Sharing auth method

[Bogidon]

Describe the solution you'd like

1. An way to easily share an oauth provider as the auth mechanism for a bunch of different endpoints, or an entire environment.
2. Would also love it if the auth cookie is held on to so a new token can be issued without another login.

Describe alternatives you've considered
Currently I have one endpoint that has the auth mechanism (OAuth 2) set up. I copy the returned bearer token into the environment config. When the token expires in 2 hours, we have to do the whole process again, including logging into our auth provider. Many of my coworkers consider this too cumbersome to want to use Insomnia.

Additional context
I think if Insomnia had an easy way to do this, we'd have had a few monthly licenses by now.

[nijikokun]

Welcome @Bogidon 👋

Oh, I see, something like a shared authentication store that you could reference on requests? Seems like a really good idea actually. I'm wondering if it could be used more than just authentication.

@gschier is there anything like this in the app currently?

[gschier]

There was a discussion a long time ago under the feature "Parent Requests" but it was abandoned for various reasons: #598

For OAuth 2.0, specifically, someone has created a plugin that allows referencing the Access Token from a different request. That way you only have to define the information once. This should solve your immediate problem of manually copying the token into the environment:

https://insomnia.rest/plugins/insomnia-plugin-accesstoken

In general, I like the idea of being able to reference parts of other requests. I think this provides the most flexibility while not overcomplicating the existing UI/UX.

[Bogidon]

👋

In general +1 to referencing parts of other requests. Though, to me the clearest way for auth to work would be if you can declare an auth strategy that can be applied to multiple requests, that would internally only rerun as necessary. That would remove the "oh you have to run this special request first".

Thanks for the plugin. I tried a different one a while ago that I couldn't get working, so I'll give this one a shot.

[Bogidon]

@gschier @nijikokun ping that we'd likely pay for Insomnia were this implemented.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[dmythro]

Would be really cool to be able to copy-paste Auth from one endpoint to others.

For example, I setup Auth as Bearer and specify token to be used from response body of another endpoint. Now I can copy-paste token value, but still have to choose Auth -> Bearer, and then paste token value. What would make it simpler is to copy whole Auth settings, and then paste them to another endpoints with some hotkey/context menus.

Or better — to link Auth to one of endpoints, so it can be updated later in a single place. Maybe mark endpoint with "auth" label then for visual distinction etc.

Postman for example can inherit Auth.

[ractive]

After starting with insomnia, I was very happy to see the OAuth2 authentication working with our internal OAuth2 provider - even the authorization code flow works 🎉 .
But then I was realizing quickly that you need to copy/paste all properties of the auth setup (authorization URL, access token URL, client id, client secret etc.) to all the reqests, which is quite tedious. It would be great if you could create your own OAuth2 providers by configuring the auth URL, token URL etc. and if you could just choose this auth provider for a request.

Not sure though how to pair this with the different environments. We have one OAuth2 provider per environment (staging, production) and this should be switched also when changing the environment.

[hades200082]

This is the main thing preventing us from switching from Postman.

[subnetmarco]

Hello,

We will look into folder-level authentications, global environments immediately after the release of v9.0 at the end of the month. These capabilities are top of mind.

[mcquiggd]

@subnetmarco Excellent news!

[jackkav]

Aiming to deliver this in #7353

[bcowdery]

A potential workaround here (for Auth0 at least), is to make a Token Refresh request to /oauth/token and capture the response. You can then use normal request chaining to grab the access token from your auth request.

It's gnarly, and not my favorite solution as it results in a token refresh immediately after login, but it does work.

Configure OAuth2 authentication on this one request like you normally would. Insomnia will kick off the OAuth2 workflow as normal, log you in, fetch the tokens, and then initiate the token refresh giving you a JSON response payload that you can chain forward.

Access token request:
POST {{_.Auth.Audience}}/oauth/token

{
  "grant_type": "refresh_token",
  "client_id": "{{ _.Auth.ClientId }}",  
  "refresh_token": "{% request 'oauth2-refresh', '', 0 %}"
}

Example response:

{
	"access_token": "ey...",
	"refresh_token": "v1...",
	"id_token": "ey...",
	"scope": "openid profile email offline_access",
	"expires_in": 900,
	"token_type": "Bearer"
}

Subsequent request chaining would use Bearer Auth using the response body attribute, something like:

• Token: Bearer {% response 'body', 'req_deadbeef', '$.access_token', 'when-expired', 3600 %}

[subnetmarco]

We have shipped folder-level authentication, and pre-request and after-response scripting capabilities in Insomnia 9.x, which should allow us to solve for this use-case by creating a folder with the desired authentication mechanism for all the requests that are placed within.

[SoftwareTesterMM]

Hi, I have the same problem when I use oauth2 in a parent folder. In the beginning it worked, but at some point the inheritance no longer works and you can see in the timeline that the authorization or the bearer is no longer set (settings are okay and not changed). I could not find out what exactly caused it to no longer be inherited. (If I duplicate the same request, then it takes effect again for a certain time).
Furthermore, the refresh token request does not work, but unfortunately you cannot see the request and it is not logged.

[WangBian]

@subnetmarco Yes, I have it set to Inherit.

[jackkav]

we have a test collection for oauth2 inheritance at packages/insomnia-smoke-test/fixtures/oauth.yaml perhaps you could compare it to yours and let us know what differences there are so we can improve our tests

[WangBian]

@jackkav The only difference I can tell is that you another folder under the root folder and the request is in the secondary folder. Mine collection does not have a secondary folder like yours

[jackkav]

I think we need to extend our tests to include only one folder then. Thanks for the report.

[iansall]

I'm seeing the same issue (with my requests under a top-level folder):
Adding a new request in the folder picks up the parents' folder access token. When I switch environments with different credentials, the request continues to use the old access token, even if I regenerate it.
My "solution" right now is to duplicate the problematic request in the same folder - it then runs as expected, picking up the correct access token.

[costyn]

Can confirm. Also ran into this bug today. It's tricky, because it does send a token, it's just an ID token instead of the Access token, even if you select 'Access token' only in the OAuth2 response type.

I guess it's the same/related bug as this one: #7880 ?

[subnetmarco]

@jackkav @gatzjames

[Synthian]

I'm experiencing similar issues on 10.1.0:

My requests that inherit OAuth2 seem to grab the first token and hold onto it forever. Changing environments, clearing the parent's tokens, etc. have no effect. Duplicating the request within the folder does work to pick up the new token, but it ultimately defeats the purpose of this feature.