I have a website (reactjs) and a back-end server (spring-boot). Okta is integrated in the UI to do login, and then the back-end server is validating the token before processing requests. It’s all working great.
Now, I want to be able to test the back-end via Postman rather than thru the UI all the time, so I need to figure out how to authenticate via Postman. I created a dummy user account in Okta that I can use for this testing, I also set up an Access Token for use with Postman (not sure I need this, but I’m grasping at straws at this point).
I’ve installed numerous Okta Collections in Postman, and I have the “okta environment” set up, and I can make requests just fine, for example, in the Authentication Collection I can use the “Primary Authentication” request and it injects my username/password from the “okta environment” and I get a successful response back with a sessionToken.
I can copy that value into the “okta environment” and even use the Session Collection to “Create Session with Session Token”, which also returns a valid response, and even includes a “cookieToken”.
I feel like I’m one step away from figuring this out … but I’m baffled. How do I get from here to the normal “bearer token” that I see when I log into my web app?
Let me see if I understand your problem correctly -
Assuming that you’re using the Authorization code flow,
You have a setup with front-end doing the login and getting the access token -> /authorize endpoint called, which returns your an authorization_code
The back-end then exchanges the code to get back and access_token
You pass the access_token to your spring-boot back-end which validates the token and processes the request
You want to validate the back-end without front-end dependency
With postman, the only difference from the above flow is that you call /authn endpoint first to get the sessionToken
Now you should pass the sessionToken to the /authorize call which should return you the authorization code in the URL
Then you call the /token endpoint with the code and get back the access_token
Once you have this token, you can test your back-end using this.
ok, I’m going to admit that I gave up. vijet’s answer above helped me get closer. Something is wrong with my /authorize call, probably related to Interceptor (which I’ve never used).
I was trying to do this in the Native Postman App, not the Chrome Web Browser Extension, which makes Interceptor a bit funky. It looks like it’ll proxy HTTPS, but I haven’t tried that yet (Charles still works for me).
Anyway, for now I’m just grabbing the bearer token from my browser session and copy/paste it over to Postman and it works fine until it times out, but that’s good enough for now.
If anyone manages to get this working, I’d love a step-by-step instruction manual.
Hey @tphilip! This is unfortunately harder than it should be in Postman. The reason it’s tricky is because it has two parts. How it normally works is (assuming you are using the implicit flow for your single-page app):
You construct an /authorize URL and redirect your browser to it
Okta logs the user in, and redirects back to your callback URL with tokens
Postman is great at handling single requests/responses, but it’s tricky to capture the above. You can use an interceptor but to be honest, I’ve never gotten that working properly.
I built a small tool to make this much easier to do: https://oidcdebugger.com
Here’s how to use it:
First, configure your Okta app (temporarily) to allow redirects back to https://oidcdebugger.com/debug:
Anyone got this working, my use case is very similar, want to fetch access token using resource owner username/password and then use that in end to end test cases.
End to end test cases will be run in the pipeline so has to be non interactive.
I am using PKCE for client authentication, any help will be appreciated.