TIL #2 - Testing Salesforce API with Postman

Continuing work on a portion of a side project tonight, prototyping some API access and calls to Salesforce was on the menu. Since I don't want to go down the wrong road in code yet, I wanted to configure a Postman collection to test out the Salesforce API, and I learned a bunch. For complete details on Salesforce API OAuth options, see the documentation. This post only covers a single scenario: enabling the Authorization Code flow.

Postman Environment for Request Variables

I set up an environment with variables needed for the testing. The grant type of Authorization Code can be set in the collection Authorization tab and the Postman authorization will complete the process of exchanging the authorization code for an access token.

The key variables are the client-id and client-secret values, as well as the scopes, which in my situation were api web refresh_token offline_access. The refresh_token and offline_access scopes enable retrieving a refresh token, which reduces the number of times the user is prompted when access tokens expire.

Postman Collection Creation

A Postman collection is the best way to group API calls and have them inherit the environment for access token and refresh token management during testing.

The Authorization tab of the collection is configured to use the Authorization Code flow. Under the covers it uses the Auth URL of https://login.salesforce.com/services/oauth2/authorize and the Access Token URL of https://login.salesforce.com/services/oauth2/token to build the URLs for getting the authorization code and exchanging that code for an access and refresh token.

The Authorize using browser option is required. Behind the scenes, clicking the Get New Access Token button calls an authorize URL similar to the one below and prompts the user to log in and approve any scopes requested. Line breaks and *** are added for readability.

https://login.salesforce.com/services/oauth2/authorize?
client_id=3MVG9IHf***O8G2jxBLJA6uZGyPFC5Aejq
&redirect_uri=https://oauth.pstmn.io/v1/callback
&response_type=code

Once the code is received, Postman calls the token endpoint with a request similar to this:

https://login.salesforce.com/services/oauth2/token?
grant_type=authorization_code
&code=afkklrQLe7sxWwMY***_JQFuLwHRaRA==
&client_id=3MVG9IHf***O8G2jxBLJA6uZGyPFC5Aejq
&client_secret=*******************
&redirect_uri=https://oauth.pstmn.io/v1/callback

The access token is returned and can be applied to any call in the collection using Postman's {{variable}} replacement syntax.
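The same two requests as an added Node.js example (not code from this post or from Postman): it builds the authorize URL with the scopes above plus a `state` value, checks the callback before using the code, and puts the token parameters in a POST body so the code and client secret never appear in a URL. The function names are illustrative, and the client ID, secret, code and `state` are assumed to be supplied by the caller, with `state` coming from a cryptographically secure random source.

```javascript
// Added example: plain Node.js, no network calls. Endpoints, redirect URI and scopes
// are the ones in the post; credentials, codes and state are caller-supplied placeholders.
const AUTH_URL = 'https://login.salesforce.com/services/oauth2/authorize';
const TOKEN_URL = 'https://login.salesforce.com/services/oauth2/token';
const REDIRECT_URI = 'https://oauth.pstmn.io/v1/callback';
const SCOPES = 'api web refresh_token offline_access';

// Step 1: the URL the browser is sent to. `state` is an unguessable per-request
// value that ties the eventual callback to this browser session.
function buildAuthorizeUrl(clientId, state) {
  const url = new URL(AUTH_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    response_type: 'code',
    scope: SCOPES,
    state,
  }).toString();
  return url.toString();
}

// Step 2: read the redirect back. Reject provider errors and any callback whose
// state does not match the one issued in step 1.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback does not belong to this request');
  }
  const code = params.get('code');
  if (!code) throw new Error('callback carries no authorization code');
  return code;
}

// Step 3: the code-for-token exchange as a POST with a form-encoded body, so the
// code and client_secret stay out of the URL (and out of logs that record URLs).
function buildTokenRequest(code, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: REDIRECT_URI,
  }).toString();
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  return { url: TOKEN_URL, method: 'POST', headers, body };
}
```

The object returned by `buildTokenRequest` can be passed to `fetch(req.url, req)` once real credentials are supplied.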

Using Postman collections, environments and some scripting enables testing a secured API using Postman rather than coding a harness, authentication, authorization and more.


My name is Pete Skelly. I write this blog. I am the VP of Technology at ThreeWill, LLC in Alpharetta, GA.

Tags:
oauth postman til salesforce