Microsoft AAD OAUTH2.0 Postman Collection

By edrin gjoleka

This tutorial has two main goals:

  1. Registering an application in Azure

  2. Testing the OAUTH2 APIs with Postman

Registering an application in Azure


1. Click: Active Directory blade

2. Click: App Registration blade

3. Click: Register an application

4. Add the value in Redirect URI: https://www.getpostman.com/oauth2/callback

5. Click: Authentication blade and it should look like the screenshot below




6. Click: Certificates and secret

7. Click: New client secret, add a description, e.g. postman-key, and save.

8. Copy the value from step 7 and save it somewhere safe, as this is the only time you will be able to see the value of the client secret.

9. Get the client ID and the tenant ID of your application and save them for later use. See the screenshot below.


10. Click: API permissions and make sure that your application has the following permissions:




Testing the OAUTH2 APIs with Postman


1. For this part of the tutorial you will need the client secret from step 7 above, the client ID and the tenant ID.

2. Download Postman from the following link: https://www.getpostman.com/

3. Launch Postman and create a new collection, e.g. OAUTH2.0 AAD

4. Let's create a request to the Microsoft Graph API that returns the signed-in user's information; call it e.g. Get My User Info, GET: https://graph.microsoft.com/v1.0/me

5. Under the Authorization Tab choose Type: OAUTH2.0 and click Get New Access Token

6. Fill the following values as shown in the snippet below:

  • Grant Type : Authorization Code

  • Auth URL: https://login.microsoftonline.com/your-tenant-id-xxx/oauth2/v2.0/authorize

  • Callback URL: https://www.getpostman.com/oauth2/callback

  • Client ID: the value from step 9 above

  • Client Secret: the value from step 7 above

  • Scope: openid https://graph.microsoft.com/user.read

7. Hit the Request Token button

8. You will be redirected to the Microsoft Azure login page; after you authenticate, AAD will issue one bearer token and one ID token for the Postman application, as below:




9. Scroll to the bottom of the popup, click Use Token, and then click Send on the main page of Postman to execute the GET request. Hopefully you will see a similar result:


{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "businessPhones": [],
  "displayName": "edrin gjoleka",
  "givenName": "edrin",
  "jobTitle": null,
  "mail": null,
  "mobilePhone": null,
  "officeLocation": null,
  "preferredLanguage": "en",
  "surname": "gjoleka",
  "userPrincipalName": "xxxxxxxxxxxxxxxxxxxxxx",
  "id": "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
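The same authorization code flow that Postman runs in steps 4 to 9, scripted so you can see each message. This is an added example, not code from the original post or from Postman: it assumes the app registration above (tenant ID, client ID, client secret, redirect URI https://www.getpostman.com/oauth2/callback, scope openid user.read) and uses only the Python 3 standard library. Beyond what the Postman dialog sends, it adds a random `state` value and PKCE (RFC 7636, accepted by the Azure AD v2.0 endpoints) and refuses a callback whose `state` does not match, so a code handed to you by someone else's sign-in is never redeemed. Function names are mine.

```python
"""Scripted Azure AD v2.0 authorization code flow against Microsoft Graph /me.

Added example (not from the original post). Assumed inputs: the tenant ID,
client ID and client secret from the registration steps above.
"""
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"  # v2.0 endpoints, as in step 6
GRAPH_ME = "https://graph.microsoft.com/v1.0/me"                      # the request from step 4
REDIRECT_URI = "https://www.getpostman.com/oauth2/callback"           # registered in Azure step 4
SCOPE = "openid https://graph.microsoft.com/user.read"                # Scope from step 6


def code_challenge_for(verifier: str) -> str:
    """S256 PKCE challenge: base64url(sha256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant: str, client_id: str, state: str, code_challenge: str) -> str:
    """The URL Postman opens in the browser when you click Request Token (plus state/PKCE)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect URL AAD sent the browser to."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback is not for our request, discarding it")
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {qs['error'][0]} {desc}".strip())
    return qs["code"][0]


def token_request_body(client_id: str, client_secret: str, code: str, code_verifier: str) -> dict:
    """Form body for the /token exchange, i.e. what Postman posts after the redirect."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "code_verifier": code_verifier,
    }


def decode_jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT checking the signature; for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def _post_form(url: str, body: dict) -> dict:
    req = urllib.request.Request(url, data=urlencode(body).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _get_json(url: str, bearer: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main() -> None:
    tenant = input("tenant id: ").strip()
    client_id = input("client id: ").strip()
    client_secret = input("client secret: ").strip()
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(64)  # verifier is 86 chars
    print("Open this URL in a browser and sign in:")
    print(build_authorize_url(tenant, client_id, state, code_challenge_for(verifier)))
    code = parse_callback(input("paste the full callback URL from the address bar: ").strip(), state)
    tokens = _post_form(AUTHORITY.format(tenant=tenant) + "/token",
                        token_request_body(client_id, client_secret, code, verifier))
    if decode_jwt_claims(tokens["id_token"]).get("aud") != client_id:
        raise SystemExit("id_token audience is not this app; refusing to continue")
    print(json.dumps(_get_json(GRAPH_ME, tokens["access_token"]), indent=2))


if __name__ == "__main__":
    main()
```

Run it, sign in at the printed URL, and paste the URL the browser lands on (the Postman callback page) back into the prompt; the script redeems the code and prints the same /me document Postman shows. `decode_jwt_claims` only reads claims, it does not verify a signature, so it is enough to confirm the ID token was minted for this client ID but not to trust a token you received from elsewhere; note also that the access token is issued for Graph, not for your app, so only Graph validates it.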


If you want to know more about access tokens and how to validate them read the next post.


Happy coding :)

