postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Get new oauth2 access code: CSRF session cookie gets stripped #8411

Closed msanguineti closed 3 years ago

msanguineti commented 4 years ago

Describe the bug
I am using Postman to request new access tokens from my authorization server. The authorization server has no problem issuing tokens to clients that implement well-known oauth2-client libraries. The problem is only with Postman.

The auth server is Hydra from a known German company called Ory. The server checks for a CSRF value set in a cookie.

What happens is that Postman brings up a browser window where I see the user login screen (initial step for the token request). After the user logs in, the browser (Postman-created browser window) closes immediately. I get an error in the console, and when I check the logs of the authorization server it says that no CSRF value is available in the session cookie.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Authorization tab'
  2. Select 'Oauth 2' from the type list
  3. Click on 'Get new access token'
  4. Compile the form
  5. Click 'Request Token'
  6. A small browser window appears with the login screen of the identity provider
  7. Insert credentials and click 'Login'
  8. The window shuts down immediately and an error appears in the console
  9. The error log of the auth server says "No CSRF value found in the session cookie"

Expected behavior
Being able to go through the entire access token request flow

App information (please complete the following information):
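The check the report describes, shown as an added illustration rather than Postman's or Hydra's own code: on the first hop to the authorization endpoint the server mints a CSRF token, keeps it against a login challenge, and hands the same value back as a cookie; when the browser returns from the login page, the cookie must still be present and must match, otherwise the flow is refused. The cookie name, the in-memory challenge table and the `run_flow` helper are assumptions made for this example; the `keep_cookies=False` path reproduces the "No CSRF value found in the session cookie" outcome that a cookie-stripping embedded browser would produce.

```python
import hmac
import secrets


class AuthorizationServer:
    """Constructed stand-in for an OAuth2 authorization server's CSRF check.
    Not Hydra's implementation; only the shape of the check is modelled."""

    COOKIE_NAME = "oauth2_authentication_csrf"  # assumed cookie name

    def __init__(self):
        # login_challenge -> CSRF token issued with that challenge
        self._pending = {}

    def authorize(self):
        """Step 1: client hits the authorization endpoint. The server issues a
        login challenge plus a CSRF token and returns the Set-Cookie the
        browser is expected to retain for the rest of the flow."""
        csrf = secrets.token_urlsafe(32)
        challenge = secrets.token_urlsafe(16)
        self._pending[challenge] = csrf
        return challenge, {self.COOKIE_NAME: csrf}

    def complete_login(self, challenge, cookies):
        """Step 2: browser comes back from the login page. The CSRF value in
        the cookie must exist and match the one stored for this challenge,
        which binds the callback to the request that started it."""
        expected = self._pending.get(challenge)
        if expected is None:
            return (False, "unknown login challenge")
        presented = cookies.get(self.COOKIE_NAME)
        if presented is None:
            return (False, "No CSRF value found in the session cookie")
        # constant-time comparison so the check itself leaks nothing
        if not hmac.compare_digest(presented, expected):
            return (False, "CSRF value mismatch")
        del self._pending[challenge]  # single use
        return (True, "authorization code issued")


def run_flow(keep_cookies):
    """Simulate one authorization-code round trip. keep_cookies=True models a
    browser that honours Set-Cookie; False models one that drops it."""
    server = AuthorizationServer()
    challenge, set_cookie = server.authorize()
    jar = dict(set_cookie) if keep_cookies else {}
    return server.complete_login(challenge, jar)


def run_forged_callback():
    """A callback carrying a cookie that was not issued for this challenge
    (constructed case) is also refused."""
    server = AuthorizationServer()
    challenge, _ = server.authorize()
    return server.complete_login(challenge, {server.COOKIE_NAME: "stale-or-foreign"})


if __name__ == "__main__":
    print(run_flow(keep_cookies=True))
    print(run_flow(keep_cookies=False))
    print(run_forged_callback())
```

The point for a client like Postman is that the embedded browser must carry the cookie set on the first hop through to the post-login redirect; if it is discarded in between, the server has no way to tell a legitimate return from a cross-site forgery and correctly refuses.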

msanguineti commented 3 years ago

This issue has been fixed now, I believe. v7.36.0 works flawlessly. Thanks for all your efforts.