getting login acess_token with auth0 to postman

Question

I created an app in Go that includes https server with angular2 based client that uses auth0 for authentication, I have another app written in Go which is the API Server, this API Server has jwt middleware configured for auth0 at explained at https://auth0.com/docs/quickstart/backend/golang.

now... I want to use postman to test requests o my API Server but first I need to authenticate. how do I add authentication to my website to get an access token or something to forward with my API request?

I read the docs but I got really confused. any information regarding the issue would be greatly appreciated.

Using Postman Mac App 4.4.2

thanks!

update

so I installed Authentication API Collections on my Postman Mac App while being logged in to my auth0 account.

now I'm trying to get an access token to be used with the authentication header while posting to my Api Server.

I don't know which method I should use in the collection in order to get an access token.

Answer 1

It's quite interesting and tricky at the same time :)

First you need to get the token from Auth0 using Postman, remember you can get any info from App Settings in Auth0

In above picture, you see id_token and access_token. The trick here is to use Id_token to send with your requests, not Access_token. Do it as follow:

As you can see, for any request sending to API, we need to add a header called Authorization with value="Bearer {id_token}". Boom...Job's done :) Hope it helps

Answer 2

Here are a few approaches to test JWT-based APIs: https://auth0.com/docs/local-testing-and-development#client-side-applications-and-jwt

Client-side applications and JWT

This is usually the easiest scenario to test. One of the benefits of JSON Web Tokens is that they are stateless, which means that an application that consumes them only cares about the JWT's contents and not any previous state such as a session cookie.

There are mainly three approaches to obtaining JWTs for testing:

1. Manually generate a JWT with the needed data, and sign it with your Auth0 application's client secret. If you omit the exp claim from a token, most JWT libraries will interpret it as a token which never expires, though it's possible some libraries might reject it. The benefit of this approach is that it does not require Internet access or intervention from Auth0 at all.

2. Create a dummy user in a database connection, and programatically log in with this user through the resource owner endpoint. In order to get a JWT back, make sure to set the correct scope value. The benefit of this approach is that it will execute any rules that you have configured on your Auth0 account.

3. Use a browser bot (e.g. Selenium) which logs a dummy user in and retrieves a JWT. This approach may take some effort to develop and maintain, but it will also execute any redirection rules or MFA prompts that you have configured on your Auth0 account.