Best practice for developer/tester to get the access token

Hi Experts,

Recently I’m integrating the OAuth authorization flow into our application. I implemented a simple login-consent app to get the access token and it works fine with a browser. We plan to use the token generated by Hydra to protect our API. However, as BE developers we might not have contact with the FE page (browser) in the development stage; especially when we write integration tests, we expect that we can get the token by calling an API. I tried to get the token by triggering the authorisation flow in the BE, but I always get stuck when the login provider tries to redirect to consent, with the error (“The CSRF value from the token does not match the CSRF value from the data store”). When I debugged, I found that Hydra didn’t provide the CSRF value in a cookie if I didn’t trigger the request from a browser, so that might be the reason for this issue?

So my question is: what is the best practice for working with Hydra, for a BE developer/tester trying to get the access token in the development/testing stage without integrating with a browser?

Thank you!

Have you seen this page? https://www.ory.sh/hydra/docs/debugging#i-am-running-into-csrf-issues

Hi Aeneasr,

Yes, I went through this page and I’m sure I’m following the rules listed there. Actually, as I mentioned, everything works fine if I work with a browser. But if the request comes from Postman or somewhere else instead of a browser, it causes the CSRF token issue, even when I use the official sample https://github.com/ory/hydra-login-consent-node.

I presume Hydra is designed for OAuth requests triggered from a browser, am I correct? If so, is it possible for a BE developer/tester to get the token in the development or testing stage without invoking a browser? It would be great if you could share some of your experience. Thank you. 🙂

No, OAuth2 is a browser protocol. Without cookies, no OAuth2!
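
The cookie dependency discussed in this thread, reproduced as an added example (not part of the original posts and not Hydra code): a constructed mock authorization server sets a CSRF cookie when the flow starts and checks it when the login step redirects back, and an API client follows the redirects with and without a cookie jar. The paths `/auth` and `/login`, the cookie name `csrf` and the helper `run_flow` are hypothetical.

```python
import http.cookiejar, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

STORE = {}  # challenge -> CSRF value the server expects back (its "data store")

class MockAuthServer(BaseHTTPRequestHandler):
    """Constructed stand-in for an authorization server; not Hydra code."""
    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        if url.path == "/auth" and "verifier" not in query:
            # Step 1: start the flow and bind it to this client with a cookie.
            challenge, csrf = secrets.token_hex(8), secrets.token_hex(8)
            STORE[challenge] = csrf
            self.send_response(302)
            self.send_header("Set-Cookie", f"csrf={csrf}; Path=/; HttpOnly")
            self.send_header("Location", f"/login?challenge={challenge}")
        elif url.path == "/login":
            # Step 2: the login app accepts and redirects back with a verifier.
            challenge = query.get("challenge", [""])[0]
            self.send_response(302)
            self.send_header("Location", f"/auth?verifier={challenge}")
        else:
            # Step 3: the cookie sent back must match the stored CSRF value.
            expected = STORE.get(query.get("verifier", [""])[0])
            sent = self.headers.get("Cookie", "")
            ok = expected is not None and sent == f"csrf={expected}"
            self.send_response(200 if ok else 403)
        self.end_headers()

    def log_message(self, *args):  # keep test output quiet
        pass

def run_flow(with_cookie_jar):
    """Follow the redirects as an API client; return the final HTTP status."""
    server = HTTPServer(("127.0.0.1", 0), MockAuthServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    handlers = [urllib.request.ProxyHandler({})]  # talk to localhost directly
    if with_cookie_jar:
        jar = http.cookiejar.CookieJar()
        handlers.append(urllib.request.HTTPCookieProcessor(jar))
    opener = urllib.request.build_opener(*handlers)
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return opener.open(base + "/auth", timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code  # 403: CSRF cookie was not replayed
    finally:
        server.shutdown()
        server.server_close()
```

Against this mock, `run_flow(True)` completes the flow and `run_flow(False)` is rejected at the CSRF check, because only the first client replays the cookie set at the start of the flow.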