postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

OAuth2 Authorization Code Callback URL matching incorrectly #7105

Open wjans opened 5 years ago

wjans commented 5 years ago

Describe the bug When using the OAuth2 authorization code flow in a scenario where the callback URL resides in the same domain as the authorization and token endpoints, Postman seems to intercept the authorization code too early in the authorization flow, i.e. from redirects to other URLs that also contain a code request param but do not match the specified callback URL. (See additional context below.)

To Reproduce Steps to reproduce the behavior:

  1. Go to Authorization tab
  2. Select OAuth2
  3. Select Authorization code grant type
  4. Set Callback URL / Auth URL / Access Token URL to URLs within the same domain
  5. Request an access token

Expected behavior An access token should be retrieved

Screenshots: [screenshot attached in the original issue, not reproduced here]

App information (please complete the following information):

Additional context The authorization server in our case supports third party logins. This causes additional OAuth2 redirects to happen also containing a code request param.

When specifying a completely different callback URL it seems to work.

ilyhacker commented 5 years ago

I also had this problem since version 7.3.4 on Windows. It works fine on version 7.2.2. When I request an access token from forge.autodesk.com, it works fine for type "Implicit", but fails for type "authorization code".

xk0der commented 4 years ago

A user reported this via support channel and this issue is hampering their API testing. I have updated internal tickets with more details.

fleboulch commented 4 years ago

This is quite an annoying bug. It cost me a day of debugging to understand what goes wrong.
Is it planned to be fixed in a future release or not?

travisroyal-smithtech commented 4 years ago

Encountered this issue on v7.25.0 win32 10 / x64 using grant type of auth code. Workaround: using a loopback IP address for the callback URL. (Auth server and app service running on localhost.)

BrendanBall commented 2 years ago

I'm experiencing this on Postman 9.7.1 on Linux. Postman sends an undefined code when exchanging for a token, even though the callback URL https://oauth.pstmn.io/v1/callback contains a code parameter.

PeterBurner commented 1 year ago

This is still very much an issue.

I am developing against a company auth provider which does multiple redirects before targeting the callback URL, one of which also includes a code query parameter. Postman always takes that wrong value and stops following redirects. Using a loopback IP address for the callback URL is not an option since the auth provider enforces a specific URL. Postman should always follow redirects until the location header matches the callback URL!

For everyone who encounters this problem in the future: since this issue does not seem to have priority for the Postman maintainers, you might want to take a look at Insomnia. It's working there.
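The two behaviours contrasted in this thread, the "first redirect carrying a `code` parameter wins" logic the original report describes and the "follow redirects until the Location matches the registered callback URL" rule PeterBurner asks for, side by side as an added Python example. This is illustrative code written for this page, not Postman's own implementation; the redirect chain, hostnames, paths and code values are constructed to mirror the same-domain third-party-login scenario from the issue.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed redirect chain (not captured from any real provider): the
# authorization server bounces through a third-party login step on the SAME
# domain as the callback, and those intermediate hops also carry a `code`
# query parameter before the final redirect to the registered callback URL.
REDIRECT_CHAIN = [
    "https://auth.example.com/oauth2/authorize?client_id=demo"
    "&redirect_uri=https%3A%2F%2Fauth.example.com%2Fapp%2Fcallback&response_type=code",
    "https://auth.example.com/thirdparty/login?code=idp-intermediate-code&state=xyz",
    "https://auth.example.com/thirdparty/return?code=idp-second-hop&state=xyz",
    "https://auth.example.com/app/callback?code=FINAL-AUTHZ-CODE&state=xyz",
]

# The callback URL the client registered with the authorization server (constructed).
CALLBACK_URL = "https://auth.example.com/app/callback"


def naive_extract_code(chain):
    """Behaviour the issue reports: stop at the first redirect whose query
    string contains a `code` parameter, regardless of which URL it is.
    With a same-domain login hop this returns the intermediate code, and the
    later token exchange then fails."""
    for url in chain:
        params = parse_qs(urlsplit(url).query)
        if "code" in params:
            return params["code"][0]
    return None


def is_callback(url, callback_url):
    """Exact match of scheme, host, port and path against the registered
    callback URL. Only the query string may differ, because that is where the
    authorization response (code/state, or error) is delivered."""
    got, want = urlsplit(url), urlsplit(callback_url)
    return (
        got.scheme.lower() == want.scheme.lower()
        and got.hostname == want.hostname   # .hostname is already lower-cased
        and got.port == want.port           # None == None when no explicit port
        and got.path == want.path           # no prefix or substring matching
    )


def extract_code_at_callback(chain, callback_url):
    """Walk the redirect chain and read `code` only from the hop that matches
    the registered callback URL. Returns None if the chain never reaches the
    callback, or if the callback was reached without a code (e.g. an error
    response such as error=access_denied)."""
    for url in chain:
        if is_callback(url, callback_url):
            params = parse_qs(urlsplit(url).query)
            return params.get("code", [None])[0]
    return None


if __name__ == "__main__":
    print("naive :", naive_extract_code(REDIRECT_CHAIN))
    print("strict:", extract_code_at_callback(REDIRECT_CHAIN, CALLBACK_URL))
```

Run stand-alone, the naive extractor stops at the `thirdparty/login` hop and returns `idp-intermediate-code`, which is exactly the wrong value the reporters see being sent to the token endpoint; the strict extractor ignores every hop whose scheme, host, port and path do not equal the registered callback and returns `FINAL-AUTHZ-CODE` from the last redirect. Comparing the full URL components rather than searching for a `code` key is also what keeps the client from being confused by any other same-domain page that happens to use a parameter named `code`.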

giridharvc7 commented 1 year ago

@PeterBurner Can you share some details of this Auth provider, this will help us debug the issue.

PeterBurner commented 1 year ago

sent you a pm