# Test IAS with Postman

Here is a guide on how you can verify and test your client configuration using [Postman](https://www.postman.com/).

{% hint style="info" %}
Before you start, download our example Postman collection.

{% file src="<https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-4d0466bbf72a91067f1c7e4c45ed54c7c8cd3151%2Fexample-test-auth.postman_collection.json?alt=media&token=71eaac0c-4355-4ad7-9f90-ee51ddefef60>" %}
Example Postman Collection
{% endfile %}
{% endhint %}

## Step 1 - Navigate to the collection settings

After you have imported the example collection, click the collection name in the collection list to open its settings.

![Step1](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-977a55f9524cef15266455db14bd49e63f1b6f22%2Fstep1_click_collection.png?alt=media\&token=354d3750-63c6-4e1d-aeb1-621077be07e5)

## Step 2 - Fill in your variables details

Next, fill in your client-specific details in the collection variables. Click the *Variables* tab, fill in the following values, and remember to save:

* `CLIENT_ID`
* `CLIENT_SECRET`
* `REDIRECT_URI`

{% hint style="info" %}
If you use Postman Cloud to sync your work or share it with your teammates, protect your `CLIENT_SECRET`: set only the **CURRENT VALUE**, which is not synchronized to Postman's cloud.
{% endhint %}

![Step2](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-ecac088c56268a242a21ba99aac09f6af5b82590%2Fstep2_fill_in_variables.png?alt=media\&token=52245462-cabf-4166-9011-e8c34c8bdfd9)

{% hint style="warning" %}
Remember to save your collection when you have updated the values.
{% endhint %}

## Step 3 - Get New Access Token

Now you should be able to get a new access token in Postman. Click the *Authorization* tab to open the authorization view. Everything should already be configured through the collection variables.

Here you can edit the *Scope* input if you want to test the client's access to specific scopes, but always include the `openid` and `profile` scopes. For example, to test whether the client is configured for offline access, add the `offline_access` scope so that the value becomes `openid profile offline_access`.

{% hint style="info" %}
We recommend using [PKCE](https://datatracker.ietf.org/doc/html/rfc7636) even when you are using a confidential client with a secret. PKCE improves security by preventing CSRF and authorization code injection attacks.
{% endhint %}

![Step3](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-5cb69b9d52b807ea90c9c632939bd5f9e8664342%2Fstep3_get_new_access_token.png?alt=media\&token=6934519c-9978-4b44-9270-213bb49f8e4f)
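The request Postman builds in this step, as an added example that is not part of the original page or collection: it generates an RFC 7636 S256 code verifier/challenge pair, shows the check the authorization server applies when the code is redeemed (which is why a stolen code alone is not enough), and assembles the authorization request with the scopes discussed above. `AUTHORIZE_URL` is an assumed placeholder; the page does not give the IAS endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholder: the page does not give the IAS authorization endpoint.
AUTHORIZE_URL = "https://ias.example.invalid/oauth2/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 32 random bytes give 43 unreserved characters,
    the minimum length RFC 7636 allows (the maximum is 128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint:
    an intercepted authorization code is useless without the matching verifier."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list,
                            state: str, code_challenge: str) -> str:
    """The kind of authorization request sent on 'Get New Access Token'.
    Enforces the page's rule that openid and profile are always requested."""
    if "openid" not in scopes or "profile" not in scopes:
        raise ValueError("scope must include openid and profile")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorization_url("CLIENT_ID", "https://app.example.invalid/callback",
                                  ["openid", "profile", "offline_access"],
                                  secrets.token_urlsafe(16), make_code_challenge(verifier)))
```

The redirect URI must match the registered callback byte for byte (see the Troubleshooting section), so copy the exact `REDIRECT_URI` value from the collection variables.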

## Step 4 - Authenticate

After you click the `Get New Access Token` button, Postman opens a dialog. If the client configuration is valid, you should see the login screen where you can log in.

If you see an error message, check the [Troubleshooting](#troubleshooting) section for more details.

![Step4](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-94659f2784034c6c2063fe751771d96478ac2d1c%2Fstep4_authenticate.png?alt=media\&token=a18de7bb-4243-42fe-831c-1a8b5761c16e)

## Step 5 - Receive tokens

If you authenticate successfully, you should see the *Manage Access Tokens* dialog with your new tokens 🎉\
You can use <https://jwt.io/> to decode the tokens and view which claims they contain.

![Step5](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-0f89f177139efac48251cc63cec3720a910aa536%2Fstep5_receive_token.png?alt=media\&token=f1e787cb-c719-43f3-8c33-230b97651453)
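What the jwt.io viewer does with a token, as an added example that is not part of the original page: it splits a compact JWT, restores the base64url padding the segments omit, and decodes the header and claims, then runs a few checks a tester would want on the result (`aud` matches the configured `CLIENT_ID`, `iss` is the expected issuer, `exp` is in the future). The sample token, issuer and client ID are constructed for the example; the signature is not verified here, so this is for inspecting claims only.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Split a compact JWT into header and payload, like jwt.io's viewer.
    The signature is NOT checked, so use this only to inspect claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_token_claims(payload: dict, client_id: str, issuer: str, now=None) -> list:
    """Sanity checks on the claims of a token obtained in Postman; returns problems found."""
    now = int(time.time()) if now is None else now
    problems = []
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the configured CLIENT_ID")
    if payload.get("iss") != issuer:
        problems.append("iss is not the expected IAS issuer")
    if payload.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


# Constructed sample (not a token issued by IAS); the signature segment is a placeholder.
SAMPLE_ISSUER = "https://ias.example.invalid"
SAMPLE_CLIENT_ID = "my-client-id"
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-key"}).encode()),
    _b64url_encode(json.dumps({
        "iss": SAMPLE_ISSUER, "sub": "user-123", "aud": SAMPLE_CLIENT_ID,
        "iat": 1_900_000_000, "exp": 1_900_003_600,
    }).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    header, claims = decode_jwt_unverified(SAMPLE_TOKEN)
    print(header, claims, check_token_claims(claims, SAMPLE_CLIENT_ID, SAMPLE_ISSUER))
```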

## 🐞 Troubleshooting

Here are the most common errors when testing the client configuration.

### invalid\_request - Invalid Redirect URI

When you see the message `invalid_request`, the most common cause is that the *Redirect URI* provided is not registered as an allowed URI in the client definition in the IAS.

You can edit the list of allowed URIs in the IAS admin portal under Application > Application URLs > Callback URL.

{% hint style="warning" %}
The *Redirect URI* is case sensitive and sensitive to a trailing slash.
{% endhint %}

![InvalidRedirectUri](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-b7c1bb1cc26e4d2620f9ccd4ce4dbf4d5a449007%2Fts_invalid_redirect_uri.png?alt=media\&token=3bd9d970-20db-4886-a518-78896a7e0075)

### invalid\_scope - Invalid Client Scope

When you see the message `invalid_scope`, one or more scopes in the *Scope* input either do not exist or the client has not yet been granted access to them.

You can view and edit the list of scopes granted to a client in the IAS admin portal under Application>Permissions.

![InvalidScope](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-045bbe985a1422885e94de112fe127f14cbbfafb%2Fts_invalid_scope.png?alt=media\&token=434ff0cd-5530-4f33-a5a3-c62b29c1aa74)

### unauthorized\_client - Invalid Client ID

When you see the message `unauthorized_client`, the most common cause is that the *Client ID* is invalid.

Verify that your configured *Client ID* matches the *Client ID* shown in the IAS admin portal, and make sure you are connecting to the correct IAS environment.

![InvalidClientId](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-13a233a05b0279533629f39ce87836f52243dcb7%2Fts_invalid_client_id.png?alt=media\&token=d57498dd-dd6c-4488-b739-e5fb38138bd9)

### Authentication failed - Invalid Client Secret

When you see an error message from Postman that the authentication failed and you find the message `Error: invalid_client` in the Postman Console, the most common cause is that the *Client Secret* is invalid.

Verify that your configured *Client Secret* matches the *Client Secret* shown in the IAS admin portal. Note that Postman does not URL-encode client secrets before sending them, so try manually URL-encoding your secret before entering it into Postman.

![InvalidClientSecret](https://3924059971-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJWCB43mX_-7DO7e_Oj%2Fuploads%2Fgit-blob-2b39968cbdae60571105dc141e03cd815b5f8bbe%2Fts_invalid_client_secret.png?alt=media\&token=276abcee-091b-4213-8f68-dc54adc45032)
