OAuth 2.0 just got easier: introducing token refresh and ID token support
OAuth 2.0 has gained tremendous popularity in recent years—lately becoming the go-to standard when it comes to authenticating and authorizing APIs. It’s a powerful standard that comes with its own constraints to improve security. In most cases, the access tokens come with a short expiry, and Postman users have had to go through the tedious process of regenerating the token every time. OAuth 2.0 has also been extended by protocols such as OpenID Connect, which take OAuth 2.0 and add an identity layer on top for better authentication—but there had been no straightforward way in Postman to access this information.
We’ve been listening to your feedback around OAuth 2.0, and today we are super excited to announce two new features that will enhance your OAuth 2.0 experience.
Token refresh for OAuth 2.0
One of the most requested features, token refresh for OAuth 2.0 is now available in Postman. With this new feature, you can now easily refresh your OAuth 2.0 access tokens without having to go through the entire authorization process again. Simply click the Refresh Token button and Postman will take care of the rest. To make things easier, Postman will also automatically refresh the token for you before the token expires. This will save you time and increase your productivity. You can optionally disable this feature by turning off the auto-refresh token in the appropriate Authentication tab.
Support for ID tokens in OAuth 2.0
In addition to the token refresh feature, we have also added support for ID tokens in OAuth 2.0. ID tokens are a type of token used to identify the end user who has authenticated with an OAuth 2.0 provider. With support for ID tokens in Postman, you can now quickly access the user’s identity information, making it easier to work with OAuth 2.0 authentication in your APIs. Simply choose between an access token and ID token for your API’s authentication.
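What reading identity information out of an ID token involves, shown as an added example (not Postman's code): an OpenID Connect ID token is a compact JWT whose payload carries claims such as iss, aud, sub and exp. The issuer URL, client ID and claim values below are constructed for the demo, and the signature is not verified here; a real consumer must verify it against the provider's published keys before trusting any claim.

```javascript
// Constructed sample values (assumptions): not from Postman or any real provider.
const EXPECTED = { iss: "https://idp.example.test", aud: "postman-demo-client" };

// Base64url-encode a JSON object the way a JWT segment is encoded (no padding).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Build an unsigned sample ID token (header.payload.signature) for the demo only.
function makeSampleIdToken(claims) {
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}.constructed-signature`;
}

// Decode the payload segment of a compact JWT into its claims object.
// This only reads the claims; it does NOT verify the signature.
function decodeIdTokenClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT: expected 3 segments");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Return a list of problems; an empty list means the claims match expectations.
function checkIdTokenClaims(claims, expected, nowSeconds) {
  const problems = [];
  if (claims.iss !== expected.iss) problems.push("iss mismatch");
  // aud may be a single string or an array; it must name this client.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) problems.push("aud does not include this client");
  if (typeof claims.sub !== "string" || claims.sub === "") problems.push("missing sub");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("expired");
  return problems;
}

// Demo with a fixed clock so the output is deterministic.
const demoToken = makeSampleIdToken({
  iss: EXPECTED.iss, aud: EXPECTED.aud, sub: "user-123",
  email: "dev@example.test", exp: 1700003600,
});
const demoClaims = decodeIdTokenClaims(demoToken);
console.log(demoClaims.sub, demoClaims.email,
  checkIdTokenClaims(demoClaims, EXPECTED, 1700000000));
```

The aud check is the one that separates the two token types in practice: an ID token names the client application as its audience, so an API that accepts one should confirm it is the intended recipient.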
We hope these new features will make your work with OAuth 2.0 and Postman even more streamlined and efficient. As always, we are committed to providing you with the best possible API client experience, and we will continue to add new features and improvements to optimize your workflows. Stay tuned to the Postman blog for future updates.
Great
How about fixing PKCE support for OAuth in Azure? Just need to add an origin header. Reported in 2021.
Hello, how can I access ID Token or put value in variable?
I can get pm.request.auth.parameters().get('accessToken'); is there a way to access ID Token in the same way?
This is a fantastic start. However, when using AuthCode w/ refresh, many platforms require a separate URL to refresh the token. Is there going to be an option to add the refresh URL in the future? Thanks!
Can’t see the Access token/ID token option.
I cannot see the refresh token option in the Authorization tab. I use the scratch pad for most of my testing.
Is there a way to get access to the value of this token from a “Pre-request script”? At the time, I’m unable to find a way to get the value before executing a main request, I need this value to run a previous request within the “Pre-request script” section through “pm.sendRequest” function.
Hello! I have successfully set up a Collection Run and am able to run it manually and receive expected emails. However, when I set up a Scheduled Run, I see it’s healthy, but don’t receive any emails. We use OAuth 2.0 and I have the token set to refresh before each run. Any ideas of why my requests wouldn’t be sending for the automated runs?