Using SeaCat Auth with Postman
Postman is a useful development tool for debugging apps that interact with SeaCat Auth. Its major advantage is that it natively handles OAuth 2.0 authentication and provides tools for auth token management.
Prerequisites
- Running instance of SeaCat Auth
  - Check the [general] section in the config to make sure the auth_webui_base_url and public_api_base_url variables point to the actual URLs of your SeaCat Auth WebUI
- Running instance of SeaCat Auth WebUI
  - Auth WebUI is required for authenticating in SeaCat Auth
  - Check the proxy routing (in Nginx) to make sure it points to your SeaCat Auth backend correctly
Configure your Postman environment
- Import the latest collection from the SeaCat Auth repo (located at doc/seacat-auth-api.postman_collection.json)
- Set up a SeaCat Auth Postman environment. The following variables need to be defined:
  - BASE_URL should contain the base URL of your SeaCat API, for example https://my-domain.int/seacat/api/seacat_auth
  - AUTH_URL should contain the base URL of your SeaCat Auth, for example https://my-domain.int/auth. It is used for authenticating your session.
Create an OAuth2 authorized session
- In the Collections panel, open the context menu of your SeaCat Auth collection and choose Edit.
- Navigate to the Authorization tab.
- For Authorization type, choose OAuth 2.0.
- Request a new access token and log in to your SeaCat Auth WebUI
- Your Postman session is now authenticated!
Postman access token details
- Grant type: “Authorization Code”
- Callback URL: http://localhost:8080/???? (???)
- Auth URL: http://localhost:8080/openidconnect/authorize
- Access Token URL: http://localhost:8080/openidconnect/token
- Client Id: [any string]
- Client Secret: [any string]
- Scope: openid
- State: [empty string]
- Client Authentication: Send client credentials in the body
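The settings above map onto the two requests of the standard OAuth 2.0 authorization code flow (RFC 6749). The following sketch is an added example, not code from SeaCat Auth or Postman: it builds both requests offline so you can compare them with what your proxy or backend logs show. The function names, the client id and secret used when calling them, and the callback path (which the page does not give) are placeholders.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

AUTH_URL = "http://localhost:8080/openidconnect/authorize"  # from the page
TOKEN_URL = "http://localhost:8080/openidconnect/token"     # from the page
# Placeholder: the page does not give the callback path.
CALLBACK_URL = "http://localhost:8080/callback-placeholder"


def authorization_request(client_id, scope="openid", state=""):
    """Build the URL the browser opens; the user then logs in via the WebUI."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": CALLBACK_URL, "scope": scope}
    if state:  # this sketch leaves an empty state out of the query string
        params["state"] = state
    return f"{AUTH_URL}?{urlencode(params)}"


def extract_code(redirect_url, expected_state=""):
    """Read the authorization code from the callback redirect."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return query["code"][0]


def token_request(code, client_id, client_secret, credentials_in_body=True):
    """Return (url, headers, body) for the code-for-token exchange."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": CALLBACK_URL}
    if credentials_in_body:
        # Corresponds to "Send client credentials in the body"
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        # Alternative: HTTP Basic auth header (RFC 6749, section 2.3.1)
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return TOKEN_URL, headers, urlencode(form)
```

With credentials in the body, the client secret appears in the form payload of the token request, so request-body logging on the proxy will capture it.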
NOTE
Some API requests will be fulfilled only if you have access to specific admin resources (authz:superuser or authz:tenant:admin).
Check the description of those calls to see if there is any access restriction.