OAuth2 id_token in Authorization header 4.0.2 #1854
Comments
|
I agree! |
|
Yes, @Wanaco, we're working on a fix for this and will try to push it out soon. |
|
@Wanaco @joshboley We've pushed updates to the OAuth2 flow in the latest version (4.4.1) that should fix this. |
|
I am currently using Postman 4.10.5 I get a correct id_token but I cannot seem to add it to the request. It only gives me a "Use Token" button when I click on the retrieved token. This will only allow access to the authorization token and not the id_token. |
|
Version 4.10.7 here. Same issue. |
|
@abhijitkane This was addressed over a year ago and doesn't seem to be fixed. Are you guys still planning on fixing this? |
|
@Dismissile We're planning on major auth improvements in the near term, this will be a part of that. You can follow our product roadmap for consistent updates :) In any case, I'll let you guys know here when a fix lands on stable. |
|
Is it possible to access the token using a Pre-Request script? It’s a huge pain to have to copy the value directly.
From: Siddhant Sinha [mailto:notifications@github.com]
Sent: Wednesday, August 2, 2017 7:59 AM
To: postmanlabs/postman-app-support <postman-app-support@noreply.github.com>
Cc: Travis Ellis <travisellis@deliveron.com>; Mention <mention@noreply.github.com>
Subject: Re: [postmanlabs/postman-app-support] OAuth2 id_token in Authorization header 4.0.2 (#1854)
@Dismissile<https://github.com/dismissile> We're planning on major auth improvements in the near term, this will be a part of that. You can follow our product roadmap<https://trello.com/b/4N7PnHAz/postman-roadmap-for-developers> for consistent updates :)
In any case, I'll let you guys know here when a fix lands on stable.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#1854 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AJ-Epu1PYh77HfDXrrdw-_4fwL39CbVUks5sUHKDgaJpZM4HwFE_>.
|
|
@Dismissile If you save the token to an environment variable, you can access it in the pre-request and test scripts. |
|
@madebysid, can you please describe how we do that in "Get New Access Token" dialog? |
|
Any updates on this? |
|
I’m also facing challenges with this issue - the Oauth2 authorization option is correctly retrieving both ID and access tokens from AWS Cognito, but I don’t have any option to choose which is used to authenticate, which means constant “unauthorized” errors. Any updates on a fix? Any workarounds in the interim (assuming we can’t control the tokens returned by the endpoint)? |
|
Same problem for me using AWS Cognito. It would be nice if there was a setting somewhere to allow me to indicate what token to use. Currently I have to copy the id token out of the payload and switch the auth to bearer token and paste it in. This is frustrating because it doesnt support the refresh token so I can only use the endpoint for an hour before I have to go through the auth again to get a new token. |
|
Duplicate of #492 |
|
Any update? |
|
This problem is back, evident with v7.16.1 |
|
Is there a resolution to this issue? I was hoping to use PostMan for automated testing; however, given the fact that the issue with trying to use id_token has been around for literally YEARS I have to conclude that this might not be the best tool for my company to continue using. |
|
The comments in the issue (#6987) clarified some concepts for me, Postman seems to do the right thing: |
|
Follow up? |
and others
When my team uses the OAuth2 flow to get a token, our oauth provider return both an access_token and and id_token. As of version 3.2.20, the id_token would show up in the Postman UI and we could select it and add it to an environment variable easily that would be passed in the Authorization header. On Friday, some team members were auto-upgraded to 4.0.2. After this upgrade, the only options we have in the UI are to add the token to the header or add the token to the URL. This issue with this is that we need the id_token added to the header, but Postman seems to only support adding the access_token to the header. Therefore, the only way for us to use Postman with oauth2 is to use the dev tools to inspect the returned request and copy and paste the id_token into the header and/or an environment variable. So, am I missing some feature that would allow us to do this without using dev tools or was this feature removed at some point along the way? If it was removed, it would be nice to have a third radio button that would allow you to see the tokens returned without using dev tools. Here's a screenshot of how it looked in 3.2.20 when a token was returned. Thanks so much.
The text was updated successfully, but these errors were encountered: