Let's see how to set access tokens for APIs that are not public and require some form of authentication and authorization.
Access tokens let clients call protected web APIs securely. Postman offers several ways to supply an access token. When the user opens the Authorization tab of a request, they will find a drop-down like this:
OAuth Access Tokens:
An OAuth access token is a string value that the OAuth client presents to the resource server when sending a request. The grant type is set to client credentials when an application requests an access token to access its own resources, not resources on behalf of a user. In this blog, let's see how to set an OAuth 2.0 access token, but before that let's do a quick walkthrough of how OAuth 2.0 works with the client credentials grant.
OAuth2.0 Architecture
The client needs an access token to access a resource on the resource server. The client requests the access token from the authorization server by sending:
Client ID (client identifier)
Client secret (the confidential credential issued together with the client ID)
URI (address of the authorization server)
Scope (the amount of access permitted)
The authentication server authenticates the client using the client identifier issued to the client during the application registration process.
The scope sent in the access request may contain multiple space-delimited values.
An access token issued to the client app may grant only limited access to the protected resource on the resource server.
The developer can make an API enforce whatever scope they wish. So if a client receives a token with one scope and calls an API endpoint that requires a different scope, the call will fail.
When the client sends a request for an access token, it is essentially asking the authentication server to grant access.
With this access token, the client can now request the resource from the resource server. Let's see how to get an OAuth 2.0 access token through Postman.
How to get the Access Token:
To use this token, the user will have to click on the drop-down shown above and select the OAuth 2.0 type.
The user will have to set the values in the fields shown above.
The Grant Type should be Client Credentials.
The user must provide the Access Token URL from which the token is fetched.
The Client ID and Client Secret are confidential values that you will get from the clients. The Scope should be set to the access required for the token.
Now click the Get New Access Token button and the following popup will appear.
Authentication completes in a few milliseconds, after which the user clicks the Proceed button and receives a token like this:
After clicking Use Token, the access token is automatically added to the request header or request URL. The user can also add a header prefix when setting the value of the Authorization key. Now the request is ready to send with all authorization data set.
In this way, the user can set access tokens as required and call protected APIs.
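The client credentials exchange described in the architecture section, and the Use Token step above, carried out in code as an added example that is not part of the original post or of Postman: the token endpoint, client ID, client secret and sample response are assumed placeholders, and the scope check stands in for what a resource server does with the granted scope.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed placeholder; a real deployment uses its own token endpoint.
TOKEN_URL = "https://auth.example.com/oauth2/token"

def build_token_request(client_id, client_secret, scopes):
    """Return (headers, body) for a client-credentials token request.
    RFC 6749 section 4.4: grant_type=client_credentials in a form-encoded
    body, scopes space-delimited, client authenticated with HTTP Basic
    (client_id:client_secret) so the secret never appears in the URL."""
    body = urlencode({"grant_type": "client_credentials",
                      "scope": " ".join(scopes)}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body

def parse_token_response(raw_json):
    """Extract the access token and granted scopes; reject error replies."""
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type; expected bearer")
    return data["access_token"], set(data.get("scope", "").split())

def bearer_header(token, prefix="Bearer"):
    """The Use Token step: Authorization header with the header prefix."""
    return {"Authorization": f"{prefix} {token}"}

def scope_allows(granted, required):
    """Resource-server side: every scope the endpoint needs was granted."""
    return set(required) <= set(granted)

def fetch_token(client_id, client_secret, scopes, token_url=TOKEN_URL):
    """Live call: POST to the token endpoint and parse the reply."""
    headers, body = build_token_request(client_id, client_secret, scopes)
    req = Request(token_url, data=body, headers=headers, method="POST")
    with urlopen(req) as resp:
        return parse_token_response(resp.read().decode())

# Constructed sample reply, shaped like a real token endpoint response.
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJ.example.token",
                              "token_type": "Bearer",
                              "expires_in": 3600,
                              "scope": "orders:read"})
```

Only fetch_token touches the network; the other functions can be exercised offline against SAMPLE_RESPONSE.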
Conclusion:
It is good to use client credentials authorization as it provides more confidentiality. If an application wants to keep a secret, it should create its own credentials for authentication. Such clients are called confidential clients. The client secret is generated using the client's own username and password. This secret is a shared secret between the client and the authentication server. OAuth authentication using client credentials should be used wherever possible.