Azure REST API – Part 03 – Request Bearer Token in Postman

In the last blog I showed you how to configure an Application and Service Principal in Azure using PowerShell. We could have used the portal, but the portal changes a lot and the cmdlets are more consistent. In this blog I will show you how to request a bearer token using Postman. If you do not have Postman you can get it from here.

Getting Your Tenant ID

In order to request an OAuth2 bearer token we need to call the following endpoint:

POST https://login.microsoftonline.com/{tenantid}/oauth2/token

The {tenantid} segment is your Tenant ID, which identifies the Azure Active Directory the application and service principal were created in. (This is the v1 token endpoint; the v2.0 endpoint lives under /{tenantid}/oauth2/v2.0/token and takes a scope parameter instead of resource.) In my logged in PowerShell session I run:

Get-AzureRmContext | Select Tenant

The AzureRm cmdlets have since been superseded by the Az module, where the equivalent is Get-AzContext; the Tenant ID it returns is the same value.

Gather the Request Body Parameters

We will use what is referred to as the OAuth 2.0 Client Credentials Grant, which is discussed here. Within the Body of the POST request we need to set the following key/value pairs. Postman's form-data option works against this endpoint; strictly, the OAuth 2.0 spec calls for application/x-www-form-urlencoded, which Postman offers as x-www-form-urlencoded in the same Body tab.

grant_type: client_credentials

client_id: ddf3f917-f657-4759-8750-efa7ec91589e

client_secret: secretpassword

resource: https://management.azure.com/

The grant_type must be client_credentials.

The client_id is the Application Id which we created in the previous blog. (Get-AzureRmADApplication -DisplayName PostmanDemo).ApplicationID

The client_secret is our Service Principal password from the previous blog. Treat it like any other password: do not leave it in a collection you export or share, and prefer putting it in an environment variable rather than typing it into the request body.

The resource is what OAuth 2.0 calls the audience: the API the token is intended for, which ends up in the token's aud claim. Use the value exactly as the target API documents it; for Azure Resource Manager that is https://management.azure.com/ with the trailing slash. Leave it out and this call may still succeed, but any REST call to Azure Resource Manager that presents the token will be rejected, because the token was not issued for that API.

Running in Postman

Create a new POST request in Postman, set the URL to the token endpoint with your tenant ID in the path, add the four key/value pairs above on the Body tab, and click Send. If you were successful you should see a JSON response containing token_type, expires_in, resource and access_token.

Looking at the response properties we see expires_in set to 3599, which is the number of seconds (just under an hour) the token is valid for; after that you need to request a new one. The actual token is stored in access_token. It is a bearer token: whoever presents it is treated as the service principal until it expires, so handle it like a password and do not paste it into tickets, chat or public web sites.

Using Environments and Variables

Now we have our token we will need to add it to every subsequent call, as an Authorization: Bearer header. One of the nice features of Postman is the ability to create multiple environments, each with its own set of variables. I have three Azure subscriptions, for example, so I create one environment per subscription and store the unique subscription id in each one.

In the top right hand corner click the gear icon

Click Add and create a new environment called PostmanDemo. Add a variable called tenantid and add your tenant id to the value. Add a variable called token which we will update after our token request has completed. Click Add again and close the window.


Go ahead and select PostmanDemo in the top right hand corner dropdown.

If you click on the eye button next to the environment you selected, it shows the current values the variables are set to. As you can see token does not have a value yet.

Let’s change our URL to include the tenantid variable rather than the hardcoded value. First of all change the URL to the following:

https://login.microsoftonline.com/:tenantid/oauth2/token

Notice the :tenantid. This is how you declare a path variable in a Postman URL. (You can also write {{tenantid}} directly in the URL; the path-variable form just makes it visible under Params.)

Now click the Params button to the right. It shows all the URL variables. In the Value enter {{tenantid}}. Notice as you type you get intellisense. Click Params again to close.

Click Send and make sure the call still works.

Updating Variables after a Request has Completed

Postman has a feature it calls Scripts that runs JavaScript within a Node.js based sandbox. It allows us to pass data between requests. We have the ability to run some JavaScript before a request is sent and after a request completes. The scope is also tied into Collections and Folders, and we can execute pre and post scripts by collection and by folder. I'll let you follow up on that. For the purposes of this demo I will scope the script at the individual request.

In our request click on the Tests link to open the Test window and enter a short script that pulls access_token out of the JSON response and stores it in the token environment variable. Postman exposes a pm object that is used for pulling out the relevant information. Click here for more information on the objects available in scripts.
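The script below is an added example for the Tests tab, not the code from the original post. In Postman the sandbox injects the pm object; the makeStubPm function at the bottom is a stand-in for the handful of pm members the script uses, so the same logic can be exercised offline under node. The SAMPLE_TOKEN_RESPONSE object is a constructed sample of a v1 token response with a placeholder access_token, and the token_expires_at variable name is my own choice.

```javascript
// Added example: Postman "Tests" script that validates the token response and
// stores the access token (plus an absolute expiry) in the active environment.
// `pm` is provided by Postman; the stub below stands in for it under node.

const EXPECTED_RESOURCE = "https://management.azure.com/";

// Wrapped in pm.test so a failure shows in Postman's Test Results tab rather
// than as a script error. Returns what was stored so a caller can inspect it.
function storeToken(pmObj, expectedResource) {
  const stored = {};
  pmObj.test("token response is usable", function () {
    if (pmObj.response.code !== 200) {
      throw new Error("token endpoint returned HTTP " + pmObj.response.code);
    }
    const body = pmObj.response.json();
    if (body.token_type !== "Bearer") {
      throw new Error("unexpected token_type: " + body.token_type);
    }
    if (typeof body.access_token !== "string" || body.access_token.length === 0) {
      throw new Error("response has no access_token");
    }
    // The v1 endpoint echoes the resource the token was issued for. If it is
    // not the API we intend to call, later requests will be rejected.
    if (body.resource !== expectedResource) {
      throw new Error("token issued for " + body.resource + ", expected " + expectedResource);
    }
    // expires_in is a string of seconds; keep an absolute expiry (epoch seconds)
    // so a pre-request script can decide whether a fresh token is needed.
    const expiresAt = Math.floor(Date.now() / 1000) + Number(body.expires_in);
    pmObj.environment.set("token", body.access_token);
    pmObj.environment.set("token_expires_at", String(expiresAt));
    stored.token = body.access_token;
    stored.expiresAt = expiresAt;
  });
  return stored;
}

// Minimal stand-in for the parts of `pm` used above, for running under node.
// Failed pm.test callbacks are collected in `failures` instead of being shown in the UI.
function makeStubPm(statusCode, bodyObject) {
  const env = new Map();
  const failures = [];
  return {
    response: { code: statusCode, json: () => bodyObject },
    environment: { set: (k, v) => env.set(k, v), get: (k) => env.get(k) },
    test: (name, fn) => { try { fn(); } catch (e) { failures.push(name + ": " + e.message); } },
    failures,
  };
}

// Constructed sample of a v1 token response; the access_token is a placeholder.
const SAMPLE_TOKEN_RESPONSE = {
  token_type: "Bearer",
  expires_in: "3599",
  ext_expires_in: "3599",
  resource: "https://management.azure.com/",
  access_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.SAMPLE.PAYLOAD",
};

// In Postman `pm` exists and the real response is used; under node the stub is.
const runtime = typeof pm !== "undefined" ? pm : makeStubPm(200, SAMPLE_TOKEN_RESPONSE);
storeToken(runtime, EXPECTED_RESOURCE);
```

Paste the whole block into the Tests tab as-is: under Postman the stub is never constructed because pm is defined. The resource check is the cheap way to catch the "forgot the resource parameter" mistake described earlier without decoding the token.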

Click Send and then click on the Eye button to view the variables and values. Notice the token variable now has been populated.

I mentioned the token is in the format of a JSON Web Token (JWT). For fun, if you navigate to http://jwt.calebb.net/ we can decode a token. Be aware that pasting a live token into any third-party site hands that site a working credential for your service principal; decode it locally instead, or only paste tokens that have already expired.
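As an added example (not code from the original post), here is a local decoder for the JWT that also checks the claims that matter before the token is used: aud against the resource requested, exp and nbf against the clock, and appid against the client_id. It runs under node (it uses Buffer) and does not verify the signature, which the API you call does. The sample token is constructed from a made-up payload; the tenant and issuer GUIDs are placeholders, and the appid is the example client_id from this post.

```javascript
// Added example: decode a JWT locally and sanity-check its claims.
// No signature verification here; this is for inspection only.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; convert to standard base64.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split the compact token and JSON-decode the header and payload segments.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token (expected 3 segments)");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// Returns a list of problems; empty means the token looks usable for `resource`.
// aud may or may not carry the trailing slash depending on how resource was
// spelled in the request, so both sides are compared with the slash stripped.
function checkClaims(payload, resource, clientId, nowEpochSeconds) {
  const problems = [];
  const norm = (s) => String(s).replace(/\/$/, "");
  if (norm(payload.aud) !== norm(resource)) {
    problems.push("aud is " + payload.aud + ", expected " + resource);
  }
  if (typeof payload.exp !== "number" || payload.exp <= nowEpochSeconds) {
    problems.push("token is expired");
  }
  if (typeof payload.nbf === "number" && payload.nbf > nowEpochSeconds) {
    problems.push("token is not yet valid (nbf)");
  }
  if (clientId && payload.appid !== clientId) {
    problems.push("appid is " + payload.appid + ", expected " + clientId);
  }
  return problems;
}

// Constructed sample token: RS256 header, made-up v1-style claims, dummy signature.
const SAMPLE_ISSUED_AT = 1700000000;
function makeSampleToken(overrides) {
  const header = { typ: "JWT", alg: "RS256" };
  const payload = Object.assign({
    aud: "https://management.azure.com/",
    iss: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    iat: SAMPLE_ISSUED_AT,
    nbf: SAMPLE_ISSUED_AT,
    exp: SAMPLE_ISSUED_AT + 3599,
    appid: "ddf3f917-f657-4759-8750-efa7ec91589e",
    tid: "00000000-0000-0000-0000-000000000000",
  }, overrides || {});
  return base64UrlEncode(JSON.stringify(header)) + "." +
         base64UrlEncode(JSON.stringify(payload)) + ".c2lnbmF0dXJl";
}

// Pretend "now" is 100 seconds after issue so the sample is still valid.
const SAMPLE_NOW = SAMPLE_ISSUED_AT + 100;
const decoded = decodeJwt(makeSampleToken());
console.log(JSON.stringify(decoded.payload, null, 2));
console.log("problems:", checkClaims(decoded.payload, "https://management.azure.com/",
  "ddf3f917-f657-4759-8750-efa7ec91589e", SAMPLE_NOW));
```

To inspect a real token, replace makeSampleToken() with the value saved in the token environment variable and pass Math.floor(Date.now() / 1000) as the clock. A non-empty problems list for a freshly requested token almost always means the wrong resource was sent.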

In the next blog I will show you how to call a specific request type API.