How to pass access token url in authentication flow oauth2 with curl ?

[dashandwerk]

Select Topic Area

Question

Body

Hi,
i follow the authentication flow with oauth2.0.
As in postman i can enter the
AUTH URL to start the process with a webpage and then authenticate on this external webpage with username and password.
I set the ACCESS TOKEN URL to my url which gets the code of the first step and receive a token.

Now i want to repeat this flow with curl, not in postman.

a) start AUTH URL to the external webpage and generate the code.
Which parameters must be set to handle later ACCESS TOKEN URL ?

b) This first section generates the code which i need for step c)

c) step b) must now use my ACCESS TOKEN URL and send the parameter code to receive then an new BEARER ACCESS TOKEN.

I have seen the console log, but i have never found my individual ACCESS TOKEN URL in this process, but with postman it works. I can get a BEARER TOKEN.

[ThisaraJayas]

curl -X GET "AUTH_URL?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=SCOPE"

[MdRashid62]

To pass an access token in an OAuth2 authentication flow with curl, you'll generally follow these steps:

1. Obtain the Access Token: First, you need to authenticate with your OAuth2 provider (typically using client credentials, authorization code, or another grant type) to get the access token.

2. Pass the Token in the Request: After receiving the access token, use it as a Bearer token in the Authorization header to authenticate subsequent requests.

Step 1: Get the Access Token
curl -X POST "https://oauth.example.com/token"
-d "grant_type=client_credentials"
-d "client_id=YOUR_CLIENT_ID"
-d "client_secret=YOUR_CLIENT_SECRET"

This should return a JSON response with the access token:
{
"access_token": "YOUR_ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 3600
}

Step 2: Use the Access Token in Requests
curl -X GET "https://api.example.com/endpoint"
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Replace "YOUR_ACCESS_TOKEN" with the actual token from the response in Step 1.

[HIMANSHUTHAKUR00]

Same question

[Gecko51]

The piece that usually trips people up here is that step (a), the AUTH URL, isn't really a curl step. It's a browser step. The authorization endpoint redirects the user to a login page (and possibly an MFA challenge, a consent screen, etc.), which curl can't render or interact with.

The typical OAuth2 authorization code flow looks like this:

1. Open the AUTH URL in a browser, not curl:

https://auth.example.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://your-app.example.com/callback&scope=read&state=xyz123

2. After you log in and approve, the provider redirects to your redirect_uri with ?code=THE_CODE&state=xyz123 in the URL. Grab that code value from the redirect.

3. Now you can use curl. POST the code to the ACCESS TOKEN URL to exchange it for a bearer token:

curl -X POST "https://auth.example.com/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=THE_CODE_FROM_STEP_2" \
  -d "redirect_uri=https://your-app.example.com/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"

The reason Postman "just works" is that it embeds a browser window for step 1, then silently does the POST in step 3 for you. You don't see the ACCESS TOKEN URL being called because Postman is doing it in the background after you close the login popup.

4. Use the token:

curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" https://api.example.com/whatever

A couple of things worth checking:

• redirect_uri must match exactly what's registered on the OAuth app, including trailing slash and protocol.
• If the provider supports PKCE (and most do now), you'll also need code_verifier and code_challenge parameters. Add -d "code_verifier=..." in the token request.
• If you don't actually need a user context, skip the whole authorization code dance and use grant_type=client_credentials instead. That one is fully curl-able with no browser involved.

If you're trying to fully script this without a browser (headless), you'd need to script the login POST to the provider's login form, which is provider-specific and usually brittle. A headless browser (Playwright, Puppeteer) is a cleaner path for that.

What OAuth provider is this against? If it's a specific one I can point you at the exact endpoint shape.