Introduction
Postman is an API development platform for designing, building and testing API (Application Programming Interface). It can create different HTTP requests (GET, POST, PUT), save environments for later use, and convert the API to code for various languages (like JavaScript, Python).
Authorizing requests will allow verifying the identity of the client who is requesting access to the protected resources. The client can be a user (individual user) or another service (third-party service). This is done to ensure that the data is secure. There are many types of Authorization like No Auth, Bearer Token, AWS signature, OAuth 1.0, OAuth 2.0, etc.
In this article, we will discuss OAuth 2.0 authorization technique. We will discuss what OAuth 2.0 is and how to implement it using Postman.
What is OAuth?
The ‘Auth’ in OAuth refers to Authorization. As mentioned above, authorizing requests means verifying the identity of the user before handing them access to protected resources.
There are billions of services around the world, these services need to interact with each other. These services are used by the Users. The services interact with each other and the user via the Internet. During these interactions, the services exchange information, but not all information is shared with everyone. Some information is kept private and only shared with trusted services or trusted users.
If the information is about the user, do you think the services can exchange it without the user’s permission? NO!❌ Hence, the service asks for the user’s permission, and only after the user has consented to share the information is it shared with the other service. The information might be shared several times, and asking for the user’s permission every time is a waste of time.
So, we came up with an authorization protocol (a communication flow) called OAuth, which allows services to authorize each other on behalf of the user, given that the user has already permitted the exchange. OAuth sets the specifications for the communication between the services. The user needs to authorize the exchange once; after that the communication flows on its own, with OAuth working in the background.
The first version of OAuth is OAuth 1.0. There were some limitations of OAuth 1.0 which gave birth to OAuth 2.0.
In this article, we will discuss how to use OAuth 2.0 with Postman.
How to use OAuth 2.0?
OAuth 2.0 is an authorization protocol that gives limited access to another service on behalf of the user, once the user gives permission to access their credentials.
To demonstrate the example we will need two services and a user. You are the user. The first service is the Postman Application. What about the second service? For the second service, we will create an API using Spotify Developer Tools.
🎵 Login to your Spotify account. If you do not have an account, create one. A new page must have opened.
🎵 Click on Create An App.
🎵 A pop-up will open. Enter the App Name and App Description.
🎵 You can find the Client ID and Client secret (click on show client secret) there.
🎵 Click on Edit Settings ▶️ Add a Redirect URL (once the authorization is done, we will be redirected to this URL).
For Postman the redirect URL is https://www.postman.com/oauth2/callback.
🎵 Click on Add and finally Click on Save.
Now, let’s head over to the Postman Desktop Application.🏁
🚀 Select a workspace and create a new ➕ collection. In this example, we have created a collection named “Spotify”.
🚀 In the Authorization tab (Auth tab), under TYPE drop-down list select OAuth 2.0.
🚀 Under Configure New Token, you can see there are two options - Configuration Options and Advanced Options. There are many Configuration Options. Below we have shown what values should be added to each Option.
Token Name: Enter the name you want to give to the token.
Grant Type: There are many Grant types; we will discuss them later in this article. For this example, select Authorization Code as the Grant Type.
CallBack URL: It will be the same as the Redirect URL we set for our Demo App, so enter https://www.postman.com/oauth2/callback.
Auth URL: Use this endpoint: https://accounts.spotify.com/authorize.
🚀 A pop-up window will appear. Click on Agree. It will redirect you to a page where you can find the Access Token and the Refresh Token. Click on Use Token.
✅ Your access token has been saved under Current Token -> Access Token.
YAY!🥳 You have successfully set up OAuth 2.0 for the Demo App.
OAuth 2.0 Parameters
🎯 Token Name: Name of the access token.
🎯 Grant Type: Refers to the way an application gets an access token. There are many grant types and we will discuss them later in this article.
🎯 CallBack URL: The URL to which we are redirected after the authorization step. This URL must be registered with the API provider (as we did in the Spotify app settings). By default Postman leaves it empty; alternatively, the endpoint https://oauth.pstmn.io/v1/browser-callback can be used.
🎯 Auth URL: Postman obtains the authorization code from this endpoint.
🎯 Access Token URL: Postman exchanges the authorization code for an access token at this endpoint.
🎯 Client ID and Client Secret: The ID and secret assigned by the API provider when the app was registered.
🎯 Scope: The scope of access we are requesting.
🎯 State: An opaque value to prevent cross-site request forgery.
🎯 Client Authentication: Send a Basic Auth request in the header, or client credentials in the request body.
Grant Types in OAuth 2.0
Grant Type refers to the way an application gets an access token. Each grant type is optimized for a particular use case, whether that’s a web app, a native app, a device without the ability to launch a web browser, or server-to-server applications.
There are five Grant Types:
1️⃣ Authorization Code
2️⃣ Authorization Code (with PKCE)
3️⃣ Implicit
4️⃣ Password Credentials
5️⃣ Client Credentials
1️⃣ Authorization Code
The application opens a browser to send the user to the OAuth server. The user sees the authorization prompt and approves the app’s request. The user is redirected back to the application with an authorization code in the query string. The application exchanges the authorization code for an access token.
To use Authorization Code grant enter a CallBack URL, Access Token URL, Auth URL, Client ID and Client Secret.
2️⃣ Authorization Code (with PKCE)
On selecting Authorization Code with Proof Key for Code Exchange, two more parameters will be added -
⭐Code challenge method: We can select either SHA-256 or plain to generate the Code challenge.
⭐Code Verifier: It is a character string used to connect authorization requests to token requests.
3️⃣ Implicit
It will return an access token to the client without requiring the additional auth code step.
To use Implicit grant enter a CallBack URL, Auth URL and Client ID.
4️⃣ Password credentials
In this grant, the username and password are sent directly from the client, which is not recommended.
To use Password Credentials grant enter an Access Token URL, username and password.
5️⃣ Client credentials
It is used to access the data associated with the client application.
To use Client Credentials grant enter Access Token URL, Client ID and Client Secret.
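The Client Credentials grant request as Postman sends it, with both Client Authentication options listed under the OAuth 2.0 parameters above (Basic Auth header versus credentials in the request body), and the handling of the token response that follows. This is an added Node.js example, not code from the article or from Postman; the token URL, client ID, client secret and the JSON response are constructed placeholders.

```javascript
// Added example (not from the original article): Client Credentials grant and token handling.

// Build the POST to the Access Token URL. clientAuth is 'header' (Basic Auth) or 'body'.
function buildClientCredentialsRequest({ tokenUrl, clientId, clientSecret, scope, clientAuth }) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const body = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scope) body.set('scope', scope);
  if (clientAuth === 'header') {
    // RFC 6749 section 2.3.1: form-encode id and secret, join with ':', base64 it.
    const cred = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    headers.Authorization = 'Basic ' + Buffer.from(cred, 'utf8').toString('base64');
  } else if (clientAuth === 'body') {
    body.set('client_id', clientId);
    body.set('client_secret', clientSecret);
  } else {
    throw new Error(`unknown client authentication mode: ${clientAuth}`);
  }
  return { method: 'POST', url: tokenUrl, headers, body: body.toString() };
}

// Parse the JSON token response. expires_in is relative, so record an absolute
// expiry; keep the refresh token separate from the access token.
function parseTokenResponse(json, now = Date.now()) {
  const r = JSON.parse(json);
  if (r.error) throw new Error(`token endpoint error: ${r.error}`);
  if (!r.access_token) throw new Error('no access_token in response');
  if (String(r.token_type).toLowerCase() !== 'bearer') {
    throw new Error(`unexpected token_type: ${r.token_type}`);
  }
  return {
    accessToken: r.access_token,
    expiresAt: now + Number(r.expires_in) * 1000,
    refreshToken: r.refresh_token ?? null, // client_credentials normally issues none
    scope: r.scope ?? null,
  };
}

// Treat the token as expired a little early so a request in flight does not fail.
function isExpired(token, now = Date.now(), skewMs = 30000) {
  return now + skewMs >= token.expiresAt;
}

// The header Postman adds to each request once "Use Token" has been clicked.
function bearerHeader(token) {
  return { Authorization: `Bearer ${token.accessToken}` };
}

function demo() {
  const req = buildClientCredentialsRequest({
    tokenUrl: 'https://example.invalid/api/token', // placeholder Access Token URL
    clientId: 'YOUR_CLIENT_ID',                   // placeholder
    clientSecret: 'YOUR_CLIENT_SECRET',           // placeholder
    clientAuth: 'header',
  });
  // Constructed response, as the token endpoint would return it.
  const constructedJson = '{"access_token":"tok-123","token_type":"Bearer","expires_in":3600}';
  const token = parseTokenResponse(constructedJson);
  return { request: req, token, header: bearerHeader(token), expired: isExpired(token) };
}

module.exports = { buildClientCredentialsRequest, parseTokenResponse, isExpired, bearerHeader, demo };
```

Sending the credentials in the Authorization header is the method RFC 6749 requires every server to support; the body variant is the fallback for servers that do not accept Basic Auth. Either way the secret travels only to the token endpoint over TLS, never in the query string, and the access token is what the collection's requests then carry.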
Frequently Asked Questions
For what purpose is Postman used?
Postman is an API client that makes it easy for developers to create, share, test and document APIs. Users can create and save simple and complex HTTP(S) requests, as well as read their responses.
What is OAuth?
OAuth is a mechanism that allows services to give authorization to each other on behalf of a user. Keep in mind - the authorization is done only after taking the user’s permission.
Why is it important to authorize requests?
Authorizing requests will allow verifying the identity of the client who is requesting access to the protected resources. The client can be a user (individual user) or another service (third-party service). This is done to ensure that the data is secure.
Conclusion
Congratulations🎉on finishing the article. We discussed what OAuth is. There are two versions of OAuth - OAuth 1.0 and OAuth 2.0. In this article, we discussed how to use OAuth 2.0 in Postman. We also discussed the parameters used for OAuth.
If you want to read more about Postman we recommend you read these articles: