Testing your ASP.NET Core WebApi secured with IdentityServer4 in Postman

Jorge Cotillo
Jun 23, 2017 · 3 min read

A few days ago I was asked to provide a sample showing how to test a WebApi that is secured with OpenID Connect (IdentityServer4 in this case) using Postman.

In this post I’ll demonstrate the steps required to test your WebApi without removing [Authorize] when testing locally.

#1 Client configuration

I will start by assuming that you already have IdentityServer4 configured and up and running. If not, you can refer to my previous post, which explains how to set up your application with IdentityServer4.

Fig 1. IdentityServer4 Client Configuration — Notice RedirectUris, PostLogoutRedirectUris and AllowedCorsOrigins

#2 Resource configuration

In this step you simply need to add an API name to GetApiResources in Config.cs (located in your IdentityServer4 application).

Fig 2. New ApiResource added

#3 Configure your WebApi

To configure your WebApi all you have to do is the following:

  1. Install-Package IdentityServer4.AccessTokenValidation
  2. Add UseIdentityServerAuthentication middleware to your Startup.cs — Configure method — before .UseMvc middleware (important).
  3. Make sure your ApiName matches the API name from #2.

Fig 3. Startup WebApi Configuration
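
The three steps above, written out as an added example (this is not the code from the author's repository or from Fig 3). It uses the IdentityServer4.AccessTokenValidation 1.x options object; the Authority URL http://localhost:5000 and the API name api1 are assumed placeholders, and the controller is a hypothetical endpoint matching the /api/values URL used later in the post.

```csharp
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Middleware runs in registration order, so token validation must be
        // registered before UseMvc. Otherwise MVC evaluates [Authorize] on a
        // request whose bearer token was never read, and the call is rejected.
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            // Assumed URL of your IdentityServer4 application (token issuer).
            Authority = "http://localhost:5000",

            // Accept discovery metadata over plain HTTP only while developing
            // locally; every other environment requires HTTPS.
            RequireHttpsMetadata = !env.IsDevelopment(),

            // Assumed name. It must equal the ApiResource name added in #2,
            // because it is checked against the token's audience.
            ApiName = "api1"
        });

        app.UseMvc();
    }
}

// Hypothetical protected endpoint, reachable at /api/values.
[Route("api/[controller]")]
public class ValuesController : Controller
{
    [Authorize]
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "value1", "value2" });
}
```

With this in place, a request without a valid access token receives 401 Unauthorized, which is why [Authorize] can stay on the controller during local testing.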

#4 Postman configuration

Now, open Postman and do the following:

  1. Enter your URL, e.g. http://localhost:5010/api/values
  2. Under Type there is a dropdown; select OAuth2

Fig 4. Authorization type = OAuth2

3. After selecting it, you’ll notice a button that says Get Access Token. Click on it and enter the following information (make sure to replace localhost with the URL of your IdentityServer4 application and ClientId with your own ClientId from #1):

Fig 5. Postman settings — replace localhost with your IdentityServer4 URL

After you have entered all these values, click on Request Token. You’ll see a new token added with the name of “Token Name”.

Finally, make sure you add the token to the header (look at the image below), then click on Use Token. To invoke the service, simply click on Send (blue button). If the token is valid, you’ll see a successful response.

Fig 6. Successful response — notice that Add token to says Header; don’t forget to click Use Token and finally Send

And that’s it, now you can test your WebApi using Postman and passing the proper Access Token.

Because I always like to provide full working examples, and this post is no exception, please refer to my GitHub repo: https://github.com/jorgecotillo/aspnet_core_identity_server_4_postman, which contains a WebApi and the IdentityServer4 Quickstart (use username: alice and password: password).

Note: For some reason, when I tried to debug both applications (Startup multiple projects) my WebApi didn’t work; I had to start the WebApi alone, in Visual Studio 2017 Community Edition. In order to make it work, make sure the Debug properties say: Profile -> postman_identity_server_4_aspnetcore and Launch -> Project (you can get to the debug properties by right-clicking on the postman_identity_server_4_aspnetcore project, then clicking on Properties, and finally clicking Debug on the left). Interesting fact!! I had no issues when using Visual Studio Code …

Happy Coding!

Written by Jorge Cotillo

Senior Software Developer at Microsoft. Designing CI/CD for Infra as Code, focused on automating Governance and Provisioning of your different Azure resources.
