Documentation

OAuth 2.0

OAuth 2.0¶

Authentication
OAuth 2.0

What is OAuth 2.0?¶

OAuth 2.0 authorization framework (see OAuth) enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. The OAuth 2 specification (RFC 6749) replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.

Paw natively supports the full OAuth 2 flow via the OAuth 2 Dynamic Value: authorization, token request, and generation of the Authorization header.

Setup OAuth 2.0¶

Find your OAuth 2 credentials

Find your OAuth 2 credentials¶

Your API provider should give you access to your client (app) credentials. Depending on the OAuth 2 grant types supported by the provider, these can consist of:

Client ID: all grant types

Client Secret: Authorization Code, Resource Owner Password Credentials and Client Credentials grant types

Username: Resource Owner Password Credentials grant type only

Password: Resource Owner Password Credentials grant type only

Set the authorization type

Set the authorization type¶

Go to the Auth tab and choose OAuth 2.

Enter your credentials

Enter your credentials¶

You can now setup your credentials (from the above step Find your OAuth 2 credentials) and fill in all the appropriate authorization URLs (once again, this may be different per Grant Type):

Authorization URL: the URL of the web page the OAuth service (aka. provider) would normally bring users so they can authorize the access.
Access Token URL: the URL your server uses to request an access token.
Redirect URL: also known as the Callback URL, it’s the URL you’ve setup in the OAuth provider’s settings. It should be the URL of a web page on your server, where users will be redirected after authorization process. In Paw, that’s optional, as Paw can work without it. You can leave this field blank or enter any valid URL, Paw will intercept the token regardless.

../../_images/oauth2-new-credentials.png

Authorize (get the Access Token)

Authorize (get the Access Token)¶

Now that you’ve setup the OAuth settings, you can manually request an access token, or skip this section and let Paw automatically handle authorization when needed (when sending request, Paw will automatically ask authorization if there is no access token or if it has expired). The calls are always handled by Safari.

In Paw, hit the Get Access Token button from the OAuth2 Dynamic Value.
A web view is shown and you’re prompted (as the end-users would be) to authorize your app to access the provider’s API.
Once done, you’re redirected to the “Callback URL” page (should be a page on the client server). It doesn’t matter if that page is not functional yet. At this step, Paw will be calling the “Access Token URL” to get a token in exchange of the code that has been returned by the OAuth provider.
The Access Token should now appear at the bottom of the window. Hit the Use Access Token button.
Your request is now configured to be using OAuth 2.

Done

Done¶

Paw will add the Authorization header automatically. You can check it in the Headers tab. You’re ready to send the request!

Use Environment Variables¶

orphan:

As you may often switch between development and production environments, or between several users, you may need to have several OAuth credentials you may apply to your Requests. You can keep those credentials in Environments, and then use them in the OAuth Header Dynamic Value.

Read more about Environments and how to use Environments as Reusable Presets.

Examples¶

GitHub API with Paw

Facebook API with Paw

Google APIs with Paw