Open wjans opened 5 years ago
I also had this problem since version 7.3.4 on Windows. It works fine on version 7.2.2. When I request an access token from forge.autodesk.com, it works fine for type "Implicit", but fails for type "authorization code".
A user reported this via support channel and this issue is hampering their API testing. I have updated internal tickets with more details.
This is quite an annoying bug. It cost me a day of debugging to understand what goes wrong.
Is it planned to be fixed in a future release or not?
Encountered this issue on v7.25.0 win32 10 / x64 using grant type of auth code. Workaround: using loopback IP address for callback URL. (Auth server and app service running on localhost.)
I'm experiencing this on Postman 9.7.1 on Linux. Postman sends an undefined code when exchanging for a token, even though the callback URL https://oauth.pstmn.io/v1/callback contains a code parameter.
This is still very much an issue.
I am developing against a company auth provider which does multiple redirects before targeting the callback URL, one of which also includes a code query parameter. Postman always takes that wrong value and stops following redirects.
Using a loopback IP address for callback URL is not an option since the auth provider enforces a specific URL.
Postman should always follow redirects until the location header matches the callback URL!
For everyone who encounters this problem in the future: Since this issue does not seem to have priority for the Postman maintainers, you might want to take a look at Insomnia. It's working there.
@PeterBurner Can you share some details of this auth provider? This will help us debug the issue.
Sent you a PM.
Describe the bug: When using the OAuth2 authorization code flow in a scenario where the callback URL resides in the same domain as the authorization and token endpoints, Postman seems to intercept the authorization code too early in the authorization flow, i.e. from redirects to other URLs containing a code request param as well, but not matching the specified callback URL. (See additional context below.)
To Reproduce Steps to reproduce the behavior:
Expected behavior An access token should be retrieved
Screenshots
App information (please complete the following information):
Additional context: The authorization server in our case supports third party logins. This causes additional OAuth2 redirects to happen also containing a code request param. When specifying a completely different callback URL it seems to work.
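
The failure described in this report, shown as an added example that is not part of the original issue and is not Postman's code: a client that takes the first `code` it sees in a redirect chain picks up the third-party login's code, while one that waits for the configured callback URL gets the right one. All URLs, values and function names are constructed, and the `state` check is an assumption based on standard OAuth2 practice.

```javascript
// Added example (hypothetical names; not Postman's implementation).
const REDIRECT_URI = "https://auth.example.test/app/callback"; // constructed

// Constructed redirect chain: the third-party login hop carries its own `code`
// and lives on the same domain as the callback, as in the report.
const CHAIN = [
  "https://auth.example.test/authorize?client_id=demo&state=s1",
  "https://idp.example.test/login?state=x9",
  "https://auth.example.test/federation/return?code=IDP-CODE&state=x9",
  "https://auth.example.test/app/callback?code=APP-CODE&state=s1",
];

// Behaviour described in the report: stop at the first `code` seen anywhere.
function firstCodeSeen(chain) {
  for (const hop of chain) {
    const code = new URL(hop).searchParams.get("code");
    if (code) return code;
  }
  return null;
}

// True only when scheme, host, port and path equal the registered redirect URI.
function isCallback(hop, redirectUri) {
  const a = new URL(hop);
  const b = new URL(redirectUri);
  return a.origin === b.origin && a.pathname === b.pathname;
}

// Keep following redirects until the callback is reached, then verify `state`
// before accepting the code.
function codeAtCallback(chain, redirectUri, expectedState) {
  for (const hop of chain) {
    if (!isCallback(hop, redirectUri)) continue; // ignore intermediate codes
    const q = new URL(hop).searchParams;
    if (q.get("state") !== expectedState) throw new Error("state mismatch");
    return q.get("code");
  }
  return null; // callback never reached: no code to exchange
}

console.log(firstCodeSeen(CHAIN), codeAtCallback(CHAIN, REDIRECT_URI, "s1"));
```

Exchanging the intermediate value at the token endpoint fails because it was issued by a different authorization step, which matches the "access token is never retrieved" symptom.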