Updating Access Tokens in Postman

Microsoft recently changed their rules regarding Azure issued token expirations.  Tokens will now expire after an hour and it appears there's very little you can do about that.  So, what do you do?  You need to make use of the refresh token.  A refresh token allows you to generate a new token and has a much longer expiration time - Azure refresh tokens have a three month lifespan by default.  When you generate a new token, you get a new refresh token also.  This means that while your token only lasts an hour, you can go as long as three months before you need to actually go through the token request process again.  As long as you use your refresh token before it expires (and it's not revoked), your access will effectively never expire.

From a security perspective, this is a good thing as it limits the damage that a misplaced token can do, since the token is good for no more than an hour.  From a development perspective, it means that applications using these tokens will now have to do a little more work.  It also means that Postman's built-in OAuth handling will require you to generate an Azure token again when it expires, as it does not have refresh capability.  With Azure, this means logging in to a Microsoft account, and you may not want to go through that (also, it's good to be able to test this process in Postman since you will need to do it in your application).  To automate the use of refresh tokens in Postman, you have to create a separate request, and any token you receive will need to make it back to the requests using it.  Variables are a great way to do this, but you still have to update the variable from the refresh response.

Here's how you do it.

This process assumes that you have all of the information needed to generate your token and already have a refresh token, which you can get using Postman's OAuth token manager.

The first thing you need to do is add some token variables to your collection.  Edit the collection and click on the variables tab to create them.

You will need two variables - one for the refresh token and another for the token itself.  You want to store the refresh token after each refresh so that you get maximum use out of it.  Once you have that, you can set up a refresh request.  The exact request may be different depending on the API you're using.

You also need a script to update the variables.  This goes under the request's Tests tab.
Once you have this in place, you just need to set up your requests to use the token for authentication.
You should now be able to make API calls with your OAuth2 credentials and minimal effort.
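A Tests script for the refresh request, as an added example that is not the script from the original post: it reads the token endpoint's JSON response, refuses to overwrite the variables when the refresh failed, and stores the rotated refresh token alongside the access token. The variable names `access_token`, `refresh_token` and `token_expires_at`, and the Azure AD response shape, are assumptions.

```javascript
// Added example, not the script from the original post. Assumes the refresh
// request hits the Azure AD token endpoint and the collection variables are
// named "access_token", "refresh_token" and "token_expires_at".

// Constructed sample, shaped like a token endpoint response (values are fake).
const SAMPLE_REFRESH_RESPONSE = {
  token_type: "Bearer",
  expires_in: 3599,
  access_token: "eyJ0eXAi.constructed-access-token",
  refresh_token: "0.constructed-refresh-token",
};

// Decide which collection variables to update from a token response.
// Returns null when there is no usable access_token, so a failed refresh
// (e.g. an "invalid_grant" error body) never clobbers a still-valid token.
function tokenVariablesFromResponse(body, now = Date.now()) {
  if (!body || typeof body.access_token !== "string" || body.access_token === "") {
    return null;
  }
  const updates = { access_token: body.access_token };
  // Azure rotates the refresh token on each use; keep the newest one so the
  // three-month window keeps sliding forward instead of running out.
  if (typeof body.refresh_token === "string" && body.refresh_token !== "") {
    updates.refresh_token = body.refresh_token;
  }
  // Store the expiry (epoch ms) so a pre-request script can refresh proactively.
  if (Number.isFinite(body.expires_in)) {
    updates.token_expires_at = String(now + body.expires_in * 1000);
  }
  return updates;
}

// Entry point for Postman's Tests tab; takes the `pm` object so it can also be
// exercised outside the sandbox with a stand-in.
function applyToPostman(pmApi) {
  const updates = tokenVariablesFromResponse(pmApi.response.json());
  pmApi.test("refresh returned an access token", () => {
    if (updates === null) throw new Error("no access_token in response; variables left unchanged");
  });
  if (updates === null) return null;
  for (const [name, value] of Object.entries(updates)) {
    pmApi.collectionVariables.set(name, value);
  }
  return updates;
}

if (typeof pm !== "undefined") {
  applyToPostman(pm); // inside Postman: update the collection after every refresh
}
```

Paste it into the Tests tab of the refresh request; the API requests then reference `{{access_token}}` in their Authorization header.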


