Test IAS with Postman
Here is a guide on how you can verify and test your client configuration using Postman.
Before you start, download our example Postman collection.
After you have imported the example collection, click the collection name in the collection list to open the settings.
Next, fill in your client-specific details in the collection variables. Click the Variables tab, fill in the following details, and remember to save:
CLIENT_ID
CLIENT_SECRET
REDIRECT_URI
If you are using Postman Cloud to sync your work or share it with your teammates, you should protect your CLIENT_SECRET. If you set only the CURRENT VALUE, the value is not synchronized to Postman's cloud.
Remember to save your collection when you have updated the values.
Now you should be able to get a new access token in Postman. Click the Authorization tab to open the authorization view. Everything should be configured using the variables.
Here you can update the Scope input if you want to test the client's access to specific scopes, but you should always include the openid and profile scopes. For example, to test whether the client is configured for offline access, you could add the offline_access scope, so the value would be openid profile offline_access.
We recommend using PKCE even though you are using a confidential client with a secret. PKCE improves security by preventing CSRF and authorization code injection attacks.
After you click the Get New Access Token button, Postman opens a dialog. If the client configuration is valid, you should see the login screen where you can log in.
If you see an error message, check the Troubleshooting section for more details.
If you authenticate successfully, you should see the Manage Access Tokens dialog with your new tokens 🎉 You can use https://jwt.io/ to decode the tokens and view which claims they contain.
Here are the most common errors when testing the client configuration:
When you see the message invalid_request, the most common cause is that the Redirect URI provided is not registered as an allowed URI in the client definition in the IAS.
You can edit the list of allowed URIs in the IAS admin portal under Application>Application URLs>Callback URL.
The Redirect URI is case sensitive, and a trailing slash also matters.
When you see the message invalid_scope, one or more scopes in the Scope input either do not exist or have not yet been granted to the client.
You can view and edit the list of scopes granted to a client in the IAS admin portal under Application>Permissions.
When you see the message unauthorized_client, the most common cause is that the Client ID is invalid.
Please verify that your configured Client ID matches the Client ID shown in the IAS admin portal, and make sure that you are connecting to the correct IAS environment.
When you see an error message from Postman saying that the authentication failed, and you find the message Error: invalid_client in the Postman Console, the most common cause is that the Client Secret is invalid.
Please verify that your configured Client Secret matches the Client Secret shown in the IAS admin portal. Note that Postman does not URL-encode client secrets before sending them, so try manually URL-encoding your secret before entering it into Postman.
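The redirect URI and client secret checks from the troubleshooting list can be run locally before opening Postman. The following is an added example, not part of the IAS documentation or the example collection; the function names urlEncodeSecret and diagnoseRedirectUri, the callback URL and the secret are all constructed for illustration.

```javascript
// Added example: helper names and sample values are constructed, not taken from IAS or Postman.

// Percent-encode a client secret strictly (only RFC 3986 unreserved characters stay as-is).
// encodeURIComponent leaves ! ' ( ) * untouched, so those are encoded by hand.
function urlEncodeSecret(secret) {
  return encodeURIComponent(secret).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Compare the REDIRECT_URI variable with the Callback URLs registered for the client.
// A redirect URI only passes on an exact string match: case and trailing slash both count.
function diagnoseRedirectUri(configured, registered) {
  if (registered.includes(configured)) {
    return { ok: true, reason: "exact match" };
  }
  const stripSlash = (u) => u.replace(/\/+$/, "");
  for (const candidate of registered) {
    if (candidate.toLowerCase() === configured.toLowerCase()) {
      return { ok: false, reason: "case differs", closest: candidate };
    }
    if (stripSlash(candidate) === stripSlash(configured)) {
      return { ok: false, reason: "trailing slash differs", closest: candidate };
    }
    if (stripSlash(candidate).toLowerCase() === stripSlash(configured).toLowerCase()) {
      return { ok: false, reason: "case and trailing slash differ", closest: candidate };
    }
  }
  return { ok: false, reason: "not registered" };
}

// Constructed sample input: copy the real list from Application>Application URLs>Callback URL.
const registeredCallbacks = ["https://app.example.com/callback"];
const sampleSecret = "p@ss+w/rd=(1)!";

console.log(urlEncodeSecret(sampleSecret));
console.log(diagnoseRedirectUri("https://app.example.com/Callback/", registeredCallbacks));
```

Run it with Node.js and paste the encoded secret into the CURRENT VALUE of CLIENT_SECRET only, so the value stays out of Postman's cloud.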