I'm testing an implementation of JWT Token based security based off the following article. I have successfully received a token from the test server. I can't figure out how to have the Chrome POSTMAN REST Client program send the token in the header.
https://i.stack.imgur.com/MqjLs.png
My questions are as follows:
1) Am I using the right header name and/or POSTMAN interface?
2) Do I need to base 64 encode the token? I thought I could just send the token back.
For the request header name just use Authorization. Place Bearer before the token. I just tried it out and it works for me.
Authorization: Bearer TOKEN_STRING
Each part of the JWT is a base64url encoded value.
Here is an image if it helps :)
https://i.stack.imgur.com/OjNGc.png
Update:
https://i.stack.imgur.com/Ki615.png
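As an added example that is not part of this answer (and not Postman code), the Node.js script below decodes the three base64url segments of the JWT quoted in a later answer on this page. It shows why question 2 is answered "send the token back as-is": the parts are already base64url-encoded JSON, readable by anyone holding the token, and the Authorization header carries the raw token with no further encoding. The function and variable names are mine.

```javascript
// Added example, not from the original answers: decode a JWT's three base64url
// segments to show that they are plain JSON (readable by anyone who holds the
// token) and that the token is sent exactly as received, with no re-encoding.
// SAMPLE_JWT is the token quoted in a later answer on this page.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbWFsIiwiZXhwIjoxNDk4OTIwOTEyfQ.' +
  'dYEbf4x5TGr_kTtwywKPI2S-xYhsp5RIIBdOa_wl9soqaFkUUKfy73kaMAv_c-6cxTAqBwtskOfr-Gm3QI0gpQ';

// base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', and no '='
// padding. Handing a JWT segment to a strict standard-base64 decoder is the usual
// reason "decoding" a token fails, so convert explicitly and re-add padding.
function base64urlDecode(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not a base64url string');
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64');
}

// Split header.payload.signature and parse the two JSON parts. This does NOT
// verify the signature, so the claims are untrusted: fine for inspecting a token
// in a test client, never a substitute for verification on the server.
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, sig] = parts;
  return {
    header: JSON.parse(base64urlDecode(h).toString('utf8')),
    payload: JSON.parse(base64urlDecode(p).toString('utf8')),
    signatureBytes: base64urlDecode(sig).length, // 64 bytes for an HS512 MAC
  };
}

// exp is seconds since the Unix epoch; nowSeconds is a parameter so the check
// can be exercised against a fixed clock.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp === 'number' && payload.exp <= nowSeconds;
}

// The value that goes into the Authorization header: the raw token, not re-encoded.
function authorizationHeaderValue(token) {
  return `Bearer ${token}`;
}

const decoded = decodeJwtUnverified(SAMPLE_JWT);
console.log('header:', decoded.header);
console.log('payload:', decoded.payload, 'expired now:', isExpired(decoded.payload));
console.log('Authorization:', authorizationHeaderValue(SAMPLE_JWT));
```

Run it with `node` and you will see `{"alg":"HS512"}` and `{"sub":"imal","exp":1498920912}` come straight out of the first two segments; the only thing that protects those claims is the signature, which this script deliberately does not check.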
I am adding to this question a little interesting tip that may help you guys testing JWT APIs.
It is very simple, actually.
When you log in to your API (login endpoint), you will immediately receive your token, and as @mick-cullen said you will have to use the JWT in your header as:
Authorization: Bearer TOKEN_STRING
Now if you want to automate your tests or just make your life easier, you can save the token as a global variable that you can use on all other endpoints as:
Authorization: Bearer {{jwt_token}}
On Postman: make a global variable in Postman as jwt_token = TOKEN_STRING.
On your login endpoint: to make it useful, add at the beginning of the Tests tab:
var data = JSON.parse(responseBody); // parse the login response body
postman.clearGlobalVariable("jwt_token"); // drop any stale token first
postman.setGlobalVariable("jwt_token", data.jwt_token); // store the fresh one
I am guessing that your API is returning the token as JSON in the response as: {"jwt_token":"TOKEN_STRING"}; there may be some variation.
On the first line you add the response to the data variable. Clear your global and assign the value.
So now you have your token in the global variable, which makes it easy to use Authorization: Bearer {{jwt_token}} on all your endpoints.
Hope this tip helps.
EDIT Something to read
About tests on Postman: testing examples
Command Line: Newman
Nice blog post: master api test automation
Test tab and Postman coding. Is there a resource you recommend to get started with this?
Here is how to set token this automatically
On your login/auth request
https://i.stack.imgur.com/2LvKl.jpg
Then for authenticated page
https://i.stack.imgur.com/FxTC9.jpg
I had the same issue in Flask, and after trying the first 2 solutions which are the same (Authorization: Bearer <token>), and getting this:
{
"description": "Unsupported authorization type",
"error": "Invalid JWT header",
"status_code": 401
}
I managed to finally solve it by using:
Authorization: jwt <token>
Thought it might save some time to people who encounter the same thing.
Authentication credentials were not provided in Django using Bearer <token>. Solved with jwt <token>. Thanks for the solution.
If you wish to use Postman, the right way is to use the headers as such:
key: Authorization
value: jwt {token}
as simple as that.
Open Postman. Go to the "header" field. There one can see "key value" blanks. In key type "Authorization". In value type "Bearer(space)your_access_token_value".
Done!
For people who are using the WordPress plugin Advanced Access Manager to open up JWT Authentication:
the header field should use Authentication instead of Authorization.
https://i.stack.imgur.com/OywJD.png
AAM mentioned it inside their documentation,
Note! AAM does not use standard Authorization header as it is skipped by most Apache servers. ...
Hope it helps someone! Thanks, the other answers helped me a lot too!!
https://i.stack.imgur.com/4Xgps.png
Everything else, i.e. Params, Authorization, Body, Pre-request Script, Tests, is empty; just open the Headers tab and add as shown in the image. It's the same for GET requests as well.
I did as moplin mentioned. But in my case the service sends the JWT in the response headers, as a value under the key "Authorization".
Authorization →Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbWFsIiwiZXhwIjoxNDk4OTIwOTEyfQ.dYEbf4x5TGr_kTtwywKPI2S-xYhsp5RIIBdOa_wl9soqaFkUUKfy73kaMAv_c-6cxTAqBwtskOfr-Gm3QI0gpQ
What I did was make a global variable in Postman as
key->jwt value->blahblah
in the login request -> Tests tab, add
postman.clearGlobalVariable("jwt"); // drop any stale token first
postman.setGlobalVariable("jwt", postman.getResponseHeader("Authorization")); // header value already includes "Bearer "
in other requests select the Headers tab and give
key->Authorization value->{{jwt}}
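The two Tests-tab scripts on this page (the one that reads jwt_token from a JSON body, and the one above that reads the Authorization response header) do the same job with two different response shapes. As an added example that is not from either answer and not Postman's own API, here is that capture logic as plain Node.js functions that can be run and tested outside Postman: it handles both shapes, strips a "Bearer " or "JWT " scheme prefix, and refuses to store an error message or HTML page as "the token" when a login fails. The function names, option names and sample responses are mine; the token is the one quoted above.

```javascript
// Added example, not from the original answers and not Postman's own API: the
// token-capture logic of the Tests-tab scripts on this page as plain functions.
// All sample responses below are constructed.

// Loose shape check: three base64url segments. Lets us refuse to store an error
// body or an HTML login page as "the token" when authentication fails.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Strip an authentication scheme prefix. "Bearer" is the standard one; "JWT" is
// the scheme some Flask/Django setups mentioned on this page expect instead.
function stripScheme(value) {
  const m = /^(?:Bearer|JWT)\s+(\S+)$/i.exec(value.trim());
  return m ? m[1] : value.trim();
}

// response = { headers: { name: value }, body: string }
// Returns the token, or null if the response does not carry one.
function extractJwt(response, opts = {}) {
  const bodyKeys = opts.bodyKeys || ['jwt_token', 'token', 'access_token'];
  const headerName = (opts.headerName || 'Authorization').toLowerCase();

  // 1. Response header (header names are case-insensitive).
  for (const [name, value] of Object.entries(response.headers || {})) {
    if (name.toLowerCase() === headerName && typeof value === 'string') {
      const token = stripScheme(value);
      if (JWT_SHAPE.test(token)) return token;
    }
  }

  // 2. JSON body; a non-JSON or error body yields null rather than garbage.
  if (response.body) {
    let data = null;
    try { data = JSON.parse(response.body); } catch (e) { data = null; }
    if (data && typeof data === 'object') {
      for (const key of bodyKeys) {
        if (typeof data[key] === 'string' && JWT_SHAPE.test(data[key])) return data[key];
      }
    }
  }
  return null;
}

// Build the header for the next request; refuse to send a value that is not a JWT.
function authorizationHeaderFor(token, scheme = 'Bearer') {
  if (typeof token !== 'string' || !JWT_SHAPE.test(token)) {
    throw new Error('no valid JWT captured from the login response');
  }
  return { key: 'Authorization', value: `${scheme} ${token}` };
}

// Constructed sample data (the token is the one quoted in the answer above).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbWFsIiwiZXhwIjoxNDk4OTIwOTEyfQ.' +
  'dYEbf4x5TGr_kTtwywKPI2S-xYhsp5RIIBdOa_wl9soqaFkUUKfy73kaMAv_c-6cxTAqBwtskOfr-Gm3QI0gpQ';
const SAMPLE_RESPONSES = {
  bodyToken:   { headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify({ jwt_token: SAMPLE_TOKEN }) },
  headerToken: { headers: { Authorization: `Bearer ${SAMPLE_TOKEN}` }, body: '' },
  failedLogin: { headers: { 'Content-Type': 'application/json' },
                 body: '{"error":"bad credentials"}' },
};

for (const [name, resp] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, '->', extractJwt(resp));
}
```

Inside Postman the same steps map onto `pm.response.json()`, `pm.response.headers.get('Authorization')` and `pm.globals.set('jwt_token', token)`, the current replacements for the `postman.*` calls in the answers above; the shape check is the part worth keeping, because a script that blindly stores whatever the login endpoint returned will happily send `Bearer {"error":"bad credentials"}` on every later request.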
Somehow Postman didn't work for me. I had to use a Chrome extension called RESTED which did work.
In the latest Postman version (7+) maybe there is no Bearer field in Authorization, so go to the Header tab,
select key as Authorization and in value write JWT.
Bearer Token helper in the Authorization tab, adding the token value here (hardcoded or as a dynamic variable) will create the same Authorization header for the request.