Closed seppestas closed 1 year ago
Hi @giridharvc7, any updates on when this is going to be available?
Thanks.
@giridharvc7 friendly bump for an update!
Sorry folks this is getting delayed - we will keep you posted.
Dog pile. Feels like 8 years on the books is a tad long. The most frustrating (and most important) thing working with APIs is the security part it seems.
I am really much missing this feature. Other products like Insomnia are supporting this feature and it feels so out of world that I need to hack it myself into prerequest scripts if I want this. Bummer. Some of my team colleagues already switched their go-to rest client because of these quality of life things and now we have a Zoo of tools. Wish this would be implemented soon.
WOW. This is a long awaited change and still the tool continues to become more complex in general and specifically for this type of use case.
It already takes weeks to get a good grip on how postman works and these sorts of use cases which have never really improved over years and years is hard to understand why they are not prioritized better.
@giridharvc7 Can you help us with some more insight on the reasoning to delay it?
I bump this again as it is a must have for today's clients.
How is it possible to have this not implemented after 6 years 😅 Promise after promise, but no results, gg. Insomnia it is for our team now 👍
@postman-support what's the statement from you why this isn't implemented yet? OAuth 2 is pretty much the most common authentication method and it sucks to manually retrieve an OAuth token every time or to have some miserably working pre-request script.
I just got some blowback from my team for trying to use the built in Oauth2 authorization scheme because of the lack of this feature.
Instead we have another request, straight to the Oauth server, that sets a $BEARER_TOKEN var. It's four clicks to run the Oauth request then the target request, versus six to get a new access token, use it, and finally fire the target request. I'd prefer two.
Sorry folks this is getting delayed - we will keep you posted.
@giridharvc7 - any idea on when or if this will ever be worked on? This would be a nice feature to have optionally - allowing you to allow auto refresh of Oauth tokens (I'd say the default should be a manual process for security and based on other's comments on this thread). But this thread is over 6 years old and there's no movement on getting this implemented into Postman.
I thought I must be blind for I couldn't find where to input the refresh_token URL in the Authorization pane. Turns out it's not implemented yet. A bit surprised, but I won't judge since I don't know the reason for the holdback. Still, our access token TTL is 5 minutes in production, it gets old pretty fast having to constantly get a new access token for every test. I will cheer when this is finally implemented.
I ended up implementing a pre-request script that issues a new token and keeps the refresh token. It's annoying as hell and a lot of code to handle something that should be an out of the box feature.
+1
+1
Thank you for being patient with us. OAuth 2.0 Token Refresh and Auto-Refresh will be available with Postman V10.6.
With these changes, any new tokens you generate can now be refreshed if you have a valid refresh_token. We've also added Auto Refresh. Once this is enabled, an expired token will be refreshed before sending a request automatically. Auto Refresh is currently available when you send a request, we will add support for runner soon.
Do let us know if you have any issues.
PS: Postman app v10.6 is being rolled out and will be available for everyone in a couple of days.
We have defined the authentication settings on the collection and all the requests inherit them. Unfortunately I cannot see any refresh option on the collection nor on the individual requests. (Running 10.6 already)
@bodograumann Could you generate a new token and try it out? The refresh option is available once you have a token with a valid refresh_token
OAuth2 returns a refresh token and I have just logged in again. Usually I would have to go to the collection, press "Get New Access Token", "Proceed" and "Use Token". I thought this would be unnecessary now with automatic token refresh, but I still get 401 when the token has expired.
@bodograumann Could you please share your exact version? (Settings -> About)
Sure. It is 10.6.0 installed via AUR
@bodograumann Could you confirm if you're using Scratch Pad? This is only available in workspaces right now, we'll add support for Scratch Pad and Runner in the future, keeping this ticket open for the same reason.
You could export from Scratch Pad and import this collection into a workspace to try this out.
Ah ok, then that is the reason. This is a scratch pad.
v10.6.x is now available on both the app and web versions of Postman. To update to the latest version, please close and reopen the app, or check postman settings (Settings -> Update) to get the latest version.
Keeping this ticket open as we are yet to release this for the Scratchpad, and Auto-refresh for Collection Runner. We hope you like these changes and, once again, thank you for your patience.
Thank you @giridharvc7 I have done some testing this afternoon and on the whole it works great! I especially like that the expiry is shown on the postman ui
One question is that although the access token has 5 minutes before expiry, Postman is refreshing it anyway. What is the margin of time before expiry that Postman is using to determine whether to refresh or not please? On a token that has 24 hours to expire this does not happen.
So happy to get this feature. Thank you all
@savage-alex We have a 5 minute buffer for auto refresh. Does this cause any issues while using auto refresh? We can tweak this accordingly.
Is there a way to also pass back the client_id, client_secret and redirect_uri on refreshing a token.
Only grant_type and refresh_token are passed in the body. Our API would like a few more details ;) Googling, it looks like other APIs also expect these other fields to be passed back too when refreshing.
It doesn't cause any issues. We only have 5 minute access tokens so it refreshes every time. Perhaps that's an improvement for the future to consider: letting the consumer set that value via config. I don't think many people have a 5 minute access token. Works a treat for us so far. Thank you again.
I feel the token expiration times should be taken into consideration. To my knowledge short expiration times are actually considered good practice. We are also using 5 minutes, but I don't think having something as short as 1 minute would be considered unreasonable.
For comparison, the keycloak js adapter refreshes tokens 5 seconds before their expiration by default: https://github.com/keycloak/keycloak/blob/main/adapters/oidc/js/src/keycloak.js#L611
This is great feedback @savage-alex @bodograumann. We'll keep you posted here on the updates on this. Once again, appreciate the feedback and keep them coming :)
@davequested currently we don't have this, I've created a Github ticket to track it here.
We've had similar requests on configuring the token request and auth request, but this is the first time we've heard of a configurable refresh request.
Will keep you posted on the ticket mentioned above.
Is there a way to set the URL for a refresh token? Several of the products I work with have different URLs for Authentication vs Refresh and the current refresh option in Postman fails. cURL below for example.
Authorization:
curl -X POST "https://{{URL}}/security/v1/oauth/token" -H "accept: application/json" -H "x-merchant-id: {{merchantID}}" -H "Authorization: Basic {{basicAuth}}" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code={{authCode}}&redirect_uri={{redirectURL}}"
Refresh:
curl -X POST "https://{{URL}}/security/v1/oauth/refresh" -H "accept: application/json" -H "Authorization: Basic {{basicAuth}}" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token={{refreshToken}}"
@orcandelf Currently the system uses the same token endpoint to refresh tokens. We will track this requirement under this ticket. Thank you for bringing it up.
What do I do in this case? Or is it not supported for Client credentials authentication type?
@tobiasfeil Can you go to the Manage tokens here and see if you have all the necessary fields to enable token refresh.
Ideally you should be seeing client id, client secret, refresh token etc.
If you don't, you might have to Get New Access Token.
Thank you for the quick reply. It doesn't show me a refresh token here. Maybe a particularity of our Auth flow.
Just a note: I am using it successfully with the client creds flow, which gets access and refresh tokens directly from the token endpoint. It just uses different grants.
@tobiasfeil Yeah, it might very much depend on the identity provider, grant types etc. If your /token endpoint returns a refresh_token, Postman would be able to refresh it for you.
OK, thank you for the clarification - I wasn't sure as I don't know much about the different types of identity providers. I'll switch to Insomnia for now then as it works out of the box without manually refreshing as frequently. Thanks for the effort!
@tobiasfeil Can you share details of this API if its possible? I'll try this out from my end to see if we've missed something
I'm sorry, it's an internal one. All I know is it's OAuth 2.0 with client credentials and doesn't show a refresh token for some reason. Neither does it return an identity token, only an access token.
Does it work if you send the offline_access scope?
@tobiasfeil It sounds like your authorization server is working correctly, the client credentials grant should not include a refresh token: https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3
Ideally, it would be nice if Postman requested an access token before each request if one was not currently available but that would be a separate feature request from this issue.
@giridharvc7 we are using Okta and looking at the documentation, it seems it also requires sending redirect_uri and scope: https://developer.okta.com/docs/guides/refresh-tokens/main/#use-a-refresh-token
http --form POST https://${yourOktaDomain}/oauth2/default/v1/token \
accept:application/json \
authorization:'Basic MG9hYmg3M...' \
cache-control:no-cache \
content-type:application/x-www-form-urlencoded \
grant_type=refresh_token \
redirect_uri=http://localhost:8080 \
scope=offline_access%20openid \
refresh_token=MIOf-U1zQbyfa3MUfJHhvnUqIut9ClH0xjlDXGJAyqo
Right now, I can see the following body and the failing response:
{"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}
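The requests quoted above (orcandelf's separate refresh URL, the extra client_id/client_secret/redirect_uri/scope fields, and the Okta invalid_client failure) share one shape: a refresh-token grant per RFC 6749 section 6 whose endpoint and parameters differ by provider. The following Node.js example is added here and is not Postman's, Okta's, or any commenter's code; it builds that request with a configurable refresh URL, client authentication either as an HTTP Basic header (RFC 6749 section 2.3.1) or as body parameters, and optional redirect_uri and scope, and it interprets the token endpoint's reply so that a refresh failure can be told apart from a client-configuration failure. Every URL, client id, secret and token in it is a constructed placeholder.

```javascript
// Added example, not Postman's own code. Builds an OAuth 2.0 refresh request
// (RFC 6749 section 6) and classifies the token endpoint's response.
// All endpoints and credentials are constructed placeholders.

function buildRefreshRequest(cfg) {
  // A client_credentials grant normally yields no refresh_token (RFC 6749 4.4.3):
  // in that case the caller must re-run the original grant instead of refreshing.
  if (!cfg.refreshToken) {
    throw new Error('no refresh_token available: re-run the original grant instead');
  }
  const params = new URLSearchParams();
  params.set('grant_type', 'refresh_token');
  params.set('refresh_token', cfg.refreshToken);
  // Optional parameters some providers require on refresh (e.g. the Okta docs above).
  if (cfg.scope) params.set('scope', cfg.scope);
  if (cfg.redirectUri) params.set('redirect_uri', cfg.redirectUri);

  const headers = {
    'Accept': 'application/json',
    'Content-Type': 'application/x-www-form-urlencoded',
  };
  if (cfg.clientAuth === 'basic') {
    // client_id:client_secret as HTTP Basic credentials (RFC 6749 2.3.1).
    const pair = `${encodeURIComponent(cfg.clientId)}:${encodeURIComponent(cfg.clientSecret)}`;
    headers['Authorization'] = `Basic ${Buffer.from(pair).toString('base64')}`;
  } else {
    // Credentials in the request body, which some servers expect on refresh.
    params.set('client_id', cfg.clientId);
    if (cfg.clientSecret) params.set('client_secret', cfg.clientSecret);
  }
  // Provider-specific headers such as the x-merchant-id header in the curl above.
  for (const [name, value] of Object.entries(cfg.extraHeaders || {})) headers[name] = value;

  return {
    method: 'POST',
    // Refresh may live at a different URL than the initial token grant.
    url: cfg.refreshUrl || cfg.tokenUrl,
    headers,
    body: params.toString(),
  };
}

// Classify the token endpoint's reply (RFC 6749 sections 5.1 and 5.2).
function interpretTokenResponse(status, json, previousRefreshToken) {
  if (status === 200 && json && typeof json.access_token === 'string') {
    return {
      ok: true,
      accessToken: json.access_token,
      // The server may rotate the refresh token; if it does not, keep the old one.
      refreshToken: json.refresh_token || previousRefreshToken || null,
      expiresIn: Number.isFinite(Number(json.expires_in)) ? Number(json.expires_in) : null,
    };
  }
  const error = (json && json.error) || 'unknown_error';
  return {
    ok: false,
    error,
    description: (json && json.error_description) || '',
    // invalid_grant: the refresh token is expired or revoked, the user must re-authorize.
    needsReauthorization: error === 'invalid_grant',
    // invalid_client: the client credentials were not accepted, fix the client config
    // (wrong secret, or credentials sent in the wrong place), retrying will not help.
    needsClientConfigFix: error === 'invalid_client',
  };
}

// Constructed usage: separate refresh endpoint, Basic client auth, Okta-style extras.
const exampleRequest = buildRefreshRequest({
  tokenUrl: 'https://idp.example.invalid/oauth/token',
  refreshUrl: 'https://idp.example.invalid/oauth/refresh',
  clientId: 'example-client-id',
  clientSecret: 'example-client-secret',
  clientAuth: 'basic',
  refreshToken: 'example-refresh-token',
  scope: 'offline_access openid',
  redirectUri: 'http://localhost:8080',
});

module.exports = { buildRefreshRequest, interpretTokenResponse, exampleRequest };
```

The body is form-encoded with URLSearchParams, so values containing spaces or reserved characters are escaped the way the token endpoint expects; sending the same credentials both as a Basic header and in the body is deliberately avoided, since some servers reject that as an authentication error.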
Please enable the same functionality for Monitors.
I have to set up a pre-request script for the collection to generate new access tokens, instead of using the current functionality of the Collection Authorization.
Thanks
@rga2 What grant type are you using currently? I'd love to know more about your use case, if possible, can we setup a call to explore more?
@giridharvc7 grant type is "password", I am currently using a modified solution from @demoran23.
Is it possible to save the access token to a collection variable?
Before this change to Postman I was copying the access token into a collection variable and running a collection Pre-Request Script to extract useful parameters (e.g. aud, sub) and store them in other collection variables.
We've extended and released support for token refresh to Scratchpad with update 10.9.x. Appreciate everyone's feedback and thank you for your patience 🙏
Feel free to open new tickets for any specific feature request you might have
@giridharvc7 any news regarding refresh token for Okta?
It would be very handy to have the Postman OAuth 2.0 authentication helper parse the expires_in field of OAuth 2.0 access tokens if it is available and provide some sort of flag to see whether a token has expired. It would be even more useful to have the option to refresh a token when the refresh_token of the access token is available. This would prevent a whole bunch of tokens with the same attributes from piling up in the "Existing Tokens" list when using an API that uses token expiry. These 2 features could be combined into a super useful message that shows up when a token expired and says something like "This token has expired. Refresh token?".