Hi all,
Iāve used Postman a few times to get and remove account information from a parter. When I went in this morning to do it again, My Bearer Token worked for to retrieve data, but not to remove it.
Iāve cleared cookies and reset the token a number of times and canāt figure out why Iām getting an ā401 Unauthorizedā error for the POST, but not GET.
Is there anything else I can check?
Hi @asrch
Are you able to share any screenshots so we can see what you are submitting within your call?
For security reasons, I need to obfuscate a few things, but hereās the one that worked:
This is the one that did not:
The API key and Tokens match. Also, under āAuthorizationā I used to be able to reset the token as needed, but I cannot find that option anymore either.
Iāve since added the āContent Typeā to the failing request.
What auth options are set in your āAuthorizationā tab (for both)?
Also, looking at your screenshots, your āGETā has something set inside the āSettingsā Tab, whereas your āPOSTā does not. Is this intentional?
Itās like this now for both requests. Earlier on Friday, it was giving me the option to reset the token along with other options (sorry no screenshot for that). But I cannot find that option anymore.
For āSettingsā I just reset to default, that cleared the alert.
Yes, thatās it. I would just choose the button at the bottom and it would generate a token that was good for a certain number of hours (I think - Iād always have to reset it when I logged back in. I changed the ātypeā and see the options again, but now am getting authorization errors when I try to get a new one.
I didnāt even realise that you could set the authentication to OAuth.
The way Iāve been doing this is by having a sendRequest as a pre-request script.
LOL. Iāll have to look at this at some point.
Iām wondering if I accidentally removed my credentials. What is supposed to go in "Client ID and āClient Secretā? The API Key? If I try to get a new code, I get this error:
Also, is the āAuth URLā and āAccess Token URLā supposed to be the same as the api URL?
As far as I am awareā¦ The auth URL will be the URL the information is sent to, to auth the user before being redirected back to the main URL.
The client secret and client ID will be information tied to the API (not the API key, kind of, more like a username and password for generating tokens) ā¦ it is used specifically for auth.
I donāt have loads of knowledge on Oauth etc. but hopefully, that helps? ā¦
This diagram also might help explain the flow;
The client_ID is basically the application you are connecting to and needs to come from your administrator.
The client_secret is related directly to the client_ID and also needs to come from your administrator.
These are usually sensitive data and should be setup as āsecretā environment variables, so they donāt end up in your code repository (or Postmans) or in the code (Pre-request scripts or Tests tab).
The following is an example of using sendRequest with a pre-request script that authenticates to Microsoft via OAuth2. This returns a token_ID that gets used as the BearerToken for the next request which just uses the URL of the application home page. It basically bypasses the Microsoft login as we donāt really want to test that part of the application.
In the screenshot posted by @w4dd325 , I think the Auth URL is the URL for the API you want to connect to, and the Access Token URL is the token provider (like Microsoft in this example).
pm.test("Check for collectionVariables", function () {
let vars = ['clientId', 'clientSecret', 'tenantId', 'username', 'password', 'scope'];
vars.forEach(function (item, index, array) {
console.log(item, index);
pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.undefined;
pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.empty;
});
if (!pm.collectionVariables.get("bearerToken") || Date.now() > new Date(pm.collectionVariables.get("bearerTokenExpiresOn") * 1000)) {
pm.sendRequest({
url: 'https://login.microsoftonline.com/' + pm.collectionVariables.get("tenantId") + '/oauth2/v2.0/token',
method: 'POST',
header: 'Content-Type: application/x-www-form-urlencoded',
body: {
mode: 'urlencoded',
urlencoded: [
{ key: "client_id", value: pm.collectionVariables.get("clientId"), disabled: false },
{ key: "scope", value: pm.collectionVariables.get("scope"), disabled: false },
{ key: "username", value: pm.collectionVariables.get("username"), disabled: false },
{ key: "password", value: pm.collectionVariables.get("password"), disabled: false },
{ key: "client_secret", value: pm.collectionVariables.get("clientSecret"), disabled: false },
{ key: "grant_type", value: "password", disabled: false },
]
}
}, function (err, res) {
if (err) {
console.log(err);
} else {
let resJson = res.json();
pm.collectionVariables.set("bearerTokenExpiresOn", resJson.expires_in);
pm.collectionVariables.set("bearerToken", resJson.id_token);
}
});
}
});
One query I have. Are you sure you have permissions to POST to the API. If the GET request is working, then it might be a permissions thing.
Thank you - Iāll dig further into this. Iāve also reached out to the administrator. I know my permissions havenāt changed; I ran both requests just a few weeks ago and had no issues, and Iām the only one whoās worked on this project.
Does the GET request still work? Or has that stopped working now as well?
No - neither work now but Iām sure my token is expired. Unfortunately it wonāt give me a new one, so I think in all my messing around my authentication got āpoochedā. I am getting a new secret and will try starting over at square one.
UPDATE: I was able to get the authentication sorted out and the GET request is working again. I did learn that our partner is having issues that prevent the POST function at this time.
Thank you all for your support!