OAuth2 Client Credentials: Support sending client_id and client_secret in body #2296
Comments
I noticed this too. They are actually sent in the |
Agreed. Using:
Azure AD expects those parameters as part of the body: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-oauth-client-creds Postman is sending them encrypted as a Basic Authorization header, so Azure AD is returning an Unauthorized response. |
I'm also having this issue with Postman and Azure. I can manually use Postman to request a token - then copy & paste it, but that's clumsy. |
We're looking into a more customizable auth helper, which should help you guys out. Will keep you updated of its progress. |
OK. Will be much appreciated. |
Azure is implementing OAuth 2.0 wrong.
I would file a bug with Azure. There is no reason Azure should not be respecting the OAuth 2.0 spec. Related: #1360 |
I will ask the AAD team about this. In the meantime, you can use this approach: http://blog.jongallant.com/2017/03/azure-active-directory-access-tokens-postman/ |
@neverendingqs I can't quite get why you say Azure is implementing it wrong. In the very same link you provided it clearly says:
Seems to me that sending client_id and client_secret in the request body is correct, no? In your comment, you quoted a text that said it was NOT RECOMMENDED but that doesn't mean it is wrong. |
@aldav82 - my take is that HTTP Basic authentication scheme must be supported, even if using the client credentials in the request body is also supported. The "alternatively" is making me rethink though. At its natural reading, it seems to override the MUST in the previous paragraph. It's strange to use MUST instead of RECOMMENDED though if an alternate is possible... |
Guys, any idea when this is getting fixed? I notice the client_id and client_secret are also not being passed as body form. |
This is in our roadmap for Postman 5.3 (will be released around next week). Marking this as a |
I'm using Postman for Chrome version 5.5.2, OAuth2 Authorization, I do not see the "Client Authentication" drop-down in the "Get New Access Token" dialog box. Instead, I see the following fields in the dialog box: Callback URL, Token Name, Auth URL, Access Token URL, Client ID, Client Secret, Scope, Grant Type and a checkbox for "Request access token locally". Is there another way of specifying to send client credentials in body, other than from this dialog box? Why is the option missing? Thanks. Pat B. |
@querylife This is available only on our native apps. You can download them from https://www.getpostman.com/apps |
https://s18.postimg.org/evzrjs0yh/Screen_Shot_2016_08_30_at_09_32_25.png
https://s18.postimg.org/sqy228vdl/Screen_Shot_2016_08_30_at_09_32_37.png
You can see in the second screenshot that no client_id and client_credentials were sent at all
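
The two request shapes this thread is about (credentials in the HTTP Basic header versus credentials in the form body, RFC 6749 section 2.3.1), as an added example that is not part of the original issue or Postman's own code. It assumes Node.js; the function names, token URL and credentials are hypothetical, constructed values.

```javascript
// Added example: the two client-authentication shapes for an OAuth 2.0
// client_credentials token request (RFC 6749 section 2.3.1).
// All names and values below are constructed placeholders.

// application/x-www-form-urlencoded encoding of a single value.
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}

// clientAuth: "basic" -> credentials in the Authorization header
//             "body"  -> credentials as form fields in the request body
function buildTokenRequest({ tokenUrl, clientId, clientSecret, scope, clientAuth }) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const form = new URLSearchParams({ grant_type: "client_credentials" });
  if (scope) form.set("scope", scope);

  if (clientAuth === "basic") {
    // RFC 6749 2.3.1: form-encode id and secret first, then base64 the pair.
    // Base64 is an encoding, not encryption: only TLS protects the secret.
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = "Basic " + Buffer.from(pair, "utf8").toString("base64");
  } else if (clientAuth === "body") {
    form.set("client_id", clientId);
    form.set("client_secret", clientSecret);
  } else {
    throw new Error(`unknown clientAuth: ${clientAuth}`);
  }
  // Never both: RFC 6749 2.3 forbids more than one auth method per request.
  return { method: "POST", url: tokenUrl, headers, body: form.toString() };
}

// Reverse of the Basic branch, to show what a server recovers from the header.
function decodeBasic(headerValue) {
  const raw = Buffer.from(headerValue.replace(/^Basic /, ""), "base64").toString("utf8");
  const i = raw.indexOf(":");
  const dec = (s) => new URLSearchParams("v=" + s).get("v");
  return { clientId: dec(raw.slice(0, i)), clientSecret: dec(raw.slice(i + 1)) };
}

const sample = {
  tokenUrl: "https://login.example.test/oauth2/token", // placeholder
  clientId: "demo-client",
  clientSecret: "s3cr:et+/= value", // constructed; has characters that need encoding
  scope: "api.read",
};
for (const clientAuth of ["basic", "body"]) {
  console.log(clientAuth, buildTokenRequest({ ...sample, clientAuth }));
}
```

A token endpoint that reads only one of these locations will reject the other shape as an unauthenticated client, which is the Unauthorized response reported above.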