Private information hidden, but when this request is sent with Postman to a Native App with Resource Owner Password and User Client Authentication both enabled, I get the following results. What’s wrong with this request?
What version of Postman are you using? I’m using 5.1.3.
I don’t think you need the Content-Type header.
Ensure that the user whose credentials you’re using to get the token is assigned the native app.
Updating to the latest Postman seems to have solved the issue, keeping everything else the same. I am attempting to figure out exactly what the raw HTTP request content looks like, since this new Postman version does not make that easy to see, and when doing it outside of Postman based on the docs I get the same errors that Postman was returning before the update.
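An added example, not part of the thread and not Okta's code: Python that builds the raw HTTP request for the Resource Owner Password grant discussed above, with the client authenticating through a Basic header, and then masks the credentials so the request can be posted for debugging. The token path follows the one used in the C# snippet later in this thread; the function names are hypothetical, every host, id and credential is constructed, and the `openid` scope is an assumption.

```python
import base64
from urllib.parse import parse_qsl, quote_plus, urlencode, urlsplit

# Form fields that must never be pasted into a public thread.
SENSITIVE_FIELDS = {"password", "client_secret", "refresh_token"}


def build_password_grant_request(org_url, auth_server_id, client_id,
                                 client_secret, username, password,
                                 scope="openid"):
    """Return the raw HTTP/1.1 text of an RFC 6749 section 4.3 token request."""
    url = urlsplit(f"{org_url}/oauth2/{auth_server_id}/v1/token")
    # RFC 6749 section 2.3.1: form-encode id and secret, then Base64 "id:secret".
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode()).decode()
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return "\r\n".join([
        f"POST {url.path} HTTP/1.1",
        f"Host: {url.netloc}",
        "Accept: application/json",
        f"Authorization: Basic {basic}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",
        "",
        body,
    ])


def redact(raw_request):
    """Mask credentials in a raw request so it can be shared for debugging."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme = (value.split() or [""])[0]
            line = f"Authorization: {scheme} REDACTED"
        headers.append(line)
    fields = [(k, "REDACTED" if k in SENSITIVE_FIELDS else v)
              for k, v in parse_qsl(body, keep_blank_values=True)]
    # Content-Length still describes the original body, not the masked one.
    return "\r\n".join(headers) + "\r\n\r\n" + urlencode(fields)


if __name__ == "__main__":
    # Constructed sample values; none of them come from the thread.
    raw = build_password_grant_request("https://example.okta.com", "default",
                                       "0oaEXAMPLE", "s3cr3t/+",
                                       "user@example.com", "p@ss word&1")
    print(redact(raw))
```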
Is this feature still supported?
I am trying to use the above, where I need to get the access_token using the above method. We have tried using the Okta Sign-In Widget, though due to our custom (convoluted) login we are facing a dead end with it.
I’m currently running into similar issues. Our use case is the following:
We have a working setup, in which a mobile app uses the Authorization Code + PKCE flow to authenticate with a custom Okta authorization server. The tokens sent from that mobile app are verified on the backend using okta-jwt-verifier.
Now we’d like to be able to “impersonate” our own accounts within Postman, to be able to make authenticated calls to our API. To keep concerns separated, we added an additional client application that uses clientId + clientSecret to authenticate and uses the “Get Access Token with Resource Owner Password Credentials” Postman request from your “API Access Management” Postman collection.
With that, we are able to fetch an access Token by supplying username and password.
When this token is to be verified by our servers, we run into problems though, since the “audience” claim of that token is set to the new Postman client application, and the backend onl
We are having trouble allowing multiple audiences (the native mobile app that’s already in place, and the Postman app that was recently added) as allowed audiences in our custom authorization server.
Since the label on the relevant field is called “Audience”, we wonder if multiple audiences are supported by Okta? What would be the syntax for adding multiple audiences in a custom authorization server? Can multiple audiences be verified by okta-jwt-verifier?
This feature requires API Access Management enabled on your Okta org. If you have this feature, please feel free to send an email to support@okta.com and request CALLBACKS and API_ACCESS_MANAGEMENT_EXTENSIBILITY features to be enabled on your org in order to use the Token Inline Hook.
I am able to get the access token using a refresh token through C# code.
I tried the same with Postman and got the below error:
{
  "error": "unauthorized_client",
  "error_description": "Browser requests to the token endpoint may only use the authorization_code grant_type."
}
I tried with code and succeeded; I was able to get the access token.
Please find my code below.
// Needs: System.Collections.Generic, System.Diagnostics, System.Net.Http, Newtonsoft.Json.Linq.
// Runs inside an async method; RedirectUri, RefreshToken, ClientId, OrgUrl and
// AuthorizationServerId are defined elsewhere.
using (var client = new HttpClient())
{
    // Form fields for the refresh_token grant.
    var postBody = new List<KeyValuePair<string, string>>
    {
        new KeyValuePair<string, string>("grant_type", "refresh_token"),
        new KeyValuePair<string, string>("redirect_uri", RedirectUri),
        new KeyValuePair<string, string>("scope", "offline_access openid"),
        new KeyValuePair<string, string>("refresh_token", RefreshToken),
        new KeyValuePair<string, string>("client_id", ClientId)
    };

    // FormUrlEncodedContent already sets Content-Type: application/x-www-form-urlencoded.
    using (var content = new FormUrlEncodedContent(postBody))
    {
        HttpResponseMessage response = await client.PostAsync($"{OrgUrl}/oauth2/{AuthorizationServerId}/v1/token", content);

        // Read the body once and await it instead of blocking on .Result.
        // The body contains tokens, so keep this debug output out of shared logs.
        string body = await response.Content.ReadAsStringAsync();
        Debug.WriteLine(body);
        var obj = JObject.Parse(body);
    }
}
Can you provide a cURL example of the request from Postman, by using the Code section under the submit button? Please remove any authorization credentials from the generated cURL.