How to persist an OAuth2 token (or use a refresh token) in Postman collections?

Nate Ritter · Jan 28, 2016 · Viewed 31.6k times · Source

The goal

Be able to run a collection without going through the authorization process of every call individually prior to running the collection.

What I've attempted/noticed

  1. When using the OAuth2 authorization helper in Postman, I haven't discovered a method to save a returned refresh token, and thus use it when the access token expires to get a new one. (I've suggested this feature be placed into the helper in the Postman GitHub Issues.)

  2. I've tried creating a few steps at the beginning of the collection to replicate the helper, but cannot get past the step where user interaction is required to approve/deny (which makes sense as it's a security risk otherwise). However, I can't seem to figure out how to prompt the user either, the way the OAuth2 helper does.

  3. I've taken my expectations down a notch in regards to the refresh token and thought I could simply run the authentication on the first test in the list, saving the access token somehow in a global or environment variable, and then using that token in all the subsequent tests, but I have not found a way to save the access token generated via the OAuth2 helper.

I would love to know if there is a solution to this which results in collections being able to be run with minimal effort put into authorization. This becomes more important with the more tests written in a collection which all use OAuth2 authorization.

Side note: I've been using the Postman Mac client, in case there is a difference in clients I'm unaware of.

Answer

Percy Vega · Dec 21, 2016

Ok, first enter your OAUTH token URL, click on the Body tab, and fill out these POST parameters: client_id, grant_type, username, password, override.

Then, click on the Test tab, enter this text and then press Send:

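// Parse the token endpoint's JSON response
var data = JSON.parse(responseBody);
// Store both tokens as globals so later requests can use {{access_token}}
pm.globals.set("access_token", data.access_token);
pm.globals.set("refresh_token", data.refresh_token);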

Then enter one of your application URLs, click on the Headers Tab, and enter a parameter Authorization with a value Bearer {{access_token}}. Then click on Send.

Voila!
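
The answer above stores refresh_token but stops before using it. As an added example (not part of the original answer), a collection-level pre-request script could exchange it whenever the stored access token is close to expiry. The globals token_url, client_id and access_token_expires_at are assumed names, and the token endpoint is assumed to accept the standard refresh_token grant and return expires_in.

```javascript
// Added example. token_url, client_id and access_token_expires_at are assumed
// global names; access_token / refresh_token match the answer's test script.
const SKEW_MS = 30 * 1000; // refresh slightly early to avoid racing the expiry

function tokenIsFresh(pm, now) {
  const expiresAt = Number(pm.globals.get("access_token_expires_at") || 0);
  return Boolean(pm.globals.get("access_token")) && now + SKEW_MS < expiresAt;
}

function storeTokens(pm, data, now) {
  pm.globals.set("access_token", data.access_token);
  // Some servers rotate the refresh token; keep the old one if none is returned.
  if (data.refresh_token) pm.globals.set("refresh_token", data.refresh_token);
  // expires_in (seconds) is the standard OAuth2 field; assume 1 hour if absent.
  const ttl = Number(data.expires_in) || 3600;
  pm.globals.set("access_token_expires_at", String(now + ttl * 1000));
}

function ensureAccessToken(pm, now, done) {
  if (tokenIsFresh(pm, now)) return done(null, "cached");
  const refreshToken = pm.globals.get("refresh_token");
  if (!refreshToken) return done(new Error("no refresh_token stored; run the token request first"));
  pm.sendRequest({
    url: pm.globals.get("token_url"),
    method: "POST",
    header: { "Content-Type": "application/x-www-form-urlencoded" },
    body: {
      mode: "urlencoded",
      urlencoded: [
        { key: "grant_type", value: "refresh_token" },
        { key: "refresh_token", value: refreshToken },
        { key: "client_id", value: pm.globals.get("client_id") },
      ],
    },
  }, (err, res) => {
    if (err) return done(err);
    // On failure nothing is overwritten, so the stale token is never reused as fresh.
    if (res.code !== 200) return done(new Error("refresh failed with HTTP " + res.code));
    storeTokens(pm, res.json(), now);
    done(null, "refreshed");
  });
}

// Inside Postman `pm` is defined; elsewhere (e.g. Node) this only defines functions.
if (typeof pm !== "undefined") {
  ensureAccessToken(pm, Date.now(), (err) => { if (err) console.error(err.message); });
}
```

Placed in the collection's Pre-request Script tab, this runs before every request, so the Bearer {{access_token}} header from the answer keeps working after the first token expires.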