Manually Configuring Postman Login for Dynamic Tokens
This topic describes how to configure dynamic authentication manually if auto-configuration fails for a Postman scan. Dynamic authentication uses dynamic tokens.
What are Dynamic Tokens?
Dynamic tokens are authentication tokens that the application generates at login time; each authentication instance gets its own unique token. They are typically short-lived, and each one must be renewed individually. A scanner therefore cannot reuse a token captured once: it has to recognize when the current token is rejected, log in again, extract the fresh token from the login response, and substitute it into every subsequent request. The logout condition and the response state rule described below tell the scanner how to do that.
Before You Begin
You must know the following to configure manual login:
- The type of authentication used in your application (such as Bearer, API key, OAuth 1.0, OAuth 2.0, or Cookie)
- How to write regular expression search arguments, including named capture groups
Process Overview
The process to manually configure login is described in the following table.
| Stage | Description |
|---|---|
| 1. | Identify and isolate the login request or requests in a separate Postman collection. For more information, see Identifying and Isolating the Login Request. |
| 2. | Create a logout condition regular expression. For more information, see Creating a Logout Condition with Regular Expressions. |
| 3. | Create a response state rule. For more information, see Creating a Response State Rule for a Bearer Token and Creating a Response State Rule for an API Key. Note: A response state rule is not needed for cookie session management. |
Identifying and Isolating the Login Request
To identify and isolate the login request:
- Examine the Postman collection contents to identify the login request.
  Tip: Typically, the login request is the first request in the Postman collection that obtains an authentication token. However, authentication can involve several requests, for example a login followed by a token exchange or refresh; include all of them.
- Copy this request or these requests.
- Paste the request(s) into a separate file.
- Save the file as a Postman collection. If the login request reads its credentials from Postman variables, make sure the same variables are available when the new collection is used.
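The isolation step above, as an added example that is not part of the original page: a small Node.js script that copies the named login request(s) out of a Postman v2.1 collection into a new collection with the same schema. The collection, request names, URLs and the `{{password}}` variable are constructed for the example.

```javascript
// Added example, not from the original page: pulls the login request(s) out
// of a Postman v2.1 collection into a separate collection (stage 1).
// The collection below is a constructed sample.

const fullCollection = {
  info: {
    name: "Orders API",
    schema: "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
  },
  item: [
    {
      name: "Login",
      request: {
        method: "POST",
        header: [{ key: "Content-Type", value: "application/json" }],
        url: { raw: "https://api.example.test/Login" },
        // Credentials come from a Postman variable, so the saved file carries
        // no password.
        body: { mode: "raw", raw: '{"username":"admin","password":"{{password}}"}' },
      },
    },
    {
      name: "Orders", // a folder: its requests are nested under "item"
      item: [
        { name: "List orders", request: { method: "GET", url: { raw: "https://api.example.test/orders" } } },
        { name: "Refresh token", request: { method: "POST", url: { raw: "https://api.example.test/token/refresh" } } },
      ],
    },
  ],
};

// Recursively collects the requests whose name is in `names`, descending
// into folders so the login request is found wherever it sits.
function findRequests(items, names) {
  const found = [];
  for (const it of items) {
    if (Array.isArray(it.item)) found.push(...findRequests(it.item, names));
    else if (names.includes(it.name)) found.push(it);
  }
  return found;
}

// Builds a new collection containing only the named requests, in the order
// given (login first, then any follow-up such as a refresh), keeping the
// schema so Postman and the scanner can import it. The source is untouched.
function isolateLoginRequests(collection, names) {
  const picked = findRequests(collection.item, names);
  const ordered = names.map(n => picked.find(it => it.name === n)).filter(Boolean);
  return {
    info: { name: `${collection.info.name} - login`, schema: collection.info.schema },
    item: ordered,
  };
}

const loginOnly = isolateLoginRequests(fullCollection, ["Login", "Refresh token"]);
console.log(JSON.stringify(loginOnly, null, 2));
```

Save the printed JSON as the separate collection. Keeping the credential as a variable rather than a literal means the exported login collection can be shared with the scanner without carrying the password in the file.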
Creating a Logout Condition with Regular Expressions
To create a logout condition:
- Find several requests that require authentication.
- Do one of the following:
  - For a bearer token, replace the auth token with an incorrect value and send the request to the application.
  - For an API key, send an incorrect APIKey value to the application.
- Use the replies from these requests to create a regular expression that matches every rejected response and never matches the response to a valid, authenticated request. A condition that is too broad makes the scanner log in again when it does not need to; one that is too narrow lets the scan continue unauthenticated after the session expires, so the protected parts of the application are never tested. Check the expression against responses from valid requests as well as rejected ones.
For example, if you see the word "unauthorized" in most of the rejected responses, that word is the best one to use in the regular expression, such as:
[STATUSCODE]200 AND [BODY]unauthorized
If an incorrect APIKey value gets a reply of {"status": "Access Deny"}, then the best regular expression would be:
[BODY]Access\sDeny
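The check described above, as an added example that is not part of the original page: a Node.js script that runs a candidate logout condition against responses captured with a wrong token and against responses from a valid session, and reports what it misses and what it wrongly flags. The responses are constructed samples; the condition objects are my reading of the [STATUSCODE] and [BODY] form shown above (an optional status code plus an optional body regex), not the product's own parser.

```javascript
// Added example, not from the original page: checks a candidate logout
// condition against captured responses before it is used in a scan.
// All responses below are constructed samples, not real traffic.

// Responses to protected requests sent with a deliberately wrong token or
// API key (stage 2 of the procedure).
const rejectedResponses = [
  { status: 200, body: '{"error":"unauthorized","message":"Token is invalid"}' },
  { status: 401, body: '{"status":"Unauthorized"}' },
  { status: 403, body: '{"status": "Access Deny"}' },
];

// Responses to the same requests sent with a valid token. The second one is
// an audit-log read whose body happens to contain the word "unauthorized".
const validResponses = [
  { status: 200, body: '{"users":[{"id":1,"name":"alice"}]}' },
  { status: 200, body: '{"events":[{"type":"login.unauthorized","user":"bob"}]}' },
];

// A condition is an optional status code plus an optional body regex, which
// is how the [STATUSCODE]... AND [BODY]... examples are read here (assumption).
function conditionMatches(cond, response) {
  const statusOk = cond.status === undefined || cond.status === response.status;
  const bodyOk = cond.body === undefined || cond.body.test(response.body);
  return statusOk && bodyOk;
}

// Returns the rejected responses the condition fails to match (the scan
// would carry on unauthenticated) and the valid responses it wrongly matches
// (the scan would log in again for no reason). Both lists must be empty.
function checkLogoutCondition(cond, rejected, valid) {
  return {
    missed: rejected.filter(r => !conditionMatches(cond, r)),
    falsePositives: valid.filter(r => conditionMatches(cond, r)),
  };
}

// Too loose: misses "Access Deny" and fires on the audit-log response.
const loose = { body: /unauthorized/i };
// Anchored on the field name, so it only matches the rejection message.
const tight = { body: /"(error|status)":\s*"(unauthorized|access\sdeny)"/i };

console.log("loose:", checkLogoutCondition(loose, rejectedResponses, validResponses));
console.log("tight:", checkLogoutCondition(tight, rejectedResponses, validResponses));
```

Replace the sample arrays with the real responses you captured in the first two steps; a condition is ready only when both lists come back empty.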
Creating a Response State Rule for a Bearer Token
To create a response state rule for a bearer token, you must create two regular expressions.
The first regular expression is run against every response and captures the new authentication token when one appears. Typically, the token is in the response to the login request that was identified in Stage 1 of the process.
For example, the following login response contains a "token" field:
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg1NzQzNzkzLCJleHAiOjE1ODU3NDczOTN9.i8uXa20JQt00tlOjd1twRD76jTnsG-0xiU97QWy6jkg"}
For this response, we can create the following regular expression:
"token":"(?<Token>[-a-zA-Z0-9._~+/]+?=*)"}$
The named group (?<Token>[-a-zA-Z0-9._~+/]+?=*) captures the value of the token. The character class covers the characters that appear in a JWT or base64url value, and the trailing "}$ anchors the match to a token that is the last field in the body. If the application returns further fields after the token, drop the "}$ anchor and rely on the closing quote instead; if other responses also contain a field called "token" (for example a refresh response), make the pattern specific enough that only the login response matches.
Note: XML uses character escaping. If you enter a regular expression that includes the < and > symbols in an XML file, write < as &lt; and > as &gt;.
The second regular expression identifies where in each outgoing request the captured token must be written. For a bearer token, that is the "Authorization: Bearer ..." header.
The following is an example for a bearer token:
Authorization:\sBearer\s(?<Token>[^\r\n]*)\r\n
In this second regular expression, the named group (?<Token>[^\r\n]*) marks the span that is replaced with the value captured by the first regular expression; the rest of the header is left unchanged. Use the same group name in both expressions, as in this example, so the captured value is paired with the right location.
Creating a Response State Rule for an API Key
To create a response state rule for an API key, you must create two regular expressions.
The first regular expression is run against every response and captures the new API token when one appears. Typically, the token is in the response to the login request that was identified in Stage 1 of the process.
For example, assume that the application uses header-based API key authentication. A request sends the username and password to the path "/Login" and returns a response similar to the following:
{"success":true,"APIToken":"tp8989ieupgrjynsfbnfgh9ysdopfghsprohjo"}
All protected requests send an "APIKey: ..." header to authorize access.
For this response, we can create the following regular expression:
"APIToken":"(?<APIToken>[a-zA-Z0-9]+?)"}$
The named group (?<APIToken>[a-zA-Z0-9]+?) captures the value of the API token. The character class allows only letters and digits, so widen it if your application issues keys that contain other characters such as - or _.
Note: XML uses character escaping. If you enter a regular expression that includes the < and > symbols in an XML file, write < as &lt; and > as &gt;.
The second regular expression identifies where in each outgoing request the captured token must be written. For an API key, that can be a custom header name and value or a custom query parameter name and value. The following is an example for the "APIKey" header:
APIKey:\s(?<APIToken>[^\r\n]*)\r\n
The named group (?<APIToken>[^\r\n]*) marks the header value that is replaced with the value captured by the first regular expression. For a key sent as a query parameter, match the parameter name in the request line instead and capture its value, stopping at the next & or space.
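The two-expression mechanism from the bearer token and API key sections above, as an added example that is not part of the original page: a Node.js script that applies each pair of regular expressions, exactly as written on this page, to a login response and to a later protected request. It uses the ES2022 `d` (hasIndices) regex flag to locate the named group precisely, so it needs Node 16 or later. The raw requests, hostnames and the "EXPIRED" placeholder are constructed; the login response bodies are the ones quoted above, on one line.

```javascript
// Added example, not from the original page: applies a response state rule
// (capture regex + inject regex) to a login response and a protected request.
// Requires Node 16+ for the "d" regex flag. Sample requests are constructed.

// Each rule pairs the regex that captures the token from a response with the
// regex that locates where the token goes in an outgoing request. The named
// group in each regex marks the value. Patterns are the ones from the text.
const bearerRule = {
  extract: /"token":"(?<Token>[-a-zA-Z0-9._~+\/]+?=*)"}$/d,
  inject: /Authorization:\sBearer\s(?<Token>[^\r\n]*)\r\n/d,
};
const apiKeyRule = {
  extract: /"APIToken":"(?<APIToken>[a-zA-Z0-9]+?)"}$/d,
  inject: /APIKey:\s(?<APIToken>[^\r\n]*)\r\n/d,
};

// Returns the captured token, or null when the body is not a login response
// (the first regex is run against every response, so most will not match).
function extractToken(rule, responseBody) {
  const m = rule.extract.exec(responseBody);
  if (!m || !m.groups) return null;
  return Object.values(m.groups)[0];
}

// Replaces exactly the span matched by the named group with the new token and
// leaves the rest of the request untouched; returns null when the request
// does not carry the header, so the caller can send it unchanged.
function injectToken(rule, rawRequest, token) {
  const m = rule.inject.exec(rawRequest);
  if (!m || !m.groups) return null;
  const [groupName] = Object.keys(m.groups);
  const [start, end] = m.indices.groups[groupName];
  return rawRequest.slice(0, start) + token + rawRequest.slice(end);
}

// Full cycle: take the token from the login response and put it into the
// protected request. Returns null if either regex does not match.
function refreshRequest(rule, loginResponseBody, rawRequest) {
  const token = extractToken(rule, loginResponseBody);
  return token === null ? null : injectToken(rule, rawRequest, token);
}

// Constructed sample: the bearer login response from the text, on one line.
const BEARER_LOGIN_RESPONSE =
  '{"success":true,"message":"Authentication successful!","token":"' +
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTg1NzQzNzkzLCJleHAiOjE1ODU3NDczOTN9.i8uXa20JQt00tlOjd1twRD76jTnsG-0xiU97QWy6jkg"}';
const BEARER_REQUEST =
  'GET /api/users HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Bearer EXPIRED\r\n\r\n';

// Constructed sample for the API key variant, with the response from the text.
const APIKEY_LOGIN_RESPONSE = '{"success":true,"APIToken":"tp8989ieupgrjynsfbnfgh9ysdopfghsprohjo"}';
const APIKEY_REQUEST =
  'GET /api/orders HTTP/1.1\r\nHost: api.example.test\r\nAPIKey: EXPIRED\r\n\r\n';

console.log(refreshRequest(bearerRule, BEARER_LOGIN_RESPONSE, BEARER_REQUEST));
console.log(refreshRequest(apiKeyRule, APIKEY_LOGIN_RESPONSE, APIKEY_REQUEST));
```

Two behaviours are worth noting. Because the capture regexes end in "}$, a login response that carries any field after the token (for example an expiry) does not match and no token is captured; if that is what your application returns, remove the anchor. And because the inject regex only rewrites the named group, a request without the header is returned as null rather than having a header appended, which matches the rule's purpose of updating an existing value.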