79749619

Date: 2025-08-28 21:30:06
Score: 0.5

Expanding on the answer from @Guillaume.

How does one see what that request looks like?

From what I have seen, Postman doesn't include a way to see what this request looks like, so you will have to use a third-party tool. I used Progress Telerik Fiddler, clicking the "Any Process" button at the top and dragging it to my Postman window. This will allow you to view the requests sent by that specific process, capturing the header, query parameters, etc. If you double-click on a request, you will see tabs to view the Headers, TextView, etc., though you may need to play around to understand exactly what it is doing.

Are these parameters (client id, client secret, etc.) placed in a POST body? What are the headers?

For OAuth 2.0, the client id and client secret are sent as a base64-encoded, colon (:) delimited key-value pair. For example, if your client id is "MyClientID" and your client secret is "MyClientSecret", you would put the two values together as "MyClientID:MyClientSecret", base64 encode that value, and provide a header with the key "Authorization" and a value of "TXlDbGllbnRJRDpNeUNsaWVudFNlY3JldA==".

For other parameters, such as "grant_type" and "scope", these are provided as part of the POST body, but if you were looking at the Fiddler results, it may not be clear what format is used for the POST body that Postman is sending. It turns out that (for v11.60.3) Postman uses the "x-www-form-urlencoded" format for sending OAuth 2.0 token requests.


Example OAuth 2.0 Request Results from Fiddler:

Headers:

POST /oauth/token HTTP/1.1
Cache
    Cache-Control: no-cache
Client
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    User-Agent: PostmanRuntime/7.45.0
Cookies
    Cookie
        PreventSameSiteRedirect=abcd1234-ab12-ab12-ab12-abcdef123456
Entity
    Content-Length: 136
    Content-Type: application/x-www-form-urlencoded
Miscellaneous
    Postman-Token: abcd1234-ab12-ab12-ab12-abcdef123456
Security
    Authorization: Basic TXlDbGllbnRJRDpNeUNsaWVudFNlY3JldA==
Transport
    Connection: keep-alive
    Host: my.webhost.com

TextView

grant_type=client_credentials&scope=my.webhost.com/scope.readonly

Example cURL code snippet for the above request (x-www-form-urlencoded):

curl --location 'https://my.webhost.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic TXlDbGllbnRJRDpNeUNsaWVudFNlY3JldA==' \
--header 'Cookie: PreventSameSiteRedirect=abcd1234-ab12-ab12-ab12-abcdef123456' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=my.webhost.com/scope.readonly'

Example cURL code snippet for the above request (application/json):

curl --location 'https://my.webhost.com/oauth/token' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic TXlDbGllbnRJRDpNeUNsaWVudFNlY3JldA==' \
--header 'Cookie: PreventSameSiteRedirect=abcd1234-ab12-ab12-ab12-abcdef123456' \
--data '{
    "grant_type": "client_credentials",
    "scope": "my.webhost.com/scope.readonly"
}'
Reasons:
  • Long answer (-1):
  • Has code block (-0.5):
  • Contains question mark (0.5):
  • User mentioned (1): @Guillaume
  • Low reputation (0.5):
Posted by: Spazmoose
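
Added example, not part of the original answer or of Postman: a Python sketch that rebuilds the token request shown in the Fiddler capture and decodes or masks its Authorization header. The function names are hypothetical, the per-part URL encoding follows RFC 6749 section 2.3.1, and the sample values are the constructed ones from the answer. Since base64 is reversible, a shared capture exposes the client secret unless it is masked first.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode


def basic_auth_value(client_id, client_secret):
    """Build the Authorization value for client id/secret (HTTP Basic)."""
    # RFC 6749 section 2.3.1: form-urlencode each part, join with ":", base64.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def decode_basic_auth(value):
    """Recover (client_id, client_secret) from a captured header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization value")
    pair = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    client_id, sep, secret = pair.partition(":")
    if not sep:
        raise ValueError("no ':' between client id and secret")
    return unquote_plus(client_id), unquote_plus(secret)


def build_token_request(host, path, client_id, client_secret, scope):
    """Return the raw HTTP/1.1 text of a client_credentials token request."""
    # urlencode() escapes "/" as %2F; the server decodes it to the same scope.
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    head = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('ascii'))}",
        f"Authorization: {basic_auth_value(client_id, client_secret)}",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


def redact_capture(raw):
    """Mask the Authorization credential so a capture can be shared."""
    return "\r\n".join(
        "Authorization: <redacted>"
        if line.lower().startswith("authorization:") else line
        for line in raw.split("\r\n"))


if __name__ == "__main__":
    # Constructed sample values, taken from the answer's own example.
    req = build_token_request("my.webhost.com", "/oauth/token", "MyClientID",
                              "MyClientSecret", "my.webhost.com/scope.readonly")
    print(redact_capture(req))
```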