How do I secure the access token with the Authorization Code (With PKCE) grant type using Postman?
This use case starts when you enforce PKCE on the application and ends when you obtain the access token securely using Postman.
To secure the access token
1. Create an OAuth scope in the local authorization server.
2. Create an application with the OAuth2 authentication strategy. For details about creating an application, see Creating an Application.
a. Click the Authentication tab to create a strategy with OAuth2 authentication.
Make sure you have selected the following mandatory fields for this use case:
Select the Authentication scheme as OAUTH2.
Specify the Authentication server as local.
Select the Application Type as Public.
Specify the grant type used to generate the credentials. For this use case, select authorization_code; the list of grant types is populated dynamically from the authorization server.
Specify the Postman callback URL, https://oauth.pstmn.io/v1/callback, as the redirect URI. The redirect URI that Postman sends in the authorization request must match the one registered here.
Specify the OAuth scope that you created for the local authorization server in Step 1.
b. Click Add to save the strategy.
c. Click Save to save the application.
3. In Postman, under the Authorization tab, select OAuth 2.0 from the TYPE drop-down menu.
a. In the Configure New Token section, select Authorization Code (With PKCE) as the grant type.
b. Type https://oauth.pstmn.io/v1/callback in the Callback URL text box. This must match the redirect URI registered on the application in Step 2.
c. Select the Authorize using browser check box.
d. Type the authorization URL as http(s)://hostname:port/invoke/pub.apigateway.oauth2/authorize in the Auth URL text box.
e. Type http(s)://hostname:port/invoke/pub.apigateway.oauth2/getAccessToken in the Access Token URL text box.
f. Type the client ID and client secret in the Client ID and Client Secret text boxes respectively.
Note:
You can get the client ID and client secret from the Authentication tab of the Application screen.
g. From the Code Challenge Method drop-down menu, select the hashing method used to generate the code challenge. Select SHA-256: with the plain method the code verifier itself is sent as the challenge, so anyone who observes the authorization request can also redeem the intercepted authorization code.
h. Type the OAuth scope that you created for the local authorization server in Step 1 in the Scope text box.
i. Select Send client credentials in body as the client authentication method.
j. Click the Get New Access Token button.
k. Click the Approve button.
The MANAGE ACCESS TOKENS pop-up window displays the access token.
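The steps above drive the PKCE flow from Postman. The following script, added here as an illustration and not part of the original page or the API Gateway product, performs the same exchange with the standard library so the individual pieces are visible: the code verifier and S256 challenge from RFC 7636, the authorization URL sent to pub.apigateway.oauth2/authorize, the state check on the callback, and the form body posted to pub.apigateway.oauth2/getAccessToken with the client credentials in the body, as Step 3i configures. The hostname:port, client ID, client secret and scope are placeholders you replace with your own values; everything else follows the endpoints and callback URL named in the steps.

```python
"""Authorization Code with PKCE against the API Gateway OAuth2 endpoints.

Added example; hostname:port, client ID/secret and scope are placeholders.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

GATEWAY = "https://hostname:port"  # placeholder, as on the page
AUTHORIZE_URL = GATEWAY + "/invoke/pub.apigateway.oauth2/authorize"
TOKEN_URL = GATEWAY + "/invoke/pub.apigateway.oauth2/getAccessToken"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"  # the Postman callback from Step 2


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 unreserved characters (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """S256 hashes the verifier; 'plain' sends it as-is and gives no protection."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unknown code_challenge_method: " + method)


def build_authorize_url(client_id: str, scope: str, verifier: str,
                        state: str, method: str = "S256") -> str:
    """URL the browser opens; the challenge binds this request to the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier, method),
        "code_challenge_method": method,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def extract_code(redirected_url: str, expected_state: str) -> str:
    """Read the code from the callback URL; reject it if state does not match."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirected_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "code" not in query:
        raise ValueError(query.get("error", ["no code in callback"])[0])
    return query["code"][0]


def build_token_request(client_id: str, client_secret: str,
                        code: str, verifier: str) -> dict:
    """Form body for getAccessToken. Credentials go in the body (Step 3i);
    for a Public application PKCE is the real proof, the secret is optional."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    if client_secret:
        body["client_secret"] = client_secret
    return body


def exchange_code(body: dict) -> dict:
    """POST the form body and return the JSON token response (network call)."""
    data = urllib.parse.urlencode(body).encode("ascii")
    req = urllib.request.Request(
        TOKEN_URL, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    client_id, client_secret, scope = "CLIENT_ID", "CLIENT_SECRET", "myscope"
    verifier, state = make_code_verifier(), b64url(secrets.token_bytes(16))
    print("Open in a browser and approve:\n" +
          build_authorize_url(client_id, scope, verifier, state))
    callback = input("Paste the full callback URL: ").strip()
    code = extract_code(callback, state)
    print(json.dumps(exchange_code(
        build_token_request(client_id, client_secret, code, verifier)), indent=2))
```

Postman hides the verifier and the state check inside the Get New Access Token button; the script shows that the verifier never leaves the client until the token request, which is why an intercepted authorization code alone cannot be redeemed when SHA-256 is selected.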