Postman pre-request script to automatically get an id_token from AWS Cognito using a Refresh Token and save it for reuse

postman-pre-request.js

/*  This Postman pre-request script allows using an id_token from an Amazon Cognito OAuth2 flow instead of the access_token.
    It only exists as a workaround because Postman's team has been ignoring requests to let us use an id_token instead of access_token since 2014.
    See: https://github.com/postmanlabs/postman-app-support/issues/8231 and https://github.com/postmanlabs/postman-app-support/issues/492

    It has been adapted to support AWS Cognito User Pools from https://gist.github.com/bcnzer/073f0fc0b959928b0ca2b173230c0669#file-postman-pre-request-js-L29
    It uses a refresh_token (which you must get manually) and exchanges it for an id_token, and refreshes it automatically as needed.
    You could use it to talk to most OAuth2 Endpoints with very minimal changes.

    How to use:

    1- Set your Collection Authorization type to "Bearer Token" using this value: {{_current_id_token}}
       Your Requests should be set to 'Inherit auth from parent'
    
    2- Copy this script into your Collection Pre-request Script. 

    3- Set the following variables in your collection, or/and in your environments as required by your use-case:
        The examples supplied here are for AWS Cognito
        - OAuth2BaseUrl: Your Amazon Cognito domain. eg: https://<your-domain-prefix>.auth.us-east-1.amazoncognito.com
        - OAuth2ClientId: Your Cognito App client id
        - OAuth2RefreshToken: You can get this by using the LOGIN or AUTHORIZATION endpoints as defined in https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html
                              For our use-case, we copy the refresh_token from our existing application, which expires and must be re-entered after x weeks.
*/

// Get your Refresh Token from Takeoff's Local Storage and put it in this collection's Variables as OAuth2RefreshToken, in the Current Value Column (NOT INITIAL VALUE; THAT IS SYNCED ACROSS THE TEAM).

var url = pm.variables.get('OAuth2BaseUrl') + "/oauth2/token"; // https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
var clientId = pm.variables.get('OAuth2ClientId');
var refresh_token = pm.variables.get('OAuth2RefreshToken');

const echoPostRequest = {
  url: url,
    method: "POST",
    header: [
        'Content-Type:application/x-www-form-urlencoded'
    ],
    body: {
        mode: "urlencoded",
        urlencoded: [
            {key: "grant_type", value: "refresh_token"},
            {key: "client_id", value: clientId},
            {key: "refresh_token", value: refresh_token}
        ]
    },
};


if (!pm.variables.get('_current_id_token') || !pm.environment.has('_current_id_token_expires_at') || pm.environment.get('_current_id_token_expires_at') < (new Date()).getTime()) {
    console.info('id_token missing or expired, getting new one from: ' + url)
    
    pm.sendRequest(echoPostRequest, function (err, res) {
        if (err) { 
            console.log(err);
            console.error("Could not get id_token. Your OAuth2RefreshToken may be expired or invalid.")
        } else {
            console.log('Success. Saving the id_token')
            var responseJson = res.json();
            
            var expiryDate = new Date();
            expiryDate.setSeconds(expiryDate.getSeconds() + responseJson.expires_in);

            pm.environment.set('_current_id_token', responseJson.id_token)
            pm.environment.set('_current_id_token_expires_at', expiryDate.getTime())
        }
    });
} 

Was having an issue with an invalid refresh token (line return at the end of the variable). Took a while to track down, I suggest updating line 51-52 with the following:

        if (err || res.code != 200) { 
            if(!err)
                console.log(res.status);
            else
                console.log(err);

@mevansLA I made same change.