Search code examples
oauthoauth-2.0postman

How to persist an OAuth2 token (or use a refresh token) in Postman collections?

The goal

Be able to run a collection without going through the authorization process of every call individually prior to running the collection.

What I've attempted/noticed

  1. When using the OAuth2 authorization helper in Postman, I haven't discovered a method to save a returned refresh token, and thus use it when the access token expires to get a new one. (I've suggested this feature be placed into the helper in the Postman Github Issues.)

  2. I've tried creating a few steps at the beginning of the collection to replicate the helper, but cannot get past the step where user interaction is required to approve/deny (which makes sense as it's a security risk otherwise). However, I can't seem to figure out how to prompt the user either, the way the OAuth2 helper does.

  3. I've taken my expectations down a notch in regards to the refresh token and thought I could simply run the authentication on the first test in the list, saving the access token somehow in a global or environment variable, and then using that token in the all subsequent tests, but I have not found a way to save the access token generated via the OAuth2 helper.

I would love to know if there is a solution to this which results in collections being able to be run with minimal effort put into authorization. This becomes more important with the more tests written in a collection which all use OAuth2 authorization.

Side note: I've been using the Postman mac client, in case there is a different in clients I'm unaware of.

Solution

  • I found an answer here on github.

    First, setup these environment variables:

    • url : (your API endpoint)
    • access_token : (blank)
    • refresh_token : (blank)
    • client_id : (your client_id)
    • client_secret : (your client_secret)
    • username : (your username)
    • password : (your password)

    Next, create a new call which gets an access_token using the password grant_type.

    In my case, I POST to {{url}}/access_token. Sent with this call is the following information as form-data key/value pairs specified in the Body tab:

    • grant_type : password
    • username : {{username}}
    • password : {{password}}
    • client_id : {{client_id}}
    • client_secret : {{client_secret}}

    Sending this POST will result in something like this response:

    {
  "access_token": "kciOMpcmRcGTKfoo",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "DMGAe2TGaFbar"
}

    Then, in the Tests tab, I added the following code to assign two of the environment variables, access_token and refresh_token.

    var data = JSON.parse(responseBody);
postman.setEnvironmentVariable("access_token", data.access_token);
postman.setEnvironmentVariable("refresh_token", data.refresh_token);

    NOTE: I also put a test in there, just to make sure at least this call worked properly as well, although this has nothing to do with the original question:

    var jsonData = JSON.parse(responseBody);
tests["token_type is Bearer"] = jsonData.token_type === "Bearer";

    Now any new call I create can use the access_token generated by that first call as an environment variable like this: {{access_token}}. In my case, I go to the Headers tab in a call/test and add this key/pair:

    • Authorization : Bearer {{access_token}}

    Bonus points: I haven't given an example here, but theoretically I could add a pre-request script which tests the current (non-blank) access_token against the API and, if it fails, get a new one using the given (non-blank) refresh_token. This would make it so I wouldn't have to worry about access tokens expiring.

    That all said, I am not fond of this solution because it requires adding this first access_token call to every sub-folder in my collection because if I want to run a sub-folder only and not the collection as a whole, I need to make sure I have a fresh access_token. Not doing so would mean all tests would fail when an access_token expires. If you never run sub-folders separately in your Collection Runner, you could get away with only creating one access_token call and setting it as the first call to run in the collection.

    But, for that reason, I'm not going to mark this as the correct answer yet. I'm guessing there is a better answer than what I've come up with - ideally one where I do not have to duplicate the same access_token call/test into each sub-folder, but do get the benefit of automated, non-interactive tests with the flexibility of running a sub-folder by itself or the collection as a whole.