Test IAS with Postman

Here is a guide on how you can verify and test your client configuration using Postman.

Before you start, download our example Postman collection


Step 1 - Navigate to the collection settings

After you have imported the example collection, click the collection name in the collection list to open its settings.


Step 2 - Fill in your variables details

Next you need to fill in your client-specific details in the collection variables. Click the Variables tab, fill in the following details and remember to save:

  • CLIENT_ID

  • CLIENT_SECRET

  • REDIRECT_URI

If you use Postman Cloud to sync your work or share it with teammates, protect your CLIENT_SECRET: set only the CURRENT VALUE of the variable, because that value is not synchronized to Postman's cloud.


Step 3 - Get New Access Token

Now you should be able to get a new access token in Postman. Click the Authorization tab to open the authorization view. Everything should already be configured from the collection variables.

Here you can change the Scope input to test the client's access to specific scopes, but always include the openid and profile scopes. For example, to test whether the client is configured for offline access, add the offline_access scope so the value becomes openid profile offline_access.

We recommend using PKCE even when you are using a confidential client with a secret. PKCE adds protection against CSRF and authorization code injection attacks.

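As an added example (not from the IAS documentation or the example Postman collection), the following Python reconstructs what Postman assembles in this step: a PKCE verifier and its S256 challenge, a scope check that enforces openid and profile, the authorization request, and the form-encoded token request. The authorization endpoint URL is a placeholder for your IAS environment.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder endpoint (assumption): substitute your IAS environment's URL.
AUTHORIZE_URL = "https://ias.example.invalid/oauth2/authorize"


def make_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_scope(scope: str) -> list:
    """Reject a Scope value that drops openid or profile, which the guide requires."""
    scopes = scope.split()
    missing = [s for s in ("openid", "profile") if s not in scopes]
    if missing:
        raise ValueError("scope must include: " + " ".join(missing))
    return scopes


def authorization_url(client_id, redirect_uri, scope, verifier, state):
    """The browser request Postman opens in Step 4, with the PKCE challenge attached."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must exactly match a registered Callback URL
        "scope": " ".join(check_scope(scope)),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def token_request_body(code, client_id, client_secret, redirect_uri, verifier):
    """Form body for the token endpoint; the verifier proves this client started the flow.
    urlencode escapes '+', '/' and '=' inside the secret, which Postman does not do itself."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret, "code_verifier": verifier})
```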

Step 4 - Authenticate

After you click the Get New Access Token button, Postman opens a dialog. If the client configuration is valid you should see the login screen, where you can log in.

If you see an error message, check the Troubleshooting section below for more details.


Step 5 - Receive tokens

If you authenticate successfully you should see the Manage Access Tokens dialog with your new tokens 🎉 You can use https://jwt.io/ to decode the tokens and view which claims they contain.


🐞 Troubleshooting

Here are the most common errors when testing the client configuration.

invalid_request - Invalid Redirect URI

When you see the message invalid_request, the most common cause is that the Redirect URI provided is not registered as an allowed URI in the client definition in IAS.

You can edit the list of allowed URIs in the IAS admin portal under Application>Application URLs>Callback URL.


invalid_scope - Invalid Client Scope

When you see the message invalid_scope, one or more scopes in the Scope input either do not exist or have not yet been granted to the client.

You can view and edit the list of scopes granted to a client in the IAS admin portal under Application>Permissions.


unauthorized_client - Invalid Client ID

When you see the message unauthorized_client, the most common cause is that the Client ID is invalid.

Please verify that the configured Client ID matches the Client ID shown in the IAS admin portal and make sure that you are connecting to the correct IAS environment.


Authentication failed - Invalid Client Secret

When you see an error message from Postman that the authentication failed, and you find the message Error: invalid_client in the Postman Console, the most common cause is that the Client Secret is invalid.

Please verify that the configured Client Secret matches the Client Secret shown in the IAS admin portal. Note that Postman does not URL-encode client secrets before sending them, so try manually URL-encoding your secret before entering it into Postman.
