
USE OF POSTMAN WITH OPENID CONNECT PKCE AND API

OAuth 2.0 (on which OpenID Connect is based) supports many flows. These are essentially different ways of using it; you will hear terms like implicit flow, PKCE flow, etc.

For a web application, the gold standard is (usually) the authorization code flow with Proof Key for Code Exchange (PKCE), specified in RFC 7636. It fixes the problem of needing a client secret, which cannot be kept secret inside a web client (anyone can read the JavaScript). Instead, the client creates a random, one-time code verifier, sends a hash of it with the authorization request, and presents the verifier itself when redeeming the authorization code, so a code intercepted on the way back cannot be exchanged by anyone else.

Many APIs, Agilicus' included, use OpenAPI to specify how they function. Authentication is usually left out of scope of the specification, beyond stating that a bearer token is expected. This means that if you write a web application that uses the RESTful APIs directly, you first authenticate via the OpenID Connect PKCE flow, remember the access token, and send it as a bearer token in the Authorization header of each request.

As a developer, you may use a tool like Postman, which lets you interactively experiment with the API. Recently (as of v7.23.0, aka Canary) Postman added PKCE support. Let's try it.

First, we install Postman (v7.23.0 or later).

Second, we get the OpenAPI Specification (Agilicus links it at the top right of our website as API) and load it into Postman. In the request's Authorization tab, we select OAuth 2.0 and then Get New Access Token.

Now we have a dialog popup. Postman has not implemented the discovery mechanism, so let's look in another window at how to find the answers. We'll need the callback, authorization_endpoint, token_endpoint, client ID and scopes. The endpoints come from the issuer's .well-known/openid-configuration document; the auth endpoint in this curl will vary with your top-level domain. The callback in Postman terminology is the redirect URI; use urn:ietf:wg:oauth:2.0:oob. Note that the client ID and the redirect URI must match what the issuer has registered for your client, or the authorization request will be rejected.

$ curl https://auth.cloud.egov.city/.well-known/openid-configuration
{
  "issuer": "https://auth.cloud.egov.city/",
  "callback": "https://auth.ca-1.agilicus.ca/egov/",
  "authorization_endpoint": "https://auth.cloud.egov.city/auth",
  "token_endpoint": "https://auth.cloud.egov.city/token",
  "jwks_uri": "https://auth.cloud.egov.city/keys",
  "userinfo_endpoint": "https://auth.cloud.egov.city/userinfo",
  "revocation_endpoint": "https://auth.cloud.egov.city/token/revoke",
  "response_types_supported": [
    "code",
    "id_token",
    "token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}
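To make concrete what Postman does behind the dialog (the PKCE mechanism described earlier, and the endpoints pulled from the discovery document just shown), here is an added example script. It is not Agilicus' or Postman's code. It reads the endpoints out of a constructed copy of the discovery output above, generates an RFC 7636 S256 verifier/challenge pair, builds the authorization URL and the token request body, and shows the check the token endpoint performs. The client ID, state and authorization code are placeholder assumptions; the redirect URI is the out-of-band value used with Postman above.

```python
"""OpenID Connect PKCE helper (RFC 7636, S256). Added example, not the page's code."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample: the subset of the discovery document shown above that
# the Postman dialog needs. Only the issuer's advertised values are used.
DISCOVERY_JSON = """{
  "issuer": "https://auth.cloud.egov.city/",
  "authorization_endpoint": "https://auth.cloud.egov.city/auth",
  "token_endpoint": "https://auth.cloud.egov.city/token",
  "scopes_supported": ["openid", "email", "groups", "profile", "offline_access"]
}"""

REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"  # Postman "callback" used on this page
CLIENT_ID = "my-postman-client"               # assumption: whatever the issuer registered


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved chars."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def parse_discovery(text: str) -> dict:
    """Pull out the fields Postman cannot discover on its own."""
    doc = json.loads(text)
    return {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "scopes_supported": list(doc.get("scopes_supported", [])),
    }


def build_authorization_url(disc: dict, scopes: list, state: str, challenge: str) -> str:
    """Browser step: send the hashed challenge, never the verifier."""
    unknown = set(scopes) - set(disc["scopes_supported"])
    if unknown:
        raise ValueError(f"scopes not advertised by issuer: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return disc["authorization_endpoint"] + "?" + urlencode(params)


def build_token_request(disc: dict, code: str, verifier: str) -> tuple:
    """Back-channel step: (token_endpoint, form body). No client_secret; the
    verifier proves the redeemer is the party that started the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }
    return disc["token_endpoint"], body


def server_verifies(challenge_sent: str, verifier_presented: str) -> bool:
    """What the token endpoint checks before releasing tokens."""
    return secrets.compare_digest(challenge_sent, code_challenge_s256(verifier_presented))


if __name__ == "__main__":
    disc = parse_discovery(DISCOVERY_JSON)
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("open in browser:", build_authorization_url(disc, ["openid", "email"], secrets.token_urlsafe(16), challenge))
    endpoint, body = build_token_request(disc, "CODE-FROM-OOB-PAGE", verifier)  # placeholder code
    print("POST", endpoint, body)
    print("issuer would accept:", server_verifies(challenge, verifier))
```

The script stops at building the requests; exchanging the code against the live token endpoint is the same POST that Postman performs when you press Get New Access Token. The discovery document above only advertises client_secret_basic under token_endpoint_auth_methods_supported, so check with your issuer that the registered client is allowed to redeem a code without a secret before relying on PKCE alone.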
