[PR #476] [MERGED] OAuth 2.0/OIDC Access Token Retrieval Support #2644

Closed
opened 2026-03-17 00:19:46 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/476
Author: @reefqi037
Created: 1/7/2020
Status: Merged
Merged: 1/7/2020
Merged by: @liyasthomas

Base: master ← Head: feature/oauth-support


📝 Commits (10+)

  • d24b917 added oauth token ui
  • 5377c69 add oauth handler
  • b98d907 fix token placement
  • 2e7e40c display error & disable input based on user input
  • 83a20bd implement oidc discovery
  • 2a818dc comment correction
  • df48e85 added token managements
  • f847cbe Added token management
  • 161c0b7 added token request management
  • 9d56af4 Merge branch 'master' into feature/oauth-support

📊 Changes

6 files changed (+764 additions, -8 deletions)

View changed files

assets/js/oauth.js (+175 -0)
📝 lang/en-US.js (+21 -1)
📝 package-lock.json (+1 -1)
📝 pages/index.vue (+531 -6)
📝 store/mutations.js (+24 -0)
📝 store/state.js (+12 -0)

📄 Description

This PR adds an OAuth 2.0/OIDC Access Token retrieval function to Postwoman 🎉

Main Feature

With this feature, an OAuth 2.0 access token can be retrieved directly from inside Postwoman.
Since Postwoman is a web-based SPA, it has no way to hide the client secret used in the normal OAuth 2.0 flows. Therefore, only Authorization Code Flow + PKCE is implemented.

Additional Features

  • Automatic configuration using OpenID Connect Discovery endpoint ( Configure endpoints automatically! )
  • Access Tokens Management ( Save, reuse, and delete multiple access tokens )
  • Token Request Management ( Save, reuse and delete multiple authorization endpoint configurations )

Screenshots

  1. Main UI
    oauth

  2. Access Token Management UI
    token-management

  3. Token Request Management UI
    token-req-management

Limitations

  • Users can only use OAuth Service Providers that provide PKCE support for client authentication.
  • Users have to register Postwoman as callback URL and trusted/allowed origin (CORS) in the OAuth application and Service Providers' settings.

There should be room for improvements but for the time being, I think the core functions here should work ( tested with Okta and Auth0 as Service Providers ). Feel free to suggest and improve 👨‍💻 👩‍💻 🚀

fixes #337


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
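The Authorization Code Flow + PKCE exchange the description relies on, as an added example that is not code from this PR or from Postwoman's `assets/js/oauth.js`. It uses Node's `crypto` module in place of the browser Web Crypto API, and the function names, endpoint, client ID and redirect URI are assumptions made for illustration.

```javascript
// Added example, not Postwoman's oauth.js. All names and inputs are constructed.
const nodeCrypto = require("node:crypto");

// RFC 7636 uses unpadded base64url for both verifier and challenge.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 random bytes -> 43-character code_verifier (the minimum length allowed).
function newVerifier() {
  return base64url(nodeCrypto.randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function challengeS256(verifier) {
  return base64url(nodeCrypto.createHash("sha256").update(verifier, "ascii").digest());
}

// Step 1: the SPA keeps verifier and state locally and sends only the challenge.
function buildAuthorizationRequest({ authorizationEndpoint, clientId, redirectUri, scope }) {
  const verifier = newVerifier();
  const state = base64url(nodeCrypto.randomBytes(16));
  const url = new URL(authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: challengeS256(verifier),
    code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), verifier, state };
}

// Step 2: on the callback, reject a mismatched state, then redeem the code
// with the verifier in place of a client secret.
function buildTokenRequestBody({ code, returnedState, expected, clientId, redirectUri }) {
  if (!code || returnedState !== expected.state) {
    throw new Error("callback rejected: missing code or state mismatch");
  }
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: expected.verifier,
  }).toString();
}
```

The token request carries no `client_secret`: the authorization server recomputes the S256 challenge from `code_verifier` and compares it with the value sent in step 1, so an intercepted authorization code cannot be redeemed without the verifier.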
