Is it possible to use postman to get an access token?

I cannot get an access token using Postman’s own ‘Oauth2 -> Get new access token’

I’ve set up (docker) hydra to respond to (and 4445) - with the flag --dangerous-force-http

I have the (docker) login-consent responding at (/consent)

Both hydra and the login-consent are in a docker-compose together with a postgres db.

Client is set up correctly and I see it both in the db and by calling /clients/

If I use the ‘hydra token user…’ as in the documentation, the flow goes to the end and I get the access token.

If I try with Postman, I see the login screen. I enter the correct credentials then everything blows up. No CSRF cookie. Why? I set Postman to retain headers.

These are the last 4 entries in hydra’s log:

time="2020-04-28T10:06:17Z" level=info msg="completed handling request" measure#hydra/admin: method=PUT remote="" request="/oauth2/auth/requests/login/accept?login_challenge=9c803e96955a49b9b0871f768e722d97" status=200 text_status=OK took=1.687911ms
time="2020-04-28T10:06:17Z" level=info msg="started handling request" method=GET remote="" request="/oauth2/auth?client_id=edge-app&code_challenge=70ikY3XJWsqC0qQg66WxbXxJKcqqCBDXFO7_dJickWo&code_challenge_method=S256&login_verifier=15c069b3a3304ca3b4dce393b62bffba&redirect_uri=http%3A%2F%2F127.0.0.1%3A9010%2Fcallback&response_type=code&scope=data%3Awrite+profile%3Awrite+profile%3Aread&state=abcdefghi"
time="2020-04-28T10:06:17Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."
time="2020-04-28T10:06:17Z" level=info msg="completed handling request" measure#hydra/public: method=GET remote="" request="/oauth2/auth?client_id=edge-app&code_challenge=70ikY3XJWsqC0qQg66WxbXxJKcqqCBDXFO7_dJickWo&code_challenge_method=S256&login_verifier=15c069b3a3304ca3b4dce393b62bffba&redirect_uri=http%3A%2F%2F127.0.0.1%3A9010%2Fcallback&response_type=code&scope=data%3Awrite+profile%3Awrite+profile%3Aread&state=abcdefghi" status=302 text_status=Found took=2.526921ms

Thank you @hackerman for the link to the docs, but I had already poured over them to no avail.

From CSRF Issues

  • You are mixing domains with IP addresses in your request - for example using and localhost in the same flow.


  • You are running ORY Hydra via HTTP but are missing the --dangerous-force-http CLI flag.


  • You are running the OAuth2 flow in separate browsers, or in a browser with incognito mode. The Brave browser is also known for notoriously discarding cookies when used in “No-Tracking” mode.

No (I think Postman embeds Chromium)

  • You are running ORY Hydra behind a Reverse Proxy (e.g. Load Balancer) that strips the Cookie header. If the reverse proxy supports path rewrites that might also cause issues!


  • You are trying to do two OAuth2 flows at the same time in the same Browser.


  • You have changed the Cookie SameSite behavior. If this is the default value (you did not change it), this should not be an issue.


I also set the OAUTH2_EXPOSE_INTERNAL_ERRORS=true flag but cannot see anything interesting in the logs.

I’ve setup tracing, and I see until the last oauth2/auth trace which succeed and nothing else. No interesting stuff in the traces.

For the lolz, I’ve setup a clean project and followed exactly the Installation and Setup instructions… and the same problem appears.

The hydra token user method works, but requesting via Postman fails.

By using a quick and dirty client (in JS with the package simple-oauth) I can get the token.

Maybe it’s a Postman issue

I’m not sure how you use postman but I’m pretty sure that it will be hard to get it working with it. This stuff is supposed to run in a browser as it’s not just a bunch of REST APIs :slight_smile:

Maybe you’re not acquainted with Postman, but Postman spins up a little browser (I think it is Chrome based) that lets you see the login screen where you can enter [email protected]/foobar. You need to go to the Authentication tab in the request, select Oauth2 and ‘Get new access token’… this brings up a form which you fill with the usual stuff (code, redirect_uri, scopes, auth/token urls, etc.)

This is not the first time I use Postman, Oauth2 or a computer but it is the first time I try to implement something serious with Hydra and since I’ve successfully used Postman to request access tokens in other systems I was wondering if it was a problem with Postman or Hydra and maybe someone here had the same problem.

I know that going into lengthy explanation of non paying customer goes against your business model, but pointing out at the docs and basically saying RTFM it is not a good attitude from the owner of an open source project in 2020. If it was 30 years ago I would have understood.

I don’t use Postman and don’t have experience with it so yeah my answer might be misguided but I don’t really know how to help here? If the regular flow using a normal browser works, it has to do with postman not using the right cookies for the different requests. Maybe it’s related to having multiple Postman Tabs open? I honestly have no idea!

I understand that my answer frustrated you, and I’m sorry for that, but 99% of CSRF issues can be answered with that particular docs section. It’s 2020, sure, but taking 30 minutes of productive time to help everyone means that I can not write software, which in turn benefits noone except the person who’s question was answered.

Even getting a reply is not that common in open source and having a sense of entitlement that maintainers must (for whatever reason) be there to answer your questions is quite infuriating for 99% of people that dedicate so much time to helping anonymous others for usually nothing in return (except for some snarky comments sometimes). I am not saying that I am infuriated because I don’t really care - I am answering questions based on a balance of how much work I have to do and you can take my answers or leave it - but there are a lot more people that are quite sensitive to this so I suggest caution making such comments in other open source projects. It’s quite likely that you will be ignored or rebuffed. Might be different for a few orgs like Facebook that have teams of 10+ of engineers working on the open source stacks but if you’re a small shop that’s just not the case.