OAuth 2.0 Refresh Token always sends basic auth #12770

Open
1 task done
DominicSaladin opened this issue Apr 4, 2024 · 2 comments

@DominicSaladin

Is there an existing issue for this?

  • I have searched the tracker for existing similar issues and I know that duplicates will be closed

Describe the Issue

When using the auto token refresh feature or the manual refresh token feature, Postman always sends a request with basic auth, even if the client authentication is set to "Send client credentials in body".

Also the use of the advanced parameters doesn't seem to work for this:
image

The issue was reported one year ago for macOS #11668 and #12110

Steps To Reproduce

  1. Set up Authorization for OAuth 2.0
  2. Set client authentication to "Send client credentials in body"
  3. Request a new access token
  4. Refresh token
    image

Screenshots or Videos

No response

Operating System

Windows

Postman Version

10.24.16

Postman Platform

Postman App

User Account Type

Signed In User

Additional Context?

No response

@abhijeetborole
Member

abhijeetborole commented Apr 5, 2024

Hey @DominicSaladin, thanks for reporting this issue. Postman takes a snapshot of the headers/body/url when the token is generated as this token is stored locally and available across collections and workspaces. Changes to the refresh request parameters will reflect when you generate a new token. Could you try to:

  • Add the params you wish to override in the Refresh Request section; your current setup is fine to override the client_id and client_secret and send them in the body.
  • Generate a new token once this configuration is set up in the Refresh Request section.
  • Try refreshing this token.

Let me know if this fixes the issue for you.
E.g.

Screen.Recording.2024-04-05.at.12.04.34.PM.mov

@DominicSaladin
Author

Thanks @abhijeetborole that actually worked! But isn't that a weird behavior? When using Postman, this behavior is not clear and even if it takes a snapshot of the get access token request, why do I have to specify the client_id and client_secret manually?
When getting the access token, I don't have to specify those parameters and it gets sent like it should.
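
The two client authentication modes discussed in this thread, as an added example that is not part of the original issue and is not Postman's code: it builds an RFC 6749 refresh request with credentials either in the Basic header or in the body, and checks a request for which mode it actually uses. The method names `client_secret_basic` and `client_secret_post`, the function names and the sample values are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode


def build_refresh_request(refresh_token, client_id, client_secret, method):
    """Return (headers, body) for a refresh_token grant (RFC 6749 section 6)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then Basic-encode.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel as form fields; no Authorization header is set.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(form)


def detect_client_auth(headers, body):
    """List the client authentication methods present in one token request."""
    found = []
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "basic" and value:
        found.append("client_secret_basic")
    if "client_secret" in parse_qs(body, keep_blank_values=True):
        found.append("client_secret_post")
    return found


def check_refresh_request(expected, headers, body):
    """Compare the method actually sent with the configured one."""
    found = detect_client_auth(headers, body)
    if found == [expected]:
        return "ok"
    if len(found) > 1:
        # RFC 6749 section 2.3: only one authentication method per request.
        return "credentials sent twice"
    if not found:
        return "no client credentials"
    return f"mismatch: configured {expected}, sent {found[0]}"


# Constructed sample values (refresh token, client id, client secret).
SAMPLE = ("rt-example", "my-client", "s3cr3t/+ value")
```

Running `check_refresh_request` over a captured refresh request (for example from a proxy or the authorization server's access log) shows whether the client honoured the configured mode.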
