Obtaining an Access Token via Postman Using OAuth 2.0
This section describes how to use Postman to initiate an OAuth 2.0 Authorization Code flow with PKCE and obtain an access token from Keycloak through digiRunner.
Configuring OAuth 2.0 in Postman
In Postman, go to the Authorization tab, and set the Auth Type to OAuth 2.0.
Under Grant type, select Authorization Code (With PKCE), the standard OAuth 2.0 authorization flow with enhanced security via PKCE.
Check the box for Authorize using browser, allowing Postman to use the default callback URL:
https://oauth.pstmn.io/v1/callback.
Configuring Authorization Settings
Fill in the fields as instructed below:
Auth URL: https://localhost:18080/dgrv4/ssotoken/gtwidp/OIDC/authorization
This URL directs the user to the authorization page.
Access Token URL: https://localhost:18080/oauth/token
This endpoint is used to request the token.
Client ID: Enter the Client ID configured in digiRunner.
Client Secret: Enter the Client Secret configured in digiRunner.

Configuring PKCE and Additional Parameters
Fill in the fields as instructed below:
Code Challenge Method: Select SHA-256 (the S256 method), so that the code challenge sent to the authorization endpoint is a hash of the verifier rather than the verifier itself.
Code Verifier: Use the Postman variable {{$guid}}{{$guid}} to generate a valid verifier string. This produces two GUIDs, 72 characters in total, which meets Keycloak's requirement of a length between 43 and 128 characters.
Scope: Enter openid email profile. These scopes are necessary to retrieve user profile information.
State: Enter {{$guid}}. This ensures a unique state value for each request.
Client Authentication: Select Send as Basic Auth header to transmit the Client ID and Secret using HTTP Basic Authentication.

Authenticating and Retrieving the Token
Click Get New Access Token. You will be redirected to the Keycloak login page.
Enter the username and password of the user account created in Creating a Test User Account, then click Sign In.

Upon successful login, the browser will redirect you back to Postman.
Postman will receive and display the Access Token, Refresh Token, and ID Token.
Click Use Token to automatically populate the authorization header with the received access token.

Sending API Requests with the Token
Once the token is applied, click Send to execute the request and call the API. If you receive a 403 Forbidden HTTP response, it means that the client is not authorized to access the target API in digiRunner. Revisit the client authorization settings in digiRunner and update them to grant the necessary access.

Refer to Client Authorization and Calling API for guidance on completing the integration, then retrieve a new token and call the API again. With this process, you have authenticated via Postman using OAuth 2.0 with PKCE, retrieved the access token from Keycloak via digiRunner, and executed an API call.
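To make the steps above concrete, here is an added example (not digiRunner's or Postman's own code) that reproduces what Postman does behind the form fields: it builds the verifier the way {{$guid}}{{$guid}} does, derives the S256 code challenge, assembles the authorization URL with the scope and state from this page, checks the state on the callback, and prepares the token request with the client credentials in a Basic auth header. The endpoints and callback URL are the ones given on this page; the client ID and secret are placeholders you supply.

```python
import base64
import hashlib
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as configured on this page (local digiRunner instance) and Postman's callback.
AUTH_URL = "https://localhost:18080/dgrv4/ssotoken/gtwidp/OIDC/authorization"
TOKEN_URL = "https://localhost:18080/oauth/token"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"


def make_code_verifier() -> str:
    """Mirror Postman's {{$guid}}{{$guid}}: two UUIDs, 72 chars, inside the 43..128 range."""
    return f"{uuid.uuid4()}{uuid.uuid4()}"


def code_challenge_s256(verifier: str) -> str:
    """S256 method (RFC 7636 4.2): base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, verifier: str, state: str) -> str:
    """The URL the browser is sent to when you click Get New Access Token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",   # scopes from this page
        "state": state,                    # Postman fills this from {{$guid}}
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect; reject it if the state does not match ours."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to our request")
    return qs["code"][0]


def build_token_request(client_id: str, client_secret: str, code: str, verifier: str):
    """Token exchange: credentials as a Basic auth header, verifier in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    return TOKEN_URL, headers, body
```

The token endpoint recomputes SHA-256 over the submitted code_verifier and compares it with the code_challenge it stored at authorization time, so a code intercepted on the callback is useless without the verifier that never left Postman.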
