Access Control Tokens with Postman

You can use Postman to get a JWT access token from the IdentityServer, and use that in a subsequent request to your local Vonk instance.

  1. Make sure IdentityServer is running (see Set up an Identity Provider); this page assumes it listens at http://localhost:5100

  2. Open Postman Settings (menu: File | Settings) and turn SSL certificate validation off, otherwise your self-signed certificate will not be accepted. Do this only for a local development setup: certificate validation is what stops a man-in-the-middle from intercepting your token, so turn it back on when you are done, or install your development CA certificate in Postman instead.

    ../../_images/ac_postman_certificateverificationoff.png
  3. Open a request in Postman, let’s say GET /Patient

  4. Verify that you get a 401 Unauthorized: without a token, Vonk must refuse the request.

  5. Go to the Headers tab and make sure there is no Authorization header (if there is, it might have an outdated token, and you don’t want that)

  6. Go to the Authorization tab, that looks like this:

    ../../_images/ac_postman_auth_tab.png
  7. In the ‘Type’ dropdown choose OAuth2 (SMART on FHIR uses OpenID Connect, which is an identity layer on top of OAuth2, so Postman’s OAuth2 support is what you need)

  8. In the ‘Add authorization data to’ dropdown choose ‘Request headers’ (probably preselected)

  9. Click Get New Access Token, and in the popup window fill in the blanks:

    ../../_images/ac_postman_request_token_https.png
  10. The values in ‘Scope’ determine which claims end up in the token; alter them to request other claims. Request only the scopes you need for the test: the resource server will reject requests for resources the token’s scopes do not cover, and a narrower token limits the damage if it leaks.

  11. Click Request Token and you’ll be presented with the login screen of IdentityServer:

    ../../_images/ac_postman_login.png
  12. Log in as Bob or Alice and you’ll be presented with the grant (consent) screen of IdentityServer. It will ask you whether Postman may have the claims you requested in the ‘Scope’ field.

    ../../_images/ac_postman_grant.png
  13. Click ‘Allow’ and you return to Postman with the newly retrieved token:

    ../../_images/ac_postman_managetokens.png
  14. You can copy the value of the access token and paste it into JWT.io. It will show you the contents of the token (the header, the claims and the signature segment, which it decodes but cannot verify without the issuer’s key). Note that this sends the token to a third-party site: acceptable for a throwaway token from your local IdentityServer, but never do it with a token issued for a real system. Any base64url decoder on your own machine shows the same information.

  15. Scroll down and click ‘Use Token’:

    ../../_images/ac_postman_usetoken.png
  16. The token will be added to the request as an Authorization header with the Bearer scheme (Authorization: Bearer <token>).

  17. Issue the original request again. Provided there is a Patient with the identifier of Bob or Alice (or whomever you chose), it will be in the search results. If you still get a 401, the token has most likely expired (access tokens are short-lived); request a new one rather than re-using an old one.
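The same procedure outside Postman, as an added example that is not part of the Vonk or IdentityServer documentation: once you have an access token (from Postman, or any other client), this script decodes it locally instead of pasting it into JWT.io, checks that it is not expired or not-yet-valid (the ‘outdated token’ problem from step 5), lists the granted scopes, and sends it as a Bearer header to the Patient endpoint. The sample token it builds is constructed for offline use and is unsigned; the claim values in it (issuer port, client id, user name, scopes) are assumptions, as are the `ACCESS_TOKEN` and `VONK_URL` environment variables. Vonk, not this script, verifies the signature.

```python
import base64
import json
import os
import time
import urllib.error
import urllib.request


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    """Encode bytes as unpadded base64url (the JWT segment form)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Return (header, payload) of a compact JWS WITHOUT verifying the signature.

    Signature verification is the resource server's (Vonk's) job; here we only
    read the claims, and we do it locally so the token never leaves the machine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def token_is_usable(payload, now=None, skew=30):
    """Client-side pre-check for an outdated token: reject tokens that are
    expired or not yet valid, allowing a little clock skew. This does not
    replace validation on the server."""
    now = time.time() if now is None else now
    exp = payload.get("exp")
    nbf = payload.get("nbf")
    if exp is not None and now > exp + skew:
        return False
    if nbf is not None and now < nbf - skew:
        return False
    return True


def granted_scopes(payload):
    """IdentityServer may emit 'scope' as a space-separated string or as a JSON
    array depending on version; normalise both to a set."""
    scope = payload.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def fetch_patients(base_url, token):
    """GET {base_url}/Patient with the token as a Bearer header.
    Returns (HTTP status, response body); a 401 comes back as a value, not an exception."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/Patient",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/fhir+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def make_sample_token(payload, header=None):
    """Build a CONSTRUCTED, unsigned sample token for offline use. Assumption:
    a real IdentityServer token is RS256-signed; this one only claims to be."""
    header = header or {"alg": "RS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"not-a-real-signature")])


# Constructed sample resembling what IdentityServer issues; the claim values
# are assumptions, not taken from the documentation.
SAMPLE_PAYLOAD = {
    "iss": "http://localhost:5100",
    "aud": "vonk",
    "client_id": "Postman",
    "sub": "alice",
    "scope": ["openid", "profile", "patient/*.read"],
    "nbf": 1_600_000_000,
    "exp": 1_600_003_600,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    # Paste a real token into ACCESS_TOKEN to inspect it; otherwise use the sample.
    token = os.environ.get("ACCESS_TOKEN", SAMPLE_TOKEN)
    header, payload = decode_jwt(token)
    print("alg:", header.get("alg"), "| sub:", payload.get("sub"),
          "| scopes:", sorted(granted_scopes(payload)))
    if not token_is_usable(payload):
        raise SystemExit("token expired or not yet valid: request a new one")
    if "VONK_URL" in os.environ:  # e.g. http://localhost:4080, assumed
        status, body = fetch_patients(os.environ["VONK_URL"], token)
        print(status, body[:200])
```

Run it with `ACCESS_TOKEN=<token from Postman> VONK_URL=http://localhost:4080 python inspect_token.py` (both values assumed) to see the claims and the search result; without those variables it only decodes the constructed sample. The decoder deliberately ignores the signature: deciding whether to trust a token is the resource server's job, and a client that "verifies" with a key it fetched over an unvalidated TLS connection (step 2) would gain nothing.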