Software AG Products 10.11 | webMethods API Gateway Documentation | Using API Gateway | Usage Scenarios | Securing Access Token Calls with PKCE

How do I secure the access token with Authorization Code (With PKCE) grant type using Postman?
This use case starts when you enforce PKCE and ends when you obtain the access token securely using Postman.
To secure the access token:
1. Create OAuth scope in the local authorization server.
2. Create an application with OAuth2 authentication strategy. For details about creating an application, see Creating an Application.
a. Click the Authentication tab to create a strategy with OAuth2 authentication.
Make sure you have selected the following mandatory fields for this use case:
*Select the Authentication schemes as OAUTH2.
*Specify the Authentication server as local.
*Select the Application Type as Public.
*Specify the grant type to be used to generate the credentials. For this specific use case, you must select authorization_code, which is dynamically populated from the authorization server.
*Specify the Postman callback URL https://oauth.pstmn.io/v1/callback as the redirect URI.
*Specify the OAuth scope that you have created for the local authorization server in Step 1.
b. Click Add to save the strategy.
c. Click Save to save the application.
3. In Postman, under the Authorization tab, select the authorization type as OAuth 2.0 from the TYPE drop-down menu.
a. In the Configure New Token section, select the grant type as Authorization Code (With PKCE).
b. Type the redirect URL https://oauth.pstmn.io/v1/callback in the Callback URL text box.
c. Select the Authorize using browser check box.
d. Type the authorization URL http(s)://hostname:port/invoke/pub.apigateway.oauth2/authorize in the Auth URL text box.
e. Type http(s)://hostname:port/invoke/pub.apigateway.oauth2/getAccessToken in the Access Token URL text box.
f. Type the client ID and client secret in the Client ID and Client Secret text boxes respectively.
Note:
You can get the client ID and client secret from the Authentication tab of the Application screen.
g. Select the hashing method used to generate the code challenge from the Code Challenge Method drop-down menu.
h. Specify the OAuth scope that you have created for the local authorization server in Step 1 in the Scope text box.
i. Select the client authentication as Send client credentials in body.
j. Click the Get New Access Token button.
k. Click the Approve button.
The MANAGE ACCESS TOKENS pop-up window displays the access token.
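What Postman does behind the Get New Access Token button, as an added example that is not part of this documentation or the API Gateway product: it generates a random code_verifier, sends only its S256 code_challenge to the authorize endpoint (steps d, g and h), and later presents the verifier to getAccessToken (steps e and i) so that an intercepted authorization code cannot be exchanged without it. The gateway host is the page's http(s)://hostname:port placeholder; the client ID, scope and state values are constructed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder host exactly as the page writes it; substitute your gateway.
GATEWAY = "https://hostname:port"
AUTHORIZE_URL = f"{GATEWAY}/invoke/pub.apigateway.oauth2/authorize"
TOKEN_URL = f"{GATEWAY}/invoke/pub.apigateway.oauth2/getAccessToken"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"  # Postman callback from step 2


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved chars from a CSPRNG."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """S256 Code Challenge Method: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id: str, scope: str, verifier: str, state: str) -> str:
    """Authorization request (Auth URL): carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # bound to the browser session to detect injected callbacks
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, client_secret: str, code: str, verifier: str):
    """Token request (Access Token URL) with credentials sent in the body, step i."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }
    return TOKEN_URL, body


def server_side_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does: recompute S256 and compare in constant time."""
    return secrets.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))
```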