In this post, I'll show you how to set up OAuth 2.0 manually, without using Postman's built-in OAuth 2.0 feature.


Configure external library

First of all, Postman doesn't provide a way to sign JWTs with a private key, so I had to use an external library for that: jsrsasign.

To use the library in Postman, you need to load its source code into a Postman variable. Create a GET request to the https://cdn.jsdelivr.net/npm/[email protected]/lib/jsrsasign-all-min.min.js URL, then configure its Post-response script to save the response body as a variable. Here is the script that does this:

Post-response script

// I'm using collection variables to store the jsrsasign library, you can use environment variables as well
pm.collectionVariables.set("jsrsasign-js", pm.response.text());

Configure the OAuth 2.0 token

After that, create another request, this time a POST to your OAuth 2.0 token URL, and load the library in its Pre-request script by eval'ing the saved variable. The example below gets an OAuth 2.0 token for NetSuite. Here is the script that signs the JWT with a private key:

Pre-request script

// import atob function to decode base64
var atob = require('atob');

// Resolve "ReferenceError: navigator is not defined"
var navigator = {};

// Resolve "ReferenceError: window is not defined"
var window = {};

// Load the jsrsasign library
eval(pm.collectionVariables.get("jsrsasign-js"));

// the current time in milliseconds
var currentTime = +new Date();

var issuedAtTimeSeconds = currentTime / 1000;
var expirationTimeSeconds = currentTime / 1000 + 3600;

// Create Header and Payload objects
var header = {
    "kid": pm.collectionVariables.get("client_assertion_kid"),
    "alg": "RS256",
    "typ": 'JWT',
};

// Payload below is an example for NetSuite, you can change it according to your OAuth 2.0 provider
var payload = {
    "iss": pm.collectionVariables.get("client_credentials_jwt"),
    "scope": "restlets,rest_webservices",
    "aud": pm.collectionVariables.get("oauth_url"),
    "exp" : Math.ceil(expirationTimeSeconds),
    "iat" : Math.ceil(issuedAtTimeSeconds)
};

// Prep the objects for a JWT
var sHeader = JSON.stringify(header);
var sPayload = JSON.stringify(payload);

// Use the jsrsasign module to create the signed JWT
var privateKey = pm.collectionVariables.get("private_key");
var password = pm.collectionVariables.get("keyPassword");

// The key is stored as a base64-encoded PEM string in the "pem" variable, so decode it first
var prvKey = atob(pm.collectionVariables.get('pem'));

// Sign the JWT
var sJWT = KJUR.jws.JWS.sign(header.alg, sHeader, sPayload, prvKey);

pm.collectionVariables.set("client_assertion", sJWT);

Post-response script

pm.test("Access Token received", function () {
    pm.expect(pm.response.text()).to.include("access_token");

    var jsonData = pm.response.json();
    pm.collectionVariables.set("access_token", jsonData.access_token);
});

Conclusion

That's it! You can now use the access_token to test your APIs in Postman.