Postman | testing | ~10 mins

OAuth 2.0 flow in Postman - Test Execution Trace

Test Overview

This test exercises the OAuth 2.0 authorization code flow in Postman: it exchanges an authorization code for an access token at the token endpoint, verifies that the token is returned, and then confirms that the token can be used to call a protected API endpoint.

Test Code - Postman
pm.test("OAuth 2.0 Access Token Retrieval and API Access", function () {
    // Step 1: exchange the authorization code for an access token at the token endpoint
    pm.sendRequest({
        url: pm.environment.get('token_url'),
        method: 'POST',
        header: {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        body: {
            mode: 'urlencoded',
            urlencoded: [
                { key: 'grant_type', value: 'authorization_code' },
                { key: 'code', value: pm.environment.get('auth_code') },
                { key: 'redirect_uri', value: pm.environment.get('redirect_uri') },
                { key: 'client_id', value: pm.environment.get('client_id') },
                { key: 'client_secret', value: pm.environment.get('client_secret') }
            ]
        }
    }, function (err, res) {
        pm.expect(err).to.be.null;
        // In the Postman response object, `code` is the numeric HTTP status;
        // `status` is the reason phrase ("OK"), so asserting status === 200 would always fail
        pm.expect(res).to.have.property('code', 200);
        const jsonData = res.json();
        pm.expect(jsonData).to.have.property('access_token');
        // Step 2: the token must be a non-empty string before it is stored and reused
        pm.expect(jsonData.access_token).to.be.a('string').and.not.empty;
        pm.environment.set('access_token', jsonData.access_token);

        // Step 3: call the protected API with the Bearer token
        pm.sendRequest({
            url: pm.environment.get('protected_api_url'),
            method: 'GET',
            header: {
                'Authorization': `Bearer ${jsonData.access_token}`
            }
        }, function (err2, res2) {
            pm.expect(err2).to.be.null;
            pm.expect(res2).to.have.property('code', 200);
            // Step 4: the protected resource returns the expected user data
            pm.test('Protected API returns expected data', function () {
                const apiData = res2.json();
                pm.expect(apiData).to.have.property('user');
            });
        });
    });
});
Execution Trace - 4 Steps

Step 1
  Action: Send POST request to token endpoint with authorization code and client credentials
  System state: Postman sends request to token_url with correct headers and body
  Assertion: Response status code is 200 and contains access_token
  Result: PASS

Step 2
  Action: Extract access_token from response and save to environment variable
  System state: access_token stored in Postman environment
  Assertion: access_token is not empty or null
  Result: PASS

Step 3
  Action: Send GET request to protected API endpoint with Bearer token authorization header
  System state: Postman sends request to protected_api_url with Authorization header
  Assertion: Response status code is 200
  Result: PASS

Step 4
  Action: Verify protected API response contains expected user data
  System state: Response JSON includes 'user' property
  Assertion: 'user' property exists in response JSON
  Result: PASS
Failure Scenario
Failing Condition: Authorization code is invalid or expired, or client credentials are incorrect
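The checks the test performs on the token endpoint response, together with the failure scenario above, as an added Node.js example that is not part of the original page or of Postman: it validates a token response per RFC 6749 (success in section 5.1, error in section 5.2) so that an invalid or expired code or bad client credentials is reported by its `error` code instead of surfacing as a missing access_token. The function names and the sample responses are constructed for this example.

```javascript
// Added example (not from the original page): the assertions the Postman test
// makes, written as plain Node.js functions that run and can be tested offline.

// Form-urlencoded token request body (RFC 6749 section 4.1.3), the same
// key/value pairs the Postman script sends. URLSearchParams escapes the values,
// so a client secret containing '&' or '=' cannot corrupt the request.
function buildTokenRequestBody({ code, redirectUri, clientId, clientSecret }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_secret: clientSecret,
  }).toString();
}

// Validate a token endpoint response: numeric HTTP status first, then either a
// successful token response (section 5.1) or an error response (section 5.2).
function checkTokenResponse(statusCode, body) {
  if (statusCode === 200) {
    if (typeof body.access_token !== 'string' || body.access_token.length === 0) {
      return { ok: false, reason: 'access_token missing or empty' };
    }
    if (typeof body.token_type !== 'string' || body.token_type.toLowerCase() !== 'bearer') {
      return { ok: false, reason: 'unexpected token_type' };
    }
    return { ok: true, accessToken: body.access_token };
  }
  // Failure scenario from the trace: an invalid/expired code is answered with
  // 400 invalid_grant, bad client credentials with 400 or 401 invalid_client.
  if ((statusCode === 400 || statusCode === 401) && typeof body.error === 'string') {
    return { ok: false, reason: body.error };
  }
  return { ok: false, reason: `unexpected status ${statusCode}` };
}

// Authorization header for the protected API call (RFC 6750 section 2.1).
function bearerHeader(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}

// Constructed sample responses, not captured from any real server.
const SAMPLE_TOKEN_OK = { access_token: 'sample-access-token', token_type: 'Bearer', expires_in: 3600 };
const SAMPLE_TOKEN_ERR = { error: 'invalid_grant', error_description: 'authorization code expired' };
```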
Execution Trace Quiz - 3 Questions
Test your understanding
What is the first step in the OAuth 2.0 flow tested here?
A. Refreshing the access token
B. Calling the protected API without a token
C. Requesting an access token using the authorization code
D. Logging out the user
Key Result
Always verify that the access token is correctly retrieved before using it to access protected resources. This ensures the OAuth 2.0 flow is working end-to-end.