Salesforce OAuth2 id token

I am evaluating switching from Insomnia to Postman and trying to just port some examples to test them out.
But I am getting stuck on getting the id token from the Salesforce OAuth2 setup.

I have it set up and I can get the access token, but how do I get the id token?

Insomnia makes it easy - I just have to specify the response type ID and Access Token and I get it.

But it is absolutely unclear how to do that in Postman. I have seen screenshots where I can select what type of token I want to use, but those settings never show up in my Postman. I am using the latest version on macOS.

Here are my Authorization settings:

Type: OAuth2
Add auth data to: Request Headers
Header Prefix: Bearer
Grant type: Implicit
Callback URL: {our callback url}
Auth URL: {our auth url}
Client ID: {our client id}
Scope:
State:
Client Authentication: Send as Basic Auth header

I can get the access token, but I also need the id token (I need to decode it, to get information about the user from it).

What do I need to change to get both?

Hey @rkahnert

Welcome to the Postman Community!

I’m not sure how that’s done in Insomnia to be honest, never tried it. Is this what you’re looking for?

Are you looking for the fields where you would add those details? In the Auth tab, selecting the desired type will display the input fields that relate to that one.

I am able to do the OAuth2 authentication, that’s not the problem.
But I am not able to get the ID Token.
In Insomnia I can select as a response type to get the ID and the Access Token and I can use the ID Token as the bearer token in the header of the request.
This doesn’t seem to be possible with Postman, at least as far as I can see.
If it is possible, can you please let me know how?

You can add the response_type query parameter in the advanced settings.


I tried that, the request worked, I have an access token.
But I don’t see an ID Token anywhere. How do I get it and use it in my requests as BearerToken?

Once you have clicked on the “Get New Access Token” button, you should be able to use the “Available Tokens” drop down in the “Current Token” section which is at the top of the authorisation helper.


You can also check the console log. The auth request should also be there.

Check that the response includes both tokens as you would expect.

I can use the Available Tokens drop down, but it contains only the Access Token. And the redirect URL that contains the tokens is not logged in the console.

I don’t have an application that uses this scope to test this.

But as far as I’m aware, the auth requests should be included in the console.

Looking at the Salesforce docs, to get an ID token, you also need the “openId” scope and the nonce parameter.

OAuth Tokens and Scopes (salesforce.com)

Some other useful links.

OAuth Authorization Flows (salesforce.com)

OAuth 2.0 implicit grant type

I don’t really use the authentication helper, as I prefer using pre-request scripts to authenticate. But I appreciate that you can’t use pre-request scripts with the implicit grant type which requires browser interaction.

Therefore I just did a quick test with the authentication helper, and I’m now not sure if it’s meant to show the underlying auth request in the console.

Which means it’s not easy to work out if you are getting both tokens or not, or if it’s sending all of the expected parameters.

The combination of scope, response type and nonce finally worked.
Thanks for your help.
OK … now that I figured that out I have another ask.
I need both Access Token and ID Token. Can I access both in the request?
In Insomnia this is super easy. Both are accessible as variables and can be used anywhere.

@danny-dainton Do you know if we have access to the underlying auth request to surface both tokens at the same time?

Are they saved anywhere, or available with the pm.request() functionality?

Hmmm … is there a way that I can choose to always use the ID Token? Every time I refresh the token I need to select ID Token as Token Type.
I think Insomnia is a lot more flexible here by storing Access Token and ID Token as variables.
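
The thread settles on scope, response type and nonce to get an ID token back from the implicit flow, and the original question was how to decode it. The following is an added example, not code from any post in this thread or from Postman: it pulls both tokens out of the redirect fragment, decodes the ID token payload, and checks the nonce, audience and expiry. The callback URL, client ID, claim values and function names are all constructed for illustration, and decoding the payload is not signature verification.

```javascript
// Constructed sample data: an unsigned token and a made-up callback URL.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

const sampleIdToken = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({
    iss: "https://login.example.test",
    aud: "sample-client-id",
    nonce: "n-7f3a",
    exp: 1700003600,
    email: "user@example.test",
  }),
  "c2lnbmF0dXJl", // placeholder signature, not a valid one
].join(".");

const sampleRedirect =
  "https://app.example.test/callback#access_token=sample-access-token" +
  "&id_token=" + sampleIdToken + "&token_type=Bearer&state=s-1";

// The implicit flow returns tokens in the URL fragment, not the query string.
function parseImplicitRedirect(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Decodes the payload segment only. This does NOT verify the signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Checks a client should make before relying on the decoded claims.
function checkClaims(claims, { nonce, clientId, nowSeconds }) {
  const problems = [];
  if (claims.nonce !== nonce) problems.push("nonce mismatch");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) problems.push("audience mismatch");
  if (!(claims.exp > nowSeconds)) problems.push("token expired");
  return problems;
}

const tokens = parseImplicitRedirect(sampleRedirect);
const claims = decodeJwtPayload(tokens.id_token);
console.log(Object.keys(tokens), claims.email,
  checkClaims(claims, { nonce: "n-7f3a", clientId: "sample-client-id", nowSeconds: 1700000000 }));
```
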
