How to authenticate and query edX APIs with Postman
(this article originally by @Nathan Sprenkle and @Zach Hancock in the 2U space)
Note: although this article is Postman specific, many of the techniques can probably be adapted for other API query tools.
Working on a recent API development project, I found myself needing a tool for robustly exercising an API. Postman is a super helpful tool for doing just that, but there was nothing in our docs (that I could find) about working with logon sessions and auth-related stuff, in particular. Here’s a quick how-to on authenticating with Postman and hitting APIs.
First things first: go to the Postman downloads page to download/install Postman.
Scripted processes:
Download Postman
Run Login collection scripts or obtain API JWT
Manual process:
Download Postman
Steal some cookies
CSRF token setup
Profit!
Scripted Process
I got annoyed by having to do the manual process each time so I borrowed an approach from this Medium post and adapted for LMS. I’m attaching the collection here so you too can log in from Postman.
Download my collection of scripts for LMS
Update environment variables
Run the GET Login script
Run the POST Login script
You’re authenticated!
Download LMS collection
Here is the LMS Postman collection. Download it then follow Postman instructions for importing a collection.
Update environment variables
To avoid hard-coding everything, the collection expects a few variables to be set before running. See Postman instructions for setting variables to set the following:
lms_url
- For Devstack this islocalhost:18000
protocol
- Eitherhttp
orhttps
, depending on if you’re testing with HTTPS or notuser_email
- The user you’re going to log in as, e.g.staff@example.com
user_password
- The user’s password, e.g.edx
Run the GET Login script
This gets the login form you would normally see logging on to the LMS. Importantly, the test scripts in this call extract the CSRF token and save it in an environment variable (csrftoken
) for later use.
Run the POST Login script
This logs in as the user specified by user_email
and user_password
You’re Authenticated!
To connect CSRF token to requests add the CSRF token header to requests. Re-run the GET
/POST
scripts if the token times out or you log out.
X-CSRFToken
: {{csrftoken}}
Scripted Process with OAuth Client
This is a similar approach to the scripted process above but by authenticating an an OAuth application we can avoid the need to deal with CSRF tokens and cookies. I find this simpler to manage.
Create an OAuth application
Create a new application at: http://localhost:18000/admin/oauth2_provider/application/
user the user you want to authenticate as
client type
confidential
Authorization grant type
client credentials
name whatever you want, you will need this to more easily find your record again in django admin
keep track of your client id in secret, we’ll need these later
Update environment variables
To avoid hard-coding everything, the collection below expects a few variables to be set before running. See Postman instructions for setting variables to set the following:
LMS_BASE
- For Devstack this islocalhost:18000
API_CLIENT_ID
- client id from the application you created aboveAPI_CLIENT_SECRET
- client secret from the application you created above
Obtain a JWT token
POST to the /oauth2/access_token/
endpoint using your client_id and secret.
This is configured for you as the Access Token endpoint in the collection shared below
You’re Authenticated!
Future requests simply need an Authorization: JWT {{YOUR_TOKEN}}
in the header. Each of the requests in the collection shared below include this.
My postman collection
Manual Process
A higher-effort approach, but one that explains how cookie auth and CSRF work with edx-platform
and how to borrow an active login session.
Steal some cookies
The tricky bit about querying anything tied to edx-platform
is auth. To become the hackerman authenticate, we’re gonna need some cookies. Specifically, to masquerade as a logged in user, we need to capture an active session cookie. There are a few ways to do this which Postman documents here. I use the Postman interceptor approach but could also be done with the Postman Proxy or vanilla browser tools. I like the interceptor because it loads cookies right into the app so there’s no copy/paste, etc.
The punch line: capture an cookie for your active user, should look something like the below:
csrftoken=<csrf-jibberish>;
edx-jwt-cookie-header-payload=<jwt-thingy>;
edx-jwt-cookie-signature=<signature>;
edx-user-info=<json-blob>;
edxloggedin=<true/false>;
experiments_is_enterprise=<true/false>;
lms_sessionid=<session-jibberish>;
openedx-language-preference=<en/more-exciting-language-code>
CSRF token setup
Cookie thief! The council of cookie protectors will have your head for this. It’s okay, I won’t rat you out.
Moving on, even though the CSRF token is in the cookie, LMS expects it in a header. Grumble, grumble, brevity being the soul of wit or whatever…
In Postman, go to the Headers tab of the request. Add a new header called X-CSRFToken
. Copy and paste the value from the csrftoken
in the cookie into the value for the header. It should look something like the below:
Profit!
You did it! Make some queries with your sweet new authenticated self!