Using Postman to test IdentityServer4 OAuth Authentication Code Flow

I’m trying to use Postman to test the Authentication Code Flow within IdentityServer4 - but it doesn’t seem to work correctly. I’m not sure if this is IS4 or a Postman issue.

Using the demo instance (https://demo.identityserver.io/) and the SPA client below

new Client
{
    ClientId = "spa",
    ClientName = "SPA (Code + PKCE)",

    RequireClientSecret = false,
    RequireConsent = false,

    RedirectUris = { "https://notused" },
    PostLogoutRedirectUris = { "https://notused" },

    AllowedGrantTypes = GrantTypes.Code,
    AllowedScopes = { "openid", "profile", "email", "api" },

    AllowOfflineAccess = true,
    RefreshTokenUsage = TokenUsage.ReUse
},

I request the then login with either bob/bob or alice/alice and when I click the Login button it just redirects back to the login screen.

I was expecting the access token to be retrieved.

My organization uses an IdentityServer4 application for authentication and we had successfully used Postman for months. As of yesterday we’ve been experiencing the same behavior.

I think it’s because some specific cookies aren’t being set in Postman for some reason. I’m pretty sure the call to HttpContext.SignInAsync() in the POST AccountController.Login() method sets the cookies which verify the user is authenticated. At that point the user should be redirected to the Consent page, which is a page that requires authentication. Since the cookies that verify authentication aren’t set, the Consent page redirects the user back to the Login page, which is why it seems like the page is simply reloaded.

When I’ve attempted to access the IdentityServer4 Consent page manually in Chrome, I’m redirected to Login, and after successfully logging in, redirected back to Consent. Checking Chrome dev tools, I’ve verified that the cookies (idsrv, idsrv.session) are set.

This leads me to believe the issue is with Postman specifically.

Same problem here. I am sure this worked a few weeks ago, but when I tried to use it this week, I was returned to the login screen after logging in successfully. With a colleague, it works fine. I have used the instructions from https://medium.com/all-technology-feeds/testing-your-asp-net-core-webapi-secured-with-identityserver4-in-postman-97eee976aa16.

This looks to be caused by setting the SameSite attribute on the authorisation cookie to None. As Postman is using Chrome 66, this will reject any cookies that have this set to None.

If you don’t set the SameSite attribute for Postman requests (i.e. via User Agent detection) then it should work.

This link gives more details on incompatible clients:
https://www.chromium.org/updates/same-site/incompatible-clients
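The workaround described in the post above (keep SameSite=None for modern browsers, omit the attribute for user agents that reject it) is what the ASP.NET Core cookie-policy middleware is designed for. The following is an added example, not code from this thread or from IdentityServer4; it assumes an ASP.NET Core 3.x Startup class with IdentityServer4 already registered, and the user-agent heuristics are the ones listed on the Chromium incompatible-clients page linked above, including the Chrome/5x-6x match that covers Postman's embedded Chrome 66.

```csharp
// Added example (not from the thread): ASP.NET Core Startup wiring that keeps
// SameSite=None on the IdentityServer cookies for modern browsers but strips the
// attribute for user agents known to reject it (Chromium "incompatible clients"
// list). Assumes ASP.NET Core 3.x with IdentityServer4 registered elsewhere.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ... services.AddIdentityServer(...) and clients registered here ...

        services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not let the policy middleware force a SameSite value of its own;
            // the per-cookie callbacks below decide based on the requesting agent.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            options.OnAppendCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Cookie policy must run before IdentityServer/authentication so the
        // callbacks see the idsrv and idsrv.session cookies as they are written.
        app.UseCookiePolicy();
        app.UseRouting();
        app.UseIdentityServer();
        app.UseAuthorization();
        // ... app.UseEndpoints(...) ...
    }

    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        // Only cookies explicitly marked SameSite=None are affected; Lax/Strict pass through.
        if (options.SameSite != SameSiteMode.None)
            return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (SameSiteCompat.DisallowsSameSiteNone(userAgent))
        {
            // Omit the attribute entirely for this client; it would otherwise
            // drop the cookie and the login loop from the thread occurs.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }
}

public static class SameSiteCompat
{
    // Heuristics follow chromium.org/updates/same-site/incompatible-clients.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
            return false;

        // iOS 12 browsers (all of them use the system networking stack).
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;

        // Safari and embedded WebKit browsers on macOS 10.14.
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
            userAgent.Contains("Version/") && userAgent.Contains("Safari"))
            return true;

        // Chrome/Chromium 51-66 reject SameSite=None. This coarse 5x/6x match
        // also covers Electron-based tools such as Postman reporting Chrome/66.
        if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
            return true;

        return false;
    }
}
```

The important property is that the downgrade is scoped to the legacy agents: current browsers still receive SameSite=None together with Secure, so the cross-site redirect back from the authorize endpoint keeps working under Chrome 80+ defaults, while only the listed agents get a cookie with no SameSite attribute. To confirm the behaviour, send the same authorize request with a Chrome/66 User-Agent and with a current one and compare the Set-Cookie headers for idsrv and idsrv.session.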

Can we have some guidance from the Postman team? It has been 3 months now and it seems they don’t care. This issue is important.

Has anyone found a solution?

Also experiencing the same issue. Waiting for solution.