Is it possible to use postman to get an access token?

ORY Hydra
#1

I cannot get an access token using Postman’s own ‘Oauth2 -> Get new access token’

I’ve set up (docker) hydra to respond to http://127.0.0.1:4444 (and 4445) - with the flag --dangerous-force-http

I have the (docker) login-consent responding at http://127.0.0.1:9020/login (/consent)

Both hydra and the login-consent are in a docker-compose together with a postgres db.

Client is set up correctly and I see it both in the db and by calling /clients/

If I use the ‘hydra token user…’ as in the documentation, the flow goes to the end and I get the access token.

If I try with Postman, I see the login screen. I enter the correct credentials then everything blows up. No CSRF cookie. Why? I set Postman to retain headers.

These are the last 4 entries in hydra’s log:

time="2020-04-28T10:06:17Z" level=info msg="completed handling request" measure#hydra/admin:http://127.0.0.1:4444/.latency=1687911 method=PUT remote="172.18.0.4:56304" request="/oauth2/auth/requests/login/accept?login_challenge=9c803e96955a49b9b0871f768e722d97" status=200 text_status=OK took=1.687911ms
time="2020-04-28T10:06:17Z" level=info msg="started handling request" method=GET remote="172.18.0.1:33318" request="/oauth2/auth?client_id=edge-app&code_challenge=70ikY3XJWsqC0qQg66WxbXxJKcqqCBDXFO7_dJickWo&code_challenge_method=S256&login_verifier=15c069b3a3304ca3b4dce393b62bffba&redirect_uri=http%3A%2F%2F127.0.0.1%3A9010%2Fcallback&response_type=code&scope=data%3Awrite+profile%3Awrite+profile%3Aread&state=abcdefghi"
time="2020-04-28T10:06:17Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."
time="2020-04-28T10:06:17Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=2526921 method=GET remote="172.18.0.1:33318" request="/oauth2/auth?client_id=edge-app&code_challenge=70ikY3XJWsqC0qQg66WxbXxJKcqqCBDXFO7_dJickWo&code_challenge_method=S256&login_verifier=15c069b3a3304ca3b4dce393b62bffba&redirect_uri=http%3A%2F%2F127.0.0.1%3A9010%2Fcallback&response_type=code&scope=data%3Awrite+profile%3Awrite+profile%3Aread&state=abcdefghi" status=302 text_status=Found took=2.526921ms
#2
#3

Thank you @hackerman for the link to the docs, but I had already poured over them to no avail.

From CSRF Issues

  • You are mixing domains with IP addresses in your request - for example using 127.0.0.1 and localhost in the same flow.

No

  • You are running ORY Hydra via HTTP but are missing the --dangerous-force-http CLI flag.

No

  • You are running the OAuth2 flow in separate browsers, or in a browser with incognito mode. The Brave browser is also known for notoriously discarding cookies when used in “No-Tracking” mode.

No (I think Postman embeds Chromium)

  • You are running ORY Hydra behind a Reverse Proxy (e.g. Load Balancer) that strips the Cookie header. If the reverse proxy supports path rewrites that might also cause issues!

No

  • You are trying to do two OAuth2 flows at the same time in the same Browser.

No

  • You have changed the Cookie SameSite behavior. If this is the default value (you did not change it), this should not be an issue.

No

I also set the OAUTH2_EXPOSE_INTERNAL_ERRORS=true flag but cannot see anything interesting in the logs.

I’ve setup tracing, and I see until the last oauth2/auth trace which succeed and nothing else. No interesting stuff in the traces.

For the lolz, I’ve setup a clean project and followed exactly the Installation and Setup instructions… and the same problem appears.

The hydra token user method works, but requesting via Postman fails.

By using a quick and dirty client (in JS with the package simple-oauth) I can get the token.

Maybe it’s a Postman issue

#4

I’m not sure how you use postman but I’m pretty sure that it will be hard to get it working with it. This stuff is supposed to run in a browser as it’s not just a bunch of REST APIs :slight_smile:

#5

Maybe you’re not acquainted with Postman, but Postman spins up a little browser (I think it is Chrome based) that lets you see the login screen where you can enter [email protected]/foobar. You need to go to the Authentication tab in the request, select Oauth2 and ‘Get new access token’… this brings up a form which you fill with the usual stuff (code, redirect_uri, scopes, auth/token urls, etc.)

This is not the first time I use Postman, Oauth2 or a computer but it is the first time I try to implement something serious with Hydra and since I’ve successfully used Postman to request access tokens in other systems I was wondering if it was a problem with Postman or Hydra and maybe someone here had the same problem.

I know that going into lengthy explanation of non paying customer goes against your business model, but pointing out at the docs and basically saying RTFM it is not a good attitude from the owner of an open source project in 2020. If it was 30 years ago I would have understood.

#6

I don’t use Postman and don’t have experience with it so yeah my answer might be misguided but I don’t really know how to help here? If the regular flow using a normal browser works, it has to do with postman not using the right cookies for the different requests. Maybe it’s related to having multiple Postman Tabs open? I honestly have no idea!

I understand that my answer frustrated you, and I’m sorry for that, but 99% of CSRF issues can be answered with that particular docs section. It’s 2020, sure, but taking 30 minutes of productive time to help everyone means that I can not write software, which in turn benefits noone except the person who’s question was answered.

Even getting a reply is not that common in open source and having a sense of entitlement that maintainers must (for whatever reason) be there to answer your questions is quite infuriating for 99% of people that dedicate so much time to helping anonymous others for usually nothing in return (except for some snarky comments sometimes). I am not saying that I am infuriated because I don’t really care - I am answering questions based on a balance of how much work I have to do and you can take my answers or leave it - but there are a lot more people that are quite sensitive to this so I suggest caution making such comments in other open source projects. It’s quite likely that you will be ignored or rebuffed. Might be different for a few orgs like Facebook that have teams of 10+ of engineers working on the open source stacks but if you’re a small shop that’s just not the case.