
OAuth 2.0 flow in Postman - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual (intermediate)
OAuth 2.0: Purpose of Authorization Code

In the OAuth 2.0 Authorization Code flow, what is the main purpose of the authorization code?

A. It is a refresh token used to get new access tokens after expiration.
B. It is the final token used to access protected resources directly.
C. It is a temporary code used to obtain an access token securely without exposing user credentials.
D. It is a client secret used to authenticate the client application.
💡 Hint

Think about why the authorization code is exchanged for an access token instead of using it directly.

Predict Output (intermediate)
Postman: OAuth 2.0 Access Token Retrieval Result

Given this Postman OAuth 2.0 token request setup, what will be the result if the client_id or client_secret is incorrect?

POST /oauth/token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

client_id=wrong_id&client_secret=wrong_secret&grant_type=authorization_code&code=abc123&redirect_uri=https://app.example.com/callback

A. {"error":"invalid_client","error_description":"Client authentication failed"}
B. {"access_token":"xyz789","token_type":"Bearer","expires_in":3600}
C. HTTP 500 Internal Server Error
D. {"error":"invalid_grant","error_description":"Authorization code expired"}
💡 Hint

Consider what happens when client credentials are wrong during token exchange.

Assertion (advanced)
Validating OAuth 2.0 Access Token Response in Postman Test Script

Which Postman test script assertion correctly verifies that the access token is present and is a non-empty string in the OAuth 2.0 token response?

pm.test("Access token is present and valid", function () {
    const jsonData = pm.response.json();
    // Assertion goes here
});

A. pm.expect(jsonData.access_token).to.exist.and.equal(true);
B. pm.expect(jsonData.access_token).to.be.a('string').and.not.empty;
C. pm.expect(jsonData.access_token).to.be.undefined;
D. pm.expect(jsonData.access_token.length).to.be.above(10);
💡 Hint

Check for type string and that it is not empty.

🔧 Debug (advanced)
Debugging OAuth 2.0 Token Expiry Handling in Postman

You have a Postman test script that checks if the access token expires in less than 5 minutes and fails the test if so. The script is:

pm.test("Token expiry is sufficient", function () {
    const jsonData = pm.response.json();
    pm.expect(jsonData.expires_in & 300).to.be.true;
});

What is the issue with this script?

A. The test incorrectly expects expires_in to be less than 300 seconds.
B. The test should check for jsonData.access_token instead of expires_in.
C. The pm.expect syntax is invalid and will cause a syntax error.
D. The bitwise AND operator (&) is used instead of the greater than operator (>), causing incorrect evaluation.
💡 Hint

Look carefully at the operator used in the assertion.

Framework (expert)
Automating OAuth 2.0 Authorization Code Flow in Postman Collection Runner

Which approach correctly automates the OAuth 2.0 Authorization Code flow in Postman Collection Runner to obtain and use access tokens dynamically?

A. Use a pre-request script to request the authorization code manually, then exchange it for an access token and save it to an environment variable for subsequent requests.
B. Manually copy the access token from the browser and paste it into Postman environment variables before running the collection.
C. Set the access token as a global variable once and reuse it indefinitely without refreshing.
D. Use Postman's built-in OAuth 2.0 token helper to get the token once and hardcode it in the Authorization header.
💡 Hint

Think about how to automate token retrieval and usage dynamically in Postman scripts.