4

I am using POSTMAN to test OAuth2.0 AuthCode flow for MSGraph. Following are details of the same:

AuthCode URL : https://login.microsoftonline.com/{tenant_id}/oauth2/authorize

AccessToken URL : https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

When I did some research to see how to test OAuth2.0 using POSTMAN, I was able to find some threads which helped me to generate the access token and hit the user profile API to get the user details, as shown in the screenshot below:

enter image description here

enter image description here

But I have a weird requirement wherein I would like to generate an AuthCode in a separate request, then use it in another request to get the Access Token, and then use the access token to get the user details in a separate request.

Can someone please help me with the above requirement?

FAIZAN
  • What do you mean by separate request? – Carl Zhao Sep 21 '20 at 02:34
  • Usually we use the auth code flow to obtain a token to access the graph api requires the following three steps: 1. Request an authorization code 2. Request an access token 3. Use the access token. Each step is a separate request. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow – Carl Zhao Sep 21 '20 at 02:54
  • @CarlZhao - Separate POSTMAN requests. Yes, I agree, but when you google "how to test OAuth2.0 using postman", you find that it's a single request, which should be the user profile URL, and in the authorization tab we need to select Type as OAuth2.0. I have updated the question and attached the screenshot of the same. – FAIZAN Sep 21 '20 at 07:02
  • 1
    Obtaining the code is an interactive process, which requires you to log in as a user, and requires you to execute the request in the browser: `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? client_id=6731de76-14a6-49ae-97bc-6eba6914391e &response_type=code &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &response_mode=query &scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read &state=12345` – Carl Zhao Sep 21 '20 at 07:18

2 Answers

4

You can first request the authorization code in your browser:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={your-client-id}
&response_type=code
&redirect_uri=https://localhost:4500/web/completeoauth/ms
&response_mode=query
&scope=https://graph.microsoft.com/mail.read
&state=12345

enter image description here

Then use the authorization code to request the token in postman:

enter image description here


Update:

If you don’t want to use a browser, just don’t check the Authorize using browser checkbox, and then set the Callback URL to your Redirect URIs. When you request a token, it will prompt you to log in.

After you log in, it will return the access token directly to you. But you will not see the code; this is because the system directly exchanges your code for a token and returns it to you.

Carl Zhao
  • Thanks Carl for your response on this. I have tried this and was successful, but is there any way that I can get the AuthCode via a postman request without browser intervention? – FAIZAN Sep 21 '20 at 08:41
  • @FAIZANAHMEDKHAN If you have any questions, I will reply to you as soon as possible. – Carl Zhao Sep 22 '20 at 10:35
  • @FAIZANAHMEDKHAN, there are no non-interactive ways to get the AuthCode with Microsoft Personal Accounts[[1](https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/msa-oauth?view=odsp-graph-online#supported-authentication-flows)][[2](https://stackoverflow.com/questions/66787193/onedrive-api-and-azure-active-directory-setup-to-upload-as-personal-account/66792238#66792238)] :/ – Augusto Icaro May 08 '21 at 21:10
0

In Postman, in the test tab of the first request, you need to store the AuthCode in an environment variable: `pm.environment.set("authCode", authCode)`.

You can then use that in the pre-request script of the next request via `pm.environment.get("authCode")`, or in the headers or as a URL parameter: `{{authCode}}`.

Christian Baumann
  • 1
    Hi Christian, thanks for your response. I am trying to do a separate Authorization request from POSTMAN as follows: GET :: https://login.microsoftonline.com/{tenant_id}/oauth2/authorize I get HTML as the response, with the following title: "Sign in to your account". So I would like to know where I need to enter my credentials in order to get the Authorization code. – FAIZAN Sep 21 '20 at 07:01
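
The three separate requests discussed on this page (authorize, token exchange, API call) hinge on handling the redirect between steps 1 and 2 correctly. The sketch below is an added example in JavaScript, the language of Postman scripts, and is not code from any of the posts; it builds the authorize URL, extracts the code from the redirect only if the echoed `state` matches (rather than a fixed value such as 12345), and builds the token request. The function names and sample values are assumptions made for illustration.

```javascript
// Added example with constructed values; builds requests only, sends nothing.
const AUTHORITY = 'https://login.microsoftonline.com';

// Fresh, unguessable state per sign-in attempt (needs the Web Crypto global).
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Step 1: the URL to open in a browser for the interactive sign-in.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, scope, state }) {
  const url = new URL(`${AUTHORITY}/${encodeURIComponent(tenant)}/oauth2/v2.0/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId, response_type: 'code', redirect_uri: redirectUri,
    response_mode: 'query', scope, state,
  }).toString(); // URLSearchParams percent-encodes every value
  return url.toString();
}

// Step 2: pull the code out of the URL the browser was redirected to.
function extractCode(redirectedUrl, expectedRedirectUri, expectedState) {
  const got = new URL(redirectedUrl);
  const want = new URL(expectedRedirectUri);
  if (got.origin !== want.origin || got.pathname !== want.pathname) {
    throw new Error('redirect landed on an unexpected URI');
  }
  const q = got.searchParams;
  // Reject responses that do not echo the state this client generated.
  if (q.get('state') !== expectedState) throw new Error('state mismatch');
  if (q.has('error')) throw new Error(`authorization failed: ${q.get('error')}`);
  const code = q.get('code');
  if (!code) throw new Error('no code in redirect');
  return code;
}

// Step 3: the form-encoded POST that exchanges the code for tokens.
// A confidential client also sends client_secret; a public client uses PKCE.
function buildTokenRequest({ tenant, clientId, redirectUri, scope, code }) {
  return {
    method: 'POST',
    url: `${AUTHORITY}/${encodeURIComponent(tenant)}/oauth2/v2.0/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code', client_id: clientId, code,
      redirect_uri: redirectUri, scope,
    }).toString(),
  };
}
```

The value returned by `extractCode` is what would be stored with `pm.environment.set("authCode", ...)` for the token request to pick up.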