postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Add hybrid flow (grant type) to OAuth2 auth helper #2209

Closed jarroda closed 1 year ago

jarroda commented 8 years ago

Postman currently supports Authorization Code and Client Credentials flows, but providing support for hybrid flow would be very useful. We have a JavaScript SPA app that authenticates with our API using implicit flow, but would like to test our API endpoints using Postman.

Providing support for hybrid flow means that our SPA app can continue to log in along with allowing Postman to authenticate using a client secret.

czardoz commented 7 years ago

@jarroda Can you elaborate on the "hybrid" flow?

ericgreenmix commented 7 years ago

Here is the spec for the hybrid flow. https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth

Basically, it allows implicit and authorization code on the same client. Since a SPA has to use an implicit flow, that blocks you from being able to use Postman authorization code authentication. If you could set the SPA's flow to be hybrid then that would allow the SPA to authenticate implicitly as well as allow Postman to authenticate using a client secret.

kamalaknn commented 6 years ago

@ericgreenmix, for now, Postman (starting from 5.3.1) supports requesting OAuth 2.0 tokens using implicit grant types. That should allow you to continue working until we work on the hybrid flows.

destevezitexico commented 6 years ago

@kamalaknn I have already installed Postman 5.3.1 for Windows and I don't see the implicit grant type in the list of options available.

kamalaknn commented 6 years ago

@destevezitexico Once you select the Get New Access Token button on OAuth 2.0 under the Authorization section, you should see a dialog like this:

[screenshot, 2017-10-20]

The Implicit option should be available on the Grant Type dropdown. Note that this feature is only available on our Native apps. Here's the download link.

ilyabelkin commented 6 years ago

Is there a timeframe for Hybrid flow/Grant Type, specifically [code id_token] support in Postman? Most of our new applications are set up as described here: http://docs.identityserver.io/en/release/topics/grant_types.html#hybrid

Thank you for considering this!

numaanashraf commented 6 years ago

@ilyabelkin We are looking into how we can support the Hybrid flow. We'll provide an update soon.

ilyabelkin commented 6 years ago

@numaanashraf Thank you, looking forward to news on this!

chrisdeso commented 6 years ago

Friendly bump :)

bartdk-be commented 5 years ago

Would like to request new tokens during our newman tests. Any timeframe on this one? Bump :)

bhowley commented 5 years ago

bump :)

bartdk-be commented 5 years ago

@kamalaknn: Any idea how we can automate the token retrieval? It's working fine using the user interface, but we are unable to use this, since the token will expire every n minutes. Would be great to have a solution / workaround. Thanks!

cowlinb6 commented 5 years ago

Any update on this?

redplane commented 5 years ago

Any updates?

kvskranthikumar commented 5 years ago

I am looking for Hybrid support, any updates on this?

gabrieligbastos commented 5 years ago

+1

markm77 commented 5 years ago

Hi there,

I am interested in hybrid flow in relation to testing of UK Open Banking whose security profile is defined here: https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2

Basically I am hopeful the implementation of hybrid flow will (a) support the use of a request object (https://openid.net/specs/openid-connect-core-1_0.html#RequestObject ) which the user supplies, (b) support the use of a nonce and (c) support response_mode of form_post in addition to fragment.

I am happy to test any implementation to see how it works with UK Open Banking.

See below for an example hybrid flow auth URL.

BR, Mark

https://examplebank.co.uk:4101/auth?response_type=code%20id_token&response_mode=fragment&client_id=xxx&redirect_uri=https://examplefintech.co.uk/api1/oauth2/callback-rmf&scope=openid%20accounts&request=xxxx&nonce=xxx&state=xxx

johnmarksilly commented 5 years ago

I want to also add that the response_type should be customizable. For instance, our ID2 server only supports response types of token id_token and token access_token which is fully available in a client like Insomnia. It would be useful to define what property to search for when Postman is looking for the access token.

edveri commented 4 years ago

The ability to set response_type would be very useful. In my case I need to make a request with response_type=id_token token, however it seems I am not able to do that in Postman.

mrtarkhan commented 4 years ago

any update for hybrid flow?

brentminder commented 4 years ago

What is everyone else using in the meantime for hybrid flows? This thread is 3.5 years old.

mgh9 commented 4 years ago

any updates?

jorgifumi commented 3 years ago

also interested in this feature

DCCoder90 commented 3 years ago

Just wanted to add another bump. I know this issue is almost 5yrs old but it would be a nice addition to Postman.

chungonion commented 3 years ago

bump +1. Still pretty nice if it is supported.

omarpiani commented 3 years ago

+1 👎

Amasaabu commented 1 year ago

Anyone found an alternative to this? Really interested in this feature also

kedigby commented 1 year ago

Would also like this feature

abhijeetborole commented 1 year ago

This is available under the Advanced section under OAuth 2.0. With these changes, you can now add params to the headers, body and URL for token and refresh requests. You can also add query params to the auth request.

You can override the response_type/grant_type/other standard params by adding them to the Auth Request section here.

[screenshot]