New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auto update/refresh of OAuth2 access tokens #10112
Comments
It seems Insomnia has this feature Confirmed by brightcove |
Hi @chrisdeso : do you have any idea of ETA ? |
This is on our roadmap, will share ETAs soon. |
I am an Insomnia user and the lack of this feature is astonishing. Actually, I have found that this was causing some of my automated tests to fail due to this error. |
We also moved to the OAuth2 workflow. This feature would save us a huge amount of time each day! |
@giridharvc7 What's the ETA on getting an ETA? If you don't want to build the whole flow at least expose the stored values. |
We expect to get this out by Q4, this year :) |
@giridharvc7: do you have any news ? |
@giridharvc7: do you have any news ? |
@giridharvc7 Any updates on this issue? |
@semangard @JoanChirinos Really appreciate the patience folks. We are expecting some delay in getting this done. The tentative timeline is mid-March. We will share explicit timelines within the next 2-3 weeks. |
We have a pre-request script for access token refresh when using authcodeflow if anyone is interested |
@shubhbhargav : do you have any news ? |
@semangard This is definitely on our radar. We are planning to release the first set of changes by mid-April :fingers-crossed: :) |
do you mind posting it here? |
@joaquin-rossi, as requested. As below this was a mod from the lovely people at Box's postman collection. Props to them. I just modded it a little to fit my needs. It requires a refresh token to run but once you have that, it checks before each request if the access token is expired and if it is, then gets a new one.
To use it, setup the collection with OAuth2 auth code flow security and using postmans normal UI generate a new access token AND refresh token --< this is what it needs, then copy the refresh token into the environment variable and it will then hand that in to create a new access and refresh token pair. |
Your welcome to fork the public workspace if that's preferred https://www.postman.com/universal-escape-252485/workspace/oauth2-0-auth-code-flow-token-refresher |
Cool write up about Postman's current OAuth2.0 Implementation https://dev.to/oneadvanced/oauth-20-authorization-code-grant-with-postman-part-1-5238 |
Great setup Alex, |
@Smitzel is refresh grant enabled on the provider you are calling? |
Will check it, thanks |
Is there a new ETA available on this feature? |
Any news ? |
hey hey |
We have picked up this feature. We will post updates as we get closer to release. |
I have the same issue as RashaBadri. |
@RashaBadri @mike-loux-planview Could you verify that you've received a valid @mike-loux-planview The |
|
OK, it does require a refresh token, then. One of the comments I saw on the demo video seemed to imply that it didn't, and that it would just resend the original request to get a new token with the existing client creds. So that's my fault for misunderstanding. That being said, it would be really cool if Postman could do that as well. The app I'm using the most doesn't issue refresh tokens, and while I can write a pre-request script to check and get a new token if necessary, if I didn't have to, that would be a nice time-saver. |
That is not how OAuth usually works @mike-loux-planview . |
Oh well, it would have been nice. The implementation we use doesn't have a login page or a return address - this is purely for server-to-server REST requests. I'll just write the pre-request script (or just continue manually grabbing a new token when I need it, since I'm lazy). At least it is good to know that if I do come across implementations that have refresh tokens, it will be sorted. |
I don't know how or where Insomnia get the Can I help in some way? |
According to OAuth2 specifications, you will not get a refresh token if the grant type is Client Credentials. Then you just have to repeat the call to retrieve a new access token when yours is expired. |
Yup. Which is what I have done for about half of the API's I work with on a regular basis - pre-request script that checks a token's expiry, then gets a new token if needed. |
Why was this closed? This isn't implemented |
Problem
As recommanded by security best pratices,
our access tokens are <= 5 min
BUT this means each 5 min we have to get a new access token and ask postman to use the new one
Solution wished
Postman gets 2 tokens:
Postman should refresh automatically the access token thanks to the refresh token
Postman should use the latest access token retrieved by this mean
Alternative
Let the tokens and additional infos like 'expires_in' been available through var envs in order to script the refresh mecanism.
Additional wish
I do not see why I have to click on "Use token" if there is only one token available or not expired
The text was updated successfully, but these errors were encountered: