How to persist an OAuth2 token (or use a refresh token) in Postman collections?

Front-end | Unresolved | 4 answers | 2117
一整个雨季 2021-01-30 05:50

The goal

Be able to run a collection without going through the authorization process of every call individually prior to running the collection.

4 answers
  •  我在风中等你
    2021-01-30 05:54

    I found an answer here on GitHub.

    First, setup these environment variables:

    • url : (your API endpoint)
    • access_token : (blank)
    • refresh_token : (blank)
    • client_id : (your client_id)
    • client_secret : (your client_secret)
    • username : (your username)
    • password : (your password)

    Next, create a new call which gets an access_token using the password grant_type.

    In my case, I POST to {{url}}/access_token. Sent with this call is the following information as form-data key/value pairs specified in the Body tab:

    • grant_type : password
    • username : {{username}}
    • password : {{password}}
    • client_id : {{client_id}}
    • client_secret : {{client_secret}}

    Sending this POST will result in something like this response:

    {
      "access_token": "kciOMpcmRcGTKfoo",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "DMGAe2TGaFbar"
    }
    

    Then, in the Tests tab, I added the following code to assign two of the environment variables, access_token and refresh_token.

    // Parse the token endpoint's JSON response
    var data = JSON.parse(responseBody);
    // Store both tokens in the environment so later requests can use {{access_token}}
    postman.setEnvironmentVariable("access_token", data.access_token);
    postman.setEnvironmentVariable("refresh_token", data.refresh_token);
    

    NOTE: I also put a test in there, just to make sure at least this call worked properly as well, although this has nothing to do with the original question:

    var jsonData = JSON.parse(responseBody);
    // Sanity check: the endpoint should hand back a Bearer token
    tests["token_type is Bearer"] = jsonData.token_type === "Bearer";
    

    Now any new call I create can use the access_token generated by that first call as an environment variable like this: {{access_token}}. In my case, I go to the Headers tab in a call/test and add this key/value pair:

    • Authorization : Bearer {{access_token}}

    Bonus points: I haven't given an example here, but theoretically I could add a pre-request script which tests the current (non-blank) access_token against the API and, if it fails, get a new one using the given (non-blank) refresh_token. This would make it so I wouldn't have to worry about access tokens expiring.

    That all said, I am not fond of this solution because it requires adding this first access_token call to every sub-folder in my collection because if I want to run a sub-folder only and not the collection as a whole, I need to make sure I have a fresh access_token. Not doing so would mean all tests would fail when an access_token expires. If you never run sub-folders separately in your Collection Runner, you could get away with only creating one access_token call and setting it as the first call to run in the collection.

    But, for that reason, I'm not going to mark this as the correct answer yet. I'm guessing there is a better answer than what I've come up with - ideally one where I do not have to duplicate the same access_token call/test into each sub-folder, but do get the benefit of automated, non-interactive tests with the flexibility of running a sub-folder by itself or the collection as a whole.
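The "bonus points" idea in the answer above (check the cached token, fall back to the refresh grant, and only then to the password grant) written out as an added example; this is not code from the original answer. It assumes the token endpoint returns the same JSON shape shown in the answer (access_token, expires_in, refresh_token) and that a refresh failure is signalled by a non-200 status. The `store` and `post` parameters are assumed stand-ins: in a Postman pre-request script they would be backed by pm.environment.get/set and pm.sendRequest, while here in-memory versions are constructed so the logic runs offline in Node. Freshness is decided from a stored absolute expiry rather than by probing the API, which avoids one extra round trip per request.

```javascript
// Added example (not from the original answer): refresh-aware token persistence
// for a Postman-style pre-request script, factored so it runs in plain Node.
// Assumptions: the OAuth2 endpoint answers the password and refresh_token grants
// with {access_token, token_type, expires_in, refresh_token}; `store` stands in
// for pm.environment and `post(url, form)` for pm.sendRequest.

const CLOCK_SKEW_SECONDS = 30; // refresh a little before the server's own expiry

// A cached token is usable only if it exists and has not reached expiry.
function tokenIsFresh(store, now = Date.now()) {
  const token = store.get("access_token");
  const expiresAt = Number(store.get("expires_at") || 0);
  return Boolean(token) && now < expiresAt - CLOCK_SKEW_SECONDS * 1000;
}

// Persist a token response and record an absolute expiry timestamp so later
// runs can judge freshness without contacting the server.
function saveTokenResponse(store, body, now = Date.now()) {
  if (!body || typeof body.access_token !== "string") {
    throw new Error("token response missing access_token");
  }
  store.set("access_token", body.access_token);
  store.set("expires_at", String(now + Number(body.expires_in || 0) * 1000));
  if (body.refresh_token) store.set("refresh_token", body.refresh_token);
  return body.access_token;
}

// Obtain a usable access token: cached -> refresh grant -> password grant.
async function ensureAccessToken(store, post, now = Date.now()) {
  if (tokenIsFresh(store, now)) {
    return { token: store.get("access_token"), via: "cache" };
  }
  const url = `${store.get("url")}/access_token`;
  const creds = { client_id: store.get("client_id"), client_secret: store.get("client_secret") };

  const refreshToken = store.get("refresh_token");
  if (refreshToken) {
    const res = await post(url, { grant_type: "refresh_token", refresh_token: refreshToken, ...creds });
    if (res.code === 200) return { token: saveTokenResponse(store, res.json, now), via: "refresh" };
    store.set("refresh_token", ""); // stale refresh token: do not retry it next time
  }

  const res = await post(url, {
    grant_type: "password", username: store.get("username"), password: store.get("password"), ...creds,
  });
  if (res.code !== 200) throw new Error(`password grant failed with HTTP ${res.code}`);
  return { token: saveTokenResponse(store, res.json, now), via: "password" };
}

// --- Constructed stand-ins so the example runs offline -----------------------

// In-memory replacement for pm.environment.get/set.
function memoryStore(initial) {
  const m = new Map(Object.entries(initial));
  return { get: (k) => m.get(k), set: (k, v) => m.set(k, v) };
}

// Fake token endpoint: accepts one known refresh token or the configured password.
function fakeServer(validRefresh) {
  return async (url, form) => {
    if (!url.endsWith("/access_token")) return { code: 404, json: {} };
    if (form.grant_type === "refresh_token" && form.refresh_token === validRefresh) {
      return { code: 200, json: { access_token: "refreshed-token", token_type: "Bearer", expires_in: 3600, refresh_token: "next-refresh" } };
    }
    if (form.grant_type === "password" && form.password === "secret") {
      return { code: 200, json: { access_token: "fresh-token", token_type: "Bearer", expires_in: 3600, refresh_token: "first-refresh" } };
    }
    return { code: 400, json: { error: "invalid_grant" } };
  };
}
```

Used from a collection-level pre-request script, ensureAccessToken runs before every request regardless of which sub-folder is executed, so the separate access_token call no longer has to be duplicated into each folder; the secrets it reads (password, client_secret) are only ever passed to the token endpoint and are never written to logs.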
