Postman : Authorisation Code Grant on Server 2016 - ADFS 4.0 - with template web API
{
"variables": [],
"info": {
"name": "ADFS My IIS",
"_postman_id": "f2145f47-b93d-b35a-5707-c115e866bf2b",
"description": "Auth code flow.",
"schema": "https://schema.getpostman.com/json/collection/v2.0.0/collection.json"
},
"item": [
{
"name": "Auth. Code Grant",
"description": "",
"item": [
{
"name": "Authorize Request",
"request": {
"url": "https://my-adfs/adfs/oauth2/authorize?client_id=a07...e75&response_type=code&redirect_uri=https%3A%2F%2Fmy-pc%2FTodoListWebApp%2F&response_mode=query&scope=user_impersonation+openid&resource=https%3A%2F%2Fmy-pc%2FTodoListService%2F",
"method": "GET",
"header": [],
"body": {
"mode": "raw",
"raw": ""
},
"description": "A sign-in request that begins the OAuth 2.0 authorization code flow. Copy & paste the URL into a browser: running it in Postman only returns the HTML of the ADFS login page. Replace client_id, redirect_uri and resource with your own values from the ADFS application group wizard (the wizard also lists the endpoints; the client secret is not needed until the token request). After you sign in with your AD credentials, ADFS redirects to redirect_uri with the authorization code in the query string. Copy the code (the part after '?code=', up to the next '&' if there is one) into the next request. Note that this request sends no state parameter; a real client should send a random state value and check it on the redirect."
},
"response": []
},
{
"name": "Token Request - Auth Code",
"event": [
{
"listen": "test",
"script": {
"type": "text/javascript",
"exec": "tests['Status Code is 200'] = (responseCode.code === 200);\n\nif (responseCode.code === 200) {\n try {\n // Only publish the token if the body parsed and actually carries one.\n var tokens = JSON.parse(responseBody);\n if (tokens.access_token) {\n postman.setGlobalVariable(\"access_token\", tokens.access_token);\n }\n }\n catch(e) {\n console.log(e);\n }\n}"
}
}
],
"request": {
"url": "https://my-adfs/adfs/oauth2/token",
"method": "POST",
"header": [
{
"key": "Content-Type",
"value": "application/x-www-form-urlencoded",
"description": ""
}
],
"body": {
"mode": "urlencoded",
"urlencoded": [
{
"key": "client_id",
"value": "a07...e75",
"type": "text",
"enabled": true
},
{
"key": "scope",
"value": "openid",
"type": "text",
"enabled": true
},
{
"key": "redirect_uri",
"value": "https://my-pc/TodoListWebApp/",
"type": "text",
"enabled": true
},
{
"key": "grant_type",
"value": "authorization_code",
"type": "text",
"enabled": true
},
{
"key": "client_secret",
"value": "O1P...3Mvo",
"type": "text",
"enabled": true
},
{
"key": "code",
"value": "NjX...6hg",
"type": "text",
"enabled": true
}
]
},
"description": "The POST request that exchanges the authorization code for tokens. Replace the code with the one you received after signing in, fill in your own client_id and client_secret, then click 'Send'. The response contains an access token, an ID token and a refresh token. To see the claims in the access or ID token, paste it into 'jwt.io' in a browser (the decoding happens in the browser, but a live access token is a credential, so do this only against a test environment or use a local decoder)."
},
"response": []
},
{
"name": "API Request",
"event": [
{
"listen": "test",
"script": {
"type": "text/javascript",
"exec": "tests['Status Code is 200'] = (responseCode.code === 200);\n"
}
}
],
"request": {
"url": "https://my-pc/TodoListService/api/values",
"method": "GET",
"header": [
{
"key": "Authorization",
"value": "Bearer {{access_token}}",
"description": ""
}
],
"body": {
"mode": "formdata",
"formdata": []
},
"description": "An example use of the access token. The Authorization header uses the {{access_token}} global that the token request's test script sets, so there is nothing to paste by hand; just click 'Send'. You should get the default values from \"api/values\" back (a 401 means the API did not accept the token)."
},
"response": []
}
]
}
]
}
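The three requests above are one procedure. As an added example that is not part of the gist, the Python below builds the same authorize URL, token POST and bearer API call from the collection's placeholder values, and adds the two checks a real client should make that the Postman flow skips: a state value verified on the redirect, and an aud check on the returned access token before it is sent to the API. The JWT helper decodes the payload locally (the jwt.io step) without verifying the signature. The redirect URL and token response are constructed sample data; the hosts, client_id and secret are the collection's placeholders, and the sample token's signature is junk.

```python
"""Authorization-code flow against ADFS 4.0 as helper steps that mirror the
Postman requests above. Runs offline: the redirect and token response are
constructed sample data, and the hosts, client ID and secret are the
collection's placeholders, not real values."""
import base64
import json
import secrets
import urllib.parse

ADFS = "https://my-adfs/adfs/oauth2"          # placeholder host from the collection
CLIENT_ID = "a07...e75"                       # placeholder, as in the collection
REDIRECT_URI = "https://my-pc/TodoListWebApp/"
RESOURCE = "https://my-pc/TodoListService/"


def build_authorize_url(state):
    """Step 1: the URL to open in a browser. `state` is a random value the
    client remembers so it can reject a redirect it did not start."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "user_impersonation openid",   # urlencode joins this with '+'
        "resource": RESOURCE,
        "state": state,
    }
    return f"{ADFS}/authorize?" + urllib.parse.urlencode(params)


def code_from_redirect(redirect_url, expected_state):
    """Pull ?code= out of the URL the browser lands on after login, refusing
    it when the state does not match the one this client sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this client")
    return query["code"][0]


def token_request(code, client_secret):
    """Step 2: method, header and x-www-form-urlencoded body of the /token
    POST, returned as a dict so it can be inspected or handed to an HTTP client."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the one sent to /authorize
        "scope": "openid",
    }
    return {
        "url": f"{ADFS}/token",
        "method": "POST",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode(body),
    }


def decode_jwt_claims(token):
    """Decode a JWT payload locally (what jwt.io does) WITHOUT verifying the
    signature: fine for inspecting aud/iss/exp, never for trusting the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def api_request(token_response):
    """Step 3: the bearer header for the API call, after checking that the
    access token was issued for the resource we asked for."""
    access_token = token_response["access_token"]
    claims = decode_jwt_claims(access_token)
    if claims.get("aud") != RESOURCE:
        raise ValueError(f"token audience {claims.get('aud')!r} is not {RESOURCE!r}")
    return {
        "url": f"{RESOURCE}api/values",
        "method": "GET",
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token_response():
    """Constructed stand-in for the JSON ADFS returns from /token; the
    signature segment is junk because only the claims are inspected here."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    claims = _b64url(json.dumps({"aud": RESOURCE,
                                 "iss": "http://my-adfs/adfs/services/trust",
                                 "upn": "user@example.local",
                                 "scp": "user_impersonation openid"}).encode())
    return {"access_token": f"{header}.{claims}.{_b64url(b'not-a-real-signature')}",
            "token_type": "bearer", "expires_in": 3600}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    # Constructed redirect, as the browser would land on it after sign-in.
    code = code_from_redirect(f"{REDIRECT_URI}?code=sample-code&state={state}", state)
    print(token_request(code, "sample-secret")["body"])
    print(api_request(sample_token_response())["headers"])
```

The state check is what stops an attacker from completing the flow in your browser with a code they obtained; the aud check stops a token minted for some other resource from being replayed against this API, which the API itself must also enforce.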