer token. And this code expires in a few minutes.
OK, I don’t think that will work as the code grant_type requires you to use the browser to login with your credentials. (It’s all coming back to me now).
I have a few apps that require that but also allows other methods, so I use a grant_type that doesn’t require user interaction.
I’m using Postman for testing, and as the authentication is managed by Microsoft, I’m not generally that bothered about the authentication method, I’m interested on the page after this (or the response to the API).
I would test the code grant_type manually, and then use another method for more automated tests.
As ours are mainly internal apps, there is less of a security risk in having an application with more than one grant type.
The web application on the front end uses the code grant type, so it is secure from that point of view.
The code grant type is more secure than “password” though, even though they both generate the same bearer token.
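The following is an added example, not code from the thread or from Postman, that pulls together the points above: it uses the client_credentials grant (no browser login, so it can run unattended), wraps Postman's callback-style sendRequest in a Promise so several requests can be sequenced with await rather than racing each other, caches the token with its expiry so the token endpoint is only hit when needed, and sends the client secret in the request body rather than the query string so it does not land in access logs. The collection variable names Twitch_Client_ID, Twitch_Client_Secret and Twitch_Access_Token come from the thread; Twitch_Token_Expires_At and the helper names are assumptions. In a Postman pre-request script you would call ensureAccessToken(pm.sendRequest, pm.collectionVariables); the stand-in transport and variable store at the bottom are constructed so the same functions run under Node.

```javascript
// Refresh the token a minute before it actually expires so a request issued
// right at the boundary does not go out with a dead token.
const SKEW_MS = 60 * 1000;

// Wrap Postman's callback-style sendRequest in a Promise so a pre-request
// script can await one call before issuing the next (e.g. authorize, then token).
function sendRequestAsync(sendRequest, options) {
  return new Promise((resolve, reject) => {
    sendRequest(options, (err, res) => (err ? reject(err) : resolve(res)));
  });
}

// A cached token is usable if it exists and will still be valid after SKEW_MS.
function tokenIsFresh(vars, now) {
  const token = vars.get("Twitch_Access_Token");
  const expiresAt = Number(vars.get("Twitch_Token_Expires_At") || 0);
  return Boolean(token) && now + SKEW_MS < expiresAt;
}

// client_credentials grant: no user interaction, credentials in the body.
async function fetchClientCredentialsToken(sendRequest, vars) {
  const res = await sendRequestAsync(sendRequest, {
    url: "https://id.twitch.tv/oauth2/token",
    method: "POST",
    header: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
    body: {
      mode: "urlencoded",
      urlencoded: [
        { key: "client_id", value: vars.get("Twitch_Client_ID") },
        { key: "client_secret", value: vars.get("Twitch_Client_Secret") },
        { key: "grant_type", value: "client_credentials" },
      ],
    },
  });
  if (res.code !== 200) throw new Error(`token endpoint returned HTTP ${res.code}`);
  const body = res.json();
  if (!body.access_token || !body.expires_in) {
    throw new Error("token response is missing access_token or expires_in");
  }
  return body;
}

// Only talk to the token endpoint when the cached token is missing or stale.
// Returns which path was taken so callers (and tests) can see the decision.
async function ensureAccessToken(sendRequest, vars, now = Date.now()) {
  if (tokenIsFresh(vars, now)) {
    return { refreshed: false, token: vars.get("Twitch_Access_Token") };
  }
  const body = await fetchClientCredentialsToken(sendRequest, vars);
  vars.set("Twitch_Access_Token", body.access_token);
  vars.set("Twitch_Token_Expires_At", String(now + body.expires_in * 1000));
  return { refreshed: true, token: body.access_token };
}

// --- Constructed stand-ins for pm.collectionVariables and pm.sendRequest ---
// (hypothetical; they exist only so the logic above can run outside Postman)
function makeVars(initial = {}) {
  const store = { ...initial };
  return { get: (k) => store[k], set: (k, v) => { store[k] = v; } };
}

// Records every request it receives and answers with a fake 200 token reply.
function makeFakeSendRequest(log) {
  return (options, cb) => {
    log.push(options);
    cb(null, {
      code: 200,
      json: () => ({ access_token: "tok-" + log.length, expires_in: 3600, token_type: "bearer" }),
    });
  };
}

async function demo() {
  const log = [];
  const vars = makeVars({ Twitch_Client_ID: "constructed-id", Twitch_Client_Secret: "constructed-secret" });
  const first = await ensureAccessToken(makeFakeSendRequest(log), vars, 0);
  const second = await ensureAccessToken(makeFakeSendRequest(log), vars, 10 * 1000);
  console.log(first, second, "token requests sent:", log.length);
}

if (typeof require !== "undefined" && require.main === module) demo();
```

In Postman, the pre-request script body reduces to `ensureAccessToken(pm.sendRequest, pm.collectionVariables)`, and the request's Authorization header reads `Bearer {{Twitch_Access_Token}}`; the Promise wrapper is also what lets a two-step flow (authorize endpoint, then token endpoint) be written as two awaits in order rather than nested callbacks.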
Thanks @michaelderekjones for your response. I will investigate if there is a possibility of using another method as an alternative to code grant_type.