Auth: OAuth 2.0
Parent Issue: #119
Support OAuth 2.0
Really important feature <3
So far this is the only thing keeping me attached to Postman. Really keen to see this implemented.
We would love to move to Bruno as well, but since we are requiring grant_type=authorization_code we can't yet. Is there maybe a progress update on this feature? 🙌
Depending on what you need, you might want to check this as a workaround for e.g. the Client Credentials flow.
@Rens660 - I've got quite a similar one for Authorization Code. You'll need to do one manual step in the browser, but at least it returns e.g. the corresponding link as part of an error message. Would you be interested in that?
Hi @tsteckenborn, Unfortunately I am stuck with using Authorization Code, but if you would share your workaround for it, I am definitely interested, thanks!
I will be building OAuth 2.0 functionality in this upcoming live coding stream with Hussain on Dec 16th https://www.youtube.com/watch?v=ZtNGbglTjps
> Hi @tsteckenborn, Unfortunately I am stuck with using Authorization Code, but if you would share your workaround for it, I am definitely interested, thanks!
Take a look if that helps to ease the usage
Pretty much the only thing tying me to insomnia. We use the implicit flow on our end.
Can't wait for this!
> Pretty much the only thing tying me to insomnia. We use the implicit flow on our end.
FYI: Implicit flow is deprecated, should not be used any more (replaced by Authorization code + PKCE)
> > Pretty much the only thing tying me to insomnia. We use the implicit flow on our end.
>
> FYI: Implicit flow is deprecated, should not be used any more (replaced by Authorization code + PKCE)
Thanks for the heads up, though I don't see Authorization code + PKCE supported here yet either. I'll have to check to see if we have migration plans from Implicit flow.
Is there any progress on the OAuth2 support?
> Is there any progress on the OAuth2 support?
@helloanoop can you give any news on your progress or estimation when you continue on OAuth 2 support? The past weeks were very quiet around OAuth 2 :cry:
@fuxx
Thanks for your patience.
I was a bit tied up in working on the lang improvements that will be needed to unblock some other features in the pipeline. Given the immense pain point and upvotes on this feature, I will spend some time this week on this ticket and will share some updates towards the end of this week.
Hej @helloanoop :)
Some weeks passed by and I guess the implementation could be more complicated than expected. Have you gained more insights on how you can proceed?
Hey @fuxx Appreciate your patience.
A big blocker was the Bru Lang design which I wanted to complete. This was very important to ensure that we have a way forward to introduce more features in the future and seamlessly allow folks to migrate to the new format (expected to be available by end of Feb)
Now there are two things in my pipeline
- File Uploads - expected to be launched this week
- OAuth 2.0 - expected to be launched by next week
I am not touching any other feature (except critical bugs) unless above 2 are launched.
Any news about OAuth 2.0 support?
We're on the verge of completing OAuth2 integration, just polishing up the last details. Set to release tomorrow.
Hmmm... what's the reason you can't select and set this up at the collection level?
Would also +1 the comment of @dougbreaux. We also have multiple APIs where every request of each API uses the same authentication. So it would be cool to have it configured one time per collection (because authentication between APIs could be different) and use it for all requests in this collection.
Postman has a good solution here: You can configure it as Inherit from parent (which is the collection most of the time) or custom for this request if you have one request in this collection which uses a different method to authenticate.
OAuth 2.0 is live in v1.10.0
🥳 🥳
@dougbreaux in the request that fetches a token via OAuth, you should be able to write a post response script like below that saves the access_token to a collection variable.

```javascript
bru.setVar("oauth_access_token", res.body.access_token)
```

And at the collection level, you could set this token to be sent as a Bearer Auth / in a Header. All requests in the collection can inherit this auth by setting the request level auth as inherit.
@tygore587 @dougbreaux Wouldn't this work?
> what's the reason you can't select and set this up at the collection level?
I think this makes sense. We will add support to configure this at the collection level so that there is no need to create a separate request just to do the auth stuff. This could also allow us to implement the refresh token functionality when the token expires.
cc @lohxt1
@helloanoop Thanks for the suggestion. I will check tomorrow at work if this works for me as a workaround until you have the feature for the collection.
This is one of the only things that holds me back from suggesting it as a Postman alternative.
Will the collection-wide configuration be scheduled for one of the next releases or are other features more important to you at the moment?
> Will the collection-wide configuration be scheduled for one of the next releases or are other features more important to you at the moment?
This is priority. We will get this done in the next outgoing release.
> I will check tomorrow at work if this works for me as a workaround until you have the feature for the collection.
Thanks! If at all you need help, I'd be happy to get on a call and work through this. I am available 9am-6pm GMT. My email id is [email protected] (if you want to send an invite)
Above invitation ⬆️ applies to everyone. I would love to get on a call and help you through any issues you are facing. All of this is free consultation :) Email me at [email protected] and I'd be happy to get on 1:1 call.
I'll second @tygore587 's sentiment, I require OAuth 2.0 for APIs I work on, can't use Postman on NixOS, and refuse to waste my time on the workarounds due to their user-hostile practice of removing older versions from the internet when they do releases.
Much respect to @helloanoop for being proactive and receptive to user needs, once collection-based config lands I'll definitely be recommending Bruno to my team.
Thank you for implementing this. The fact that you have implemented this with the option for a Callback URL makes Bruno stand out from its competitors, stepping in for Postman, quite a lot.
However I am missing a way to provide a Code Challenge Method (like SHA-256 or Plain) for the PKCE, as we need to provide code_challenge as defined in RFC7636
Hi @helloanoop, first of all thanks for your implementation. Could be that in grant type client_credentials you are missing an option to set the access token url?
@helloanoop Again thanks for implementing it. I just tested it and want to give some feedback.
First like @timozn says, we need the grant type Authorization code (with PKCE)
I prepared a working example in postman.
I used https://demo.duendesoftware.com/ for it to test bruno and postman.
My configuration:
Grant Type: AuthorizationCode (With PKCE)
Callback URL: https://demo.duendesoftware.com/
Auth URL: https://demo.duendesoftware.com/connect/authorize
Access Token URL: https://demo.duendesoftware.com/connect/token
Client ID: interactive.confidential
Client secret: secret
Code Challenge method: SHA-256
Code Verifier: empty
Scope: openid profile email api offline_access
State: empty
If you don't want to configure it yourself, I prepared a Postman collection where I configured auth on the collection level and also a Bru Request file (I needed to add a .txt at the end, because otherwise I could not upload the file) for you.
In Postman it opens a browser where I can login with the alice/alice demo account and I get back my token.
In bruno I get:
I hope this helps. If you need any further information, please let me know
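The PKCE parameters requested in the two comments above (a code challenge method per RFC 7636, and the Authorization Code with PKCE configuration), as an added example that is not part of the thread and is not Bruno's or Postman's code. All function names and `demoConfig` are hypothetical; the verifier and state left empty in the posted configuration are supplied by the caller here.

```javascript
const nodeCrypto = require('node:crypto');

// RFC 7636 section 4.1: code_verifier is 43-128 chars from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// 32 random bytes encode to 43 base64url characters (no padding).
function generateCodeVerifier() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}

// Section 4.2: "plain" sends the verifier itself, "S256" sends BASE64URL(SHA256(verifier)).
function codeChallenge(verifier, method) {
  if (!VERIFIER_RE.test(verifier)) throw new Error('invalid code_verifier');
  if (method === 'plain') return verifier;
  if (method === 'S256') return nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
  throw new Error('unsupported code_challenge_method: ' + method);
}

// Authorization request (section 4.3): challenge and method go to the Auth URL.
function buildAuthorizeUrl(cfg, verifier, state) {
  const url = new URL(cfg.authUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.callbackUrl,
    scope: cfg.scope,
    state,
    code_challenge: codeChallenge(verifier, cfg.method),
    code_challenge_method: cfg.method,
  }).toString();
  return url;
}

// Token endpoint check (section 4.6): recompute from the code_verifier the client
// sends and compare with the stored challenge in constant time.
function verifyChallenge(verifier, storedChallenge, method) {
  const computed = Buffer.from(codeChallenge(verifier, method));
  const stored = Buffer.from(storedChallenge);
  return computed.length === stored.length && nodeCrypto.timingSafeEqual(computed, stored);
}

// Values from the configuration posted above; "SHA-256" in the UI is "S256" on the wire.
const demoConfig = {
  authUrl: 'https://demo.duendesoftware.com/connect/authorize',
  callbackUrl: 'https://demo.duendesoftware.com/',
  clientId: 'interactive.confidential',
  scope: 'openid profile email api offline_access',
  method: 'S256',
};
```

The same `code_verifier` is later sent in the token request to the Access Token URL, which is where the server runs the check in `verifyChallenge`.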
I have also an error with the Authorization code (flow).
> Hi @helloanoop, first of all thanks for your implementation. Could be that in grant type client_credentials you are missing an option to set the access token url?
Also, thank you very much for implementing this. This has been a highly anticipated feature.
For client credentials both access token url and also the scope are missing for us.