In my post yesterday on Securing a Web API, I asked how I might test my API after securing it, since I didn’t have a client app created yet.
Of course, there is a way using Postman.
I’ve mentioned previously how to use the “run now” policy feature to test your policy and review your tokens. That previous blog post used a web application. Today’s blog post uses a native app as the selected application.
Go to your B2C_1_SiUpIn policy:
- Under Select application, choose Hello API WPF App.
- Under Select reply url, choose the
- Expand Access Tokens and under Select resource, select Hello API (or whatever name you gave your API from yesterday’s blog post). Make sure all the scopes are selected.
Here’s what my Run Policy Settings look like.
Click Run now. You’ll see a new browser tab appear. Copy the resulting URL and open up your favorite flavor of notepad.
Make sure you only copy the access token and none of the other parameters that come after the access_token. This had me scratching my head for a good half-hour.
Open up https://jwt.ms and paste in the access token to confirm it all looks good and contains the claims your Hello API is expecting, e.g. “read”.
Next, fire up Postman. Also, make sure your Hello API project is running 🙂
I’m still new to Postman, so YMMV. If you have a different way of using Postman for this scenario, please let me know!
- Choose GET and insert the URL for your Hello API /hello endpoint.
- Under Headers, type in Authorization
- For its value, type in Bearer then the access token.
And if all is set up correctly, you’ll get the expected response!
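The copy, check and header steps above as a script, added here as an example and not part of the original post: it pulls only the access_token out of the pasted URL, decodes the payload for inspection without verifying the signature (as when pasting into jwt.ms), and builds the Authorization header. The function names, the sample URL and the sample token are constructed, and reading scopes from a space-separated scp claim is an assumption.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

def extract_access_token(redirect_url):
    """Return only the access_token value from the URL copied after Run now."""
    parts = urlsplit(redirect_url)
    # The token normally arrives in the fragment (#...); fall back to the query.
    params = parse_qs(parts.fragment) or parse_qs(parts.query)
    if "access_token" not in params:
        raise ValueError("no access_token parameter in URL")
    return params["access_token"][0]

def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    segments = token.split(".")
    # Trailing "&token_type=..." text copied with the token fails this check.
    if len(segments) != 3 or not all(re.fullmatch(r"[A-Za-z0-9_-]+", s) for s in segments):
        raise ValueError("not a clean three-part JWT; were extra parameters copied?")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorization_header(redirect_url, required_scope):
    """Build the header to paste into Postman after confirming the expected scope."""
    token = extract_access_token(redirect_url)
    scopes = decode_claims(token).get("scp", "").split()  # assumption: "scp" claim
    if required_scope not in scopes:
        raise PermissionError(f"token lacks scope {required_scope!r}: {scopes}")
    return {"Authorization": f"Bearer {token}"}

def _b64url(obj):
    raw = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: not a real token; placeholder reply URL and signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"scp": "read write", "aud": "constructed-api-id"}),
    _b64url(b"constructed-signature"),
])
SAMPLE_URL = ("https://reply.example.invalid/#access_token=" + SAMPLE_TOKEN
              + "&token_type=Bearer&expires_in=3600")

if __name__ == "__main__":
    print(authorization_header(SAMPLE_URL, "read"))
```
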
I’m still working on a blog post on how to debug all these steps for creating a client application and an API for use with B2C. Stay tuned!