Closed garthk closed 1 year ago
@garthk I am wondering if you found another solution?
@a85 any update on this feature request?
@okonon Not yet but we have another round of updates planned for OAuth 2 pretty soon.
Hi @a85 any news?
I would also like to use this feature to generate an access_token from Auth0.
I managed to work around this by adding the query string directly to the Auth URL, e.g.: https://foo.auth0.com/authorize?audience=https%3A%2F%2Fapi.foo.com%2F
@9horses Tried that but getting an error: `Non-global clients are not allowed access to APIv1`. It seems the `audience` field needs to be part of the body instead of the query parameters to have it be read on the Auth0 side.
@a85 any updates on when this feature will be built and released?
Strange that Postman still doesn't support audience. I can't use Postman with some APIs due to needing audience.
any updates here?
+1 auth0 API debugging is impossible without audience field, adding it to the URL does not work sadly
@ramanbuttar I can confirm adding audience to the URL does work. I don't think it's ideal, but it works. I'm writing a guide for Auth0 and Postman right now, and I'll cover the missing audience value in the guide.
Checked this and could not get this to work using the client credential options.
Is there a workaround to support auth0 authentication?
The workaround we use is to have the first test in our collection make a POST request to Auth0 and save the returned authenticated token as a global variable to be used by the rest of the tests in the same collection.
Over a year and a half and still waiting on this one. The audience querystring param does not work with client_credentials grant - it must be in the body. We consider the postman application to be a client, so this grant type is more ideal than the others.
Same problem here 🙋♂️
Please support this, this is a bug not a feature. client-cred-grant simply doesn't work without it.
Yep, it's such a fail for Postman and just a tiny little field that needs to be added ...
For enterprise level OAuth 2.0 authentication, specifying an audience is a must-have. This should definitely be supported in Postman.
I wasted some hours trying to get a token by this grant type. Could you please fix this bug?
As several people have written, adding the audience as a query string parameter to the Auth URL does indeed work (with Send client credentials in body). It would, however, probably be more user friendly to make this functionality more obvious. I would suggest something like an optional Audience parameter in the GET NEW ACCESS TOKEN window.
No. This definitely does not work with Auth0 when using the `client_credentials` grant type. The `audience` field must be in the body, not the query string.
I tried the client_creds flow with Azure AADv2 (Microsoft Identity Platform) and could see that the JWT does not have an audience and the request to the resource URL fails. Great if support to add the audience is added.
Client Credentials grant in Postman does not support specifying audience. My ASP.NET Core WebAPI is rejecting the resulting token with 401 because the audience is not set properly. In my case, the audience has to be the Azure AD App ID URL. Passing through query string doesn't work.
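Working code for the point made in the last few comments, added here as an example and not taken from this thread, from Postman or from Auth0: the `audience` travels in the JSON body of the `client_credentials` token request (not in the URL), and the `aud` claim inside the returned JWT is what a resource server compares against its configured audience before answering 401. It runs under Node.js; the endpoint, client id, secret, audience and the token it builds are constructed sample values, and the signature on the sample token is a placeholder, so nothing here verifies signatures.

```javascript
// Added example (constructed values throughout; not Postman's or Auth0's code).
// Part 1: build a client_credentials token request with the audience in the body.
// Part 2: decode the returned JWT's payload and check its `aud` and `exp` claims,
//         which is the quickest way to diagnose a 401 from the resource server.

// The audience is carried in the JSON body; appending it to the token URL as a
// query string is exactly the trick that does not work for this grant type.
function buildTokenRequest(tokenEndpoint, { clientId, clientSecret, audience }) {
  return {
    url: tokenEndpoint,                 // no ?audience=... here
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience,
    }),
  };
}

// base64url helpers (RFC 4648 section 5): JWT segments are not plain base64 or JSON.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Decode the payload segment of a compact JWS without verifying the signature.
// Diagnostic use only: the resource server is the party that must verify it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// True when the token names `expectedAudience` in `aud` (a string or an array of
// strings, RFC 7519 section 4.1.3) and has not expired at `nowSeconds`.
function tokenIsUsableFor(token, expectedAudience, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.includes(expectedAudience)
    && typeof claims.exp === 'number' && claims.exp > nowSeconds;
}

// Constructed sample token: genuine header/payload encoding, placeholder signature.
function makeSampleToken(claims) {
  return `${b64urlEncode({ alg: 'RS256', typ: 'JWT' })}.${b64urlEncode(claims)}.sig-placeholder`;
}

// Walk-through with constructed values (hypothetical tenant and API identifiers).
const API_AUDIENCE = 'https://api.example.test/';
const request = buildTokenRequest('https://tenant.example.test/oauth/token', {
  clientId: 'sample-client-id', clientSecret: 'sample-client-secret', audience: API_AUDIENCE,
});
// A token whose `aud` names some other service is what the API rejects with 401,
// no matter how valid the signature is.
const wrongToken = makeSampleToken({ aud: 'https://tenant.example.test/other-service', exp: 4102444800 });
const rightToken = makeSampleToken({ aud: API_AUDIENCE, exp: 4102444800 });
console.log('audience in body:', JSON.parse(request.body).audience);
console.log('wrong aud usable:', tokenIsUsableFor(wrongToken, API_AUDIENCE));
console.log('right aud usable:', tokenIsUsableFor(rightToken, API_AUDIENCE));
```

The decode step is deliberately signature-free because it answers a different question than verification: "did the issuer mint this token for my API?" is visible in `aud` before any key material is involved, and checking it client-side turns a bare 401 into an actionable configuration error.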
Should I send a pull request for this?
In case it matters, I can tell you not fixing this bug is costing you money. My company is currently paying for Insomnia (~40 users), but we want to switch to Postman Pro. During a recent hackathon, two team members ported all of our collections from Insomnia to Postman, and we're ready to pull the trigger on the switch. However, this bug is a blocker for us. Client Credentials grants work flawlessly in Insomnia, and not at all (using Auth0) in Postman.
+1 Please add this! I was looking forward to using the OAuth2 auth feature but also need to provide an audience.
In the same boat. Using `client_credentials` grant type without an audience option gives me `Non-global clients are not allowed access to APIv1` errors. The query-string trick doesn't work for `client_credentials` grant type unfortunately. It would be great if an audience box was added.
Any update on this? Adding audience to the URL indeed doesn't work for grant type client_credentials.
Lack of `audience` support in the body of OAuth2 requests makes Postman next to impossible to use without workarounds.
All it would take, as far as I can tell, is ONE extra field in the access token form for Client credentials. And I have to say that I'm not sure what is worse here: the missing audience field, the time since anyone from the team has commented on this issue, or the fact that it recently was moved to "Later" without even a comment. Somebody had to say it :)
I've created this script in the collection pre-request script to work around this issue:

```javascript
const moment = require('moment');

// Decode the JWT payload (second dot-separated segment). It is base64url-encoded,
// so it must be decoded before JSON.parse; Buffer is available in the Postman sandbox.
const decodeJwtPayload = (token) => {
    const payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
};

const getOAuthToken = () => {
    pm.sendRequest({
        url: pm.environment.get("oauth_endpoint"),
        method: "POST",
        header: "Content-Type:application/json",
        body: {
            mode: "raw",
            // audience goes in the body, which the built-in OAuth2 helper cannot do
            raw: JSON.stringify({
                audience: pm.environment.get("oauth_audience"),
                grant_type: pm.environment.get("oauth_grant"),
                client_id: pm.environment.get("oauth_client_id"),
                client_secret: pm.environment.get("oauth_client_secret")
            })
        }
    }, (error, response) => {
        if (error) {
            console.log(error);
        } else {
            const json = response.json();
            pm.environment.set("access_token", json.access_token);
        }
    });
}

// Request a new token only when the cached one has expired
const accessTokenData = decodeJwtPayload(pm.environment.get("access_token"));
if (moment.unix(accessTokenData.exp).isSameOrBefore(moment(), 'second')) {
    getOAuthToken();
}
```
@juslintek Thanks. I made a few modifications to this to suit my needs:
```javascript
const moment = require('moment');

// Decode the JWT payload (second dot-separated segment). It is base64url-encoded,
// so it must be decoded before JSON.parse; Buffer is available in the Postman sandbox.
const decodeJwtPayload = (token) => {
    const payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
};

const getOAuthToken = () => {
    // The POST Request object; all settings come from collection variables
    const req = {
        url: pm.collectionVariables.get("oauth_endpoint"),
        method: "POST",
        header: "Content-Type:application/json",
        body: {
            mode: "raw",
            raw: JSON.stringify({
                audience: pm.collectionVariables.get("oauth_audience"),
                grant_type: pm.collectionVariables.get("oauth_grant"),
                client_id: pm.collectionVariables.get("oauth_client_id"),
                client_secret: pm.collectionVariables.get("oauth_client_secret")
            })
        }
    };
    pm.sendRequest(req, (error, response) => {
        if (error) {
            console.log(error);
        } else {
            pm.environment.set("access_token", response.json().access_token);
        }
    });
}

// Fetch a token when none is cached yet, or when the cached one has expired
if (pm.environment.get("access_token") === undefined) {
    getOAuthToken();
} else {
    const accessTokenData = decodeJwtPayload(pm.environment.get("access_token"));
    if (moment.unix(accessTokenData.exp).isSameOrBefore(moment(), 'second')) {
        getOAuthToken();
    }
}
```
This way I can add the variables to the collection variables scope. I also want to mention to others that the way you use this is by adding a special header to your request:
@lazee, you do not need that header (the OAuth2 method will do it for you); it adds limitations to how dynamically this can be used. You can just select the Authorization method OAuth2 and enter the `{{access_token}}` variable in the input field for the collection/folder, like below; all requests/folders will inherit it. :-) And it will never throw an error unless authentication fails, that token is missing because the script runs before the request, and OAuth is executed only after the script runs and the global variable is set.
@juslintek Ah, good point. Thanks.
Are they really not going to make this simple fix?
Adding `audience` to the Auth URL didn't work for me, but `resource` did:
`https://login.microsoftonline.com/<tenantId>/oauth2/authorize?resource=<resourceId>`
Either way, would really love for this to be a parameter!
If you move on to using the v2.0 endpoint, then you wouldn't need to specify the `resource` parameter; instead you'd go with `scope`.
Quote from MS docs:
> A `scope` value of `https://graph.microsoft.com/.default` is functionally the same as the v1.0 endpoint's `resource=https://graph.microsoft.com` - namely, it requests a token with the scopes on Microsoft Graph that the application has registered for in the Azure portal.
How is this not a feature of Postman yet?
Wow, such a disappointment to find this thread and how this issue hasn't been resolved for so long. Is implementing this feature really so hard that two years later it's still not? I doubt it. If you could implement this feature... That'd be great..
This feature should not be hard to add to the token request; it has been requested for 3 years. Why?
And still there is nothing :( Postman is focused on fancy stuff, supporting "enterprise" use cases is not "fancy", so we are left hanging.
Time to consider a switch to something else.
Does anyone have a better alternative to Postman? :)
Based on their 3 year lack of response? Pretty much anything is better than Postman. We bailed ages ago.
-- Christopher
+1 on a fix. This is a standard for OAuth.
I need this too! Shocked to see it's a blocker for me now as well. Give the people what they want!
+1 needed for Auth0 test runs
Let's push them a bit in the public?
RT https://twitter.com/teohm/status/1375943246669443072
We are working on this, and this will be available soon!
@giridharvc7 Are you going to explain why it's taken you 3 years to respond to this simple request?
More importantly: ETA :)
@esbenbach It will be available with the next Postman App release (8.3, currently scheduled for 19th April), and before that on Postman web (web.postman.co).
My OAUTH2 provider's access token URL `/oauth/token` needs an `audience` when `grant_type` is `client_credentials`. Postman can't provide one.

Workaround: add a request for your authentication endpoint, with a test to save the token as a global variable. Caveat: leaks your access token to Postman.