Access Secured Azure Web API from Postman with OAuth 2.0 Authorization

I was working on a Web API and published the API to Azure App Service. I then enabled authentication and authorization using Azure Active Directory. Postman is a great tool to test REST APIs, however, it was bit tricky to setup OAuth 2.0 to test the API. I am outlining steps here to set up OAuth 2.0 and use Postman correctly to test Web API on Azure. Check out the OAuth 2.0 Authorization Framework to know basics about OAuth 2.0 Authentication/Authorization framework.

Setup OAuth 2.0

The first step is to make sure OAuth 2.0 is setup correctly for your API. To set it up follow the below steps:

  • Go to the Azure Active Directory on Azure Portal and select New application registration under App registrations as shown below:


  • Enter API name, API type as Web App / API and sign-on URL on following screen. Sign-on URL is your API URL


  • Once you hit Create, Your API app will be registered, come back to App Registrations and you should see now your API registered along with a unique application ID. This application Id will be used as resource id and client id when doing OAuth 2.0 authentication.


Configure OAuth 2.0 with Postman

  • Under the Authorization Tab, Select Type as OAuth 2.0 and click “Get New Access Token” as shown below:


  • Once you click “Get New Access Token” following screen will appear:


Here are all the parameter details to request the token successfully:

Token Name

Give any name for your reference to your token, You could see all the tokens later under Manage Token options.

Grant Type

Select Authorization Code, to know about each of the grant type, refer to link

Callback URL

Callback URL for an API app is the same as API address. You can also check this URL on azure portal. Azure Active Directory -> App Registration -> App Settings-> Reply URL

Auth. URL and Access Token URL

These URL are the Microsoft Authorization server URL and can be found on portal. Go to your Azure Active Directory -> App Registration -> Endpoints

Note: tenant id is a unique id for your azure active directory. You can also get this id from Azure Active Directory -> Properties -> Directory id

Note: Add a resource parameter to Authorization URL. After the change, authorization URL should look like[tenant id]/oauth2/authorize?resource=<Application ID> (Application ID is the unique id of your registered web API, you setup in step 1

Client Id

Client Id is the application Id of registered web api and is same as resource id.

Client Secret

Client secret needs to be generated on Azure Portal. Go to Azure Active Directory->App Registration -> Select Registered App -> Settings -> Keys to add a new key to get client secret for the web API app as shown below:


  • Description: enter key name
  • Expires: Select the duration of key expiry. You have option to set 1 year, 2 year or never expires.
  • Value: Any text, once you enter any text and text is converted to a key, copy it and save it as it is only shown once and then save the Key and use this key value as client_secret.


Scope is not a required parameter and can be left blank.


State is a key from the client and it can be any unique key you want. The same key is returned in response to make sure access token is returned to same client who requested it.

Client Authentication

Select Send as Basic Auth. Header

After providing all parameter values, click on Request Token, it will prompt Microsoft Login screen to enter credentials. Use any account which is part of your Azure Active Directory user info and grant access, once completed you will get the access token window showing the returned access token with all other info. Scroll down the screen and click “Use Token”. After closing the screen, click on “preview request” which adds the Authorization Headers to the request.


The issues I encountered when trying to create new access token:


AADSTS70002: The request body must contain the following parameter: ‘client_secret or client_assertion’.


Make sure, you provide a client_secret before requesting for access token


AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.


This error comes when supplied client_secret is not same as configured on portal, or client_secret is not configured. Make sure you supply a valid client_secret


AADSTS50001: Resource identifier is not provided.


This error was the most mysterious one and was difficult to find the root cause of it, because, postman does not give any specific parameter to supply resource and I was supplying Auth. URL without resource parameter. The resolution was to provide resource parameter as part of Auth. URL as described above in step 2.




If resource parameter value supplied as part of Auth. URL is not same as expected, then this error is returned. I initially provided resource parameter value as API url as described at many resources found online, and I got this error. I then change the resource value as Application ID of the Web API as described above in step 2 and it worked fine.


Authorize access to web applications using OAuth 2.0 and Azure Active Directory

OAuth 2.0 Authorization Framework

Securing a web API with Azure AD







3 thoughts on “Access Secured Azure Web API from Postman with OAuth 2.0 Authorization

  1. Pingback: Microsoft Integration Weekly Update: Jan 15, 2018 | Hooking Stuffs Together

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s