
Feature Request: Support OAuth2/OIDC #337

Closed
x2764tech opened this issue Nov 25, 2019 · 2 comments · Fixed by #476
Labels: discussion (Talking over coding), feature (New feature or request), good first issue (Good for newcomers), help wanted (Extra attention is needed)

Comments

@x2764tech

Is your feature request related to a problem? Please describe.
Currently, Postwoman supports Bearer Token authentication, but the process of obtaining a token for OAuth2 is non-trivial for any real-life APIs.

Describe the solution you'd like
In an ideal world, Postwoman would support OIDC for endpoint discovery, and Code Grant Types with PKCE (sorry, I'm not 100% sure on the correct terminology as different providers end up relabelling these - see KeyCloak and IdentityServer4 for examples). It would also be great if there was support for Refresh Tokens, and JWT token introspection to support this.
The gold standard would probably also support OIDC Dynamic Client Registration, but I'm not sure how widely this is supported.
In addition, support for OIDC Front Channel Logout would be amazing.

At a minimum, OAuth2 authentication with Implicit Grants would support my use case (internal APIs), but will probably not support public APIs from Google or Facebook.

Describe alternatives you've considered
Postman has support for OAuth2 with Code, Password and Client Credential grant types, but it's annoying to use as:

  • Only the last settings are remembered, and so overwritten if you have to change them. If you're authenticating against different endpoints or with different credentials, this quickly becomes unmanageable.
  • It doesn't support Refresh Tokens out of the box, so, for real-life APIs, you're left manually refreshing tokens all the time.

Additional context

There are probably security implications of allowing Postwoman.io as a valid redirect_url for OAuth2 secured apps, but I don't really feel qualified to discuss this.

@liyasthomas liyasthomas added feature New feature or request help wanted Extra attention is needed discussion Talking over coding labels Nov 25, 2019
@liyasthomas (Member)

Will discuss its implementations and let you know.

@liyasthomas liyasthomas added the good first issue Good for newcomers label Dec 4, 2019
@reefqi037 (Contributor)

Hi 👋 I would like to help with this issue.

Currently, I'm trying to implement additional features to help the process of getting OAuth2 Access Token directly from Postwoman.

There are 4 types of OAuth 2.0 flows to retrieve an Access Token, but since Postwoman is a web-based SPA, the recommended way in terms of security is the Authorization Code Grant Flow with PKCE.

Therefore, Postwoman should support only this grant type for the time being (other grant types can be considered once the native version is released).

Additionally, users have to register https://postwoman.io (or http://localhost:3000/) as the callback URL in the Auth Server beforehand (which is a bit troublesome for some users, though...).

Finally, here are some of the features that I am trying to add too:

  1. Automatic configuration using OpenID Connect Discovery (support manual configuration too). ✅
  2. Access token management (reuse access tokens or delete them)
  3. Access token request management (reuse token request endpoints or delete them)
