Using postman to get Access Token

Just to be clear, this is not an Okta-specific error. Seems like an issue with your request code.

I haven’t tested this code but I assume your request should look something like this -

const request = require('request');

// Client authentication: HTTP Basic over "client_id:client_secret" (the colon is required)
const headers = {
  'Accept': 'application/json',
  'Authorization': 'Basic ' + Buffer.from(config.auth.id + ':' + config.auth.clientSecret).toString('base64'),
  'Cache-control': 'no-cache',
  'Content-Type': 'application/x-www-form-urlencoded'
}

// Form fields; `request` URL-encodes them itself when they are passed as `form`,
// so no manual encodeURIComponent is needed
const body = {
  'grant_type': 'refresh_token',
  'redirect_uri': settings.redirectUri,
  'scope': 'openid profile email offline_access',
  'refresh_token': req.user.refresh_token
}

const options = {
  url: settings.orgUrl + '/oauth2/default/v1/token',
  headers: headers,
  form: body   // sends application/x-www-form-urlencoded, not a JSON string
}

request.post(options, function (error, response, body) {
  if (error) return console.error(error);
  console.log(response.statusCode, body);
})

Private information hidden, but when this request is sent with Postman to a Native App with Resource Owner Password and Use Client Authentication both enabled, I get the following results. What's wrong with this request?

Hi @SuperJonotron,

I was able to get the password grant for native application working.
This is what I did -

  1. Create a native application from the Okta dashboard
  2. Change the “Client Authentication” setting from “Use PKCE (for public clients)” to “Use Client Authentication”
  3. Import the API Access Management (OAuth 2.0) Postman collection from here - https://developer.okta.com/reference/postman_collections/
  4. Open the “Get Access Token with Resource Owner Password Credentials” Postman request
  5. Update the values of ClientID and ClientSecret into username and password in the Authorization section
  6. Update the values of the username and password for the user in your Okta org (who is assigned the native app) into the body section
  7. Update the redirect_uri value in the body and click Send.

What version of postman are you using? I’m using 5.1.3
I don’t think you need the Content-Type header
Ensure that the user whose credentials you’re using to get the token is assigned the native app.

Updating to the latest Postman has seemed to solve the issue, keeping everything else the same. Attempting to figure out exactly what the raw HTTP request content looks like, since this new Postman version does not make that easy to see, and when doing it outside of Postman based on the docs I get the same errors that Postman was returning before the update.
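For the raw request behind the Postman steps above, an added example that is not from the original thread or from Okta: a Node script that builds the same password-grant call to the token endpoint and shows exactly what goes on the wire. The org URL, authorization server id, client and user values are placeholders.

```javascript
// Builds the raw HTTP request that the Postman
// "Get Access Token with Resource Owner Password Credentials" call sends.
// Every value passed in is a placeholder for this example.
function buildPasswordGrantRequest({ orgUrl, authServerId, clientId, clientSecret,
                                     username, password, scope }) {
  // Client authentication: HTTP Basic over "client_id:client_secret" (colon included)
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  // The body is form-encoded, not JSON; URLSearchParams does the percent-encoding
  const body = new URLSearchParams({
    grant_type: 'password',
    username,
    password,
    scope,
  }).toString();
  return {
    method: 'POST',
    url: `${orgUrl}/oauth2/${authServerId}/v1/token`,
    headers: {
      Accept: 'application/json',
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body,
  };
}

// Sends the request with the fetch built into Node 18+ and returns the parsed
// token response. A non-2xx status carries an OAuth error object
// ({ error, error_description }) like the ones quoted in this thread.
async function requestAccessToken(params) {
  const req = buildPasswordGrantRequest(params);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json; // { token_type, expires_in, access_token, scope, ... }
}
```

The grant only succeeds for a client that has Resource Owner Password and client authentication enabled, and for a user assigned to that application, as the reply above notes.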

Hi Team,

Is this feature still supported?
I am trying to use the above method, where I need to get the access_token. We have tried using the OKTA sign-in widget, though due to a custom (convoluted) login we are facing a dead end with it.

Any help will be appreciated.

Hi there,

I'm currently running into similar issues. Our use case is the following:

We have a working setup, in which a mobile app uses the Authorization Code + PKCE flow to authenticate with a custom Okta authorization server. The tokens sent from that mobile app are verified on the backend using okta-jwt-verifier.

Now we'd like to be able to “impersonate” our own accounts within Postman, to be able to make authenticated calls to our API. To keep concerns separated, we added an additional client application that uses clientId + clientSecret to authenticate and use the “Get Access Token with Resource Owner Password Credentials” Postman request from your “API Access Management” Postman collection.
With that, we are able to fetch an access token by supplying username and password.

When this token shall be verified by our servers, we run into problems though, since the “audience” claim of that token is set to the new postman client application, and the backend onl

We are having trouble allowing multiple audiences (the native mobile app that's already in place, and the Postman app that was recently added) as allowed audiences in our custom authorization server.

Since the label on the relevant field is called “Audience”, we wonder if multiple audiences are supported by Okta? What would be the syntax for adding multiple audiences in a custom authorization server? Can multiple audiences be verified by okta-jwt-verifier?

Thanks in advance,
Tobi

Hi @TobiGe

Multiple audiences can be used in Okta under the same authorization server using the Token Inline Hook feature.

Here’s an example response to set a custom audience for an access token.

{
    "commands": [
        {
            "type": "com.okta.access.patch",
            "value": [
                {
                    "op": "replace",
                    "path": "/claims/aud",
                    "value": "new_access_token_audience"
                }
            ]
        }
    ]
}

This feature requires API Access Management enabled on your Okta org. If you have this feature, please feel free to send an email to support@okta.com and request CALLBACKS and API_ACCESS_MANAGEMENT_EXTENSIBILITY features to be enabled on your org in order to use the Token Inline Hook.

Here’s an alternative to postman that I’ve found works relatively well.

Hi,

I am able to get the access token using a refresh token through C# code.
I tried the same with Postman and got the below error:
{
  "error": "unauthorized_client",
  "error_description": "Browser requests to the token endpoint may only use the authorization_code grant_type."
}

I tried with code and got success; I was able to get the access token.
Please find my code below.

using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Runs inside an async method; OrgUrl, AuthorizationServerId, ClientId,
// RedirectUri and RefreshToken are set elsewhere in the application.
using (var client = new HttpClient())
{
    var postBody = new List<KeyValuePair<string, string>>
    {
        new KeyValuePair<string, string>("grant_type", "refresh_token"),
        new KeyValuePair<string, string>("redirect_uri", RedirectUri),
        new KeyValuePair<string, string>("scope", "offline_access openid"),
        new KeyValuePair<string, string>("refresh_token", RefreshToken),
        // public client: client_id goes in the body instead of a Basic Authorization header
        new KeyValuePair<string, string>("client_id", ClientId)
    };

    // FormUrlEncodedContent already sets Content-Type: application/x-www-form-urlencoded
    using (var content = new FormUrlEncodedContent(postBody))
    {
        HttpResponseMessage response = await client.PostAsync(
            $"{OrgUrl}/oauth2/{AuthorizationServerId}/v1/token", content);

        // read the response body once, then parse it
        string json = await response.Content.ReadAsStringAsync();
        Debug.WriteLine(json);
        var obj = JObject.Parse(json);
    }
}

Hi @sbkrishnan25

Can you provide a cURL example of the request from Postman, by using Code section from under the submit button? Please remove any authorization credentials from the cURL generated.

Hello everyone, I want to use the client credentials flow and test with Postman to get an access token:

Headers: Accept: application/json
Authorization: with my clientid:client_secret encoded as base64, and
I tried all types without success

and got this error…

And if i use like this :

I got this error :o

If you can help me, thank you very much!
