Auth: OAuth 2.0

[helloanoop]

Parent Issue: #119

Latest Update: 28 Nov 2024 See #1003 (comment)

Support OAuth 2.0

Related Issues

1. Issues Related to current oauth flow

• OAUTH2 auth is successful but token endpoint is returned instead of api endpoint #1999
• OAuth 2.0 usage #2666
• OAuth2 auth flows : automatize the Get Access Token step #3272
• Running a request with OAuth2 configured show the result of the OAuth2 request instead of the result of the request itself #3360
• Oauth 2.0 flow on collection #2980
• requests still refreshes oauth2 token instead of using the token and sending request #3500

2. Issues related to client credentials

• OAuth 2.0 with Client Credentials not working #3021
• OAuth 2.0 Client Credentials Basic Auth #2106
• OAuth 2.0 - Client Credentials - Support additional fields for token requests #2002
• OAuth 2.0 client credentials using collection variables error "'send-collection-oauth2-request': AggregateError" #3202

3. Other related issues:

• Oauth2: Supported at the request level, but not at the collection level #1704
• Support for Custom Headers in OAuth 2.0 Authorization Code Flow #1785
• Changing grant type erases saved inputs #1826
• More responsive Input fields  #2723
• OAuth2: Implement OAuth 2.0 Implicit Grant #2056
• OAuth 2.0 Grant Type Authorization Code Get Access Token problem #1901
• Enable to define Auth at intermediary level in the collection tree #3315
• Use system browser for OAuth authentification #2650
• Show all requests performed for OAuth 2.0 login #3470
• OAuth 2.0 - Client credentials always returning "'undefined' is not valid JSON" #2452
• API / Collection Authorization #119
• Client Certificates not used on Auth when getting Access Token #3342
• Using authorization token issue #2922

[fuxx]

Really important feature <3

[and-rose]

So far this is the only thing keeping me attached to Postman. Really keen to see this implemented.

[rjhofstee]

We would love to move to Bruno as well, but since we are requiring grant_type=authorization_code we can't yet. Is there maybe a progress update on this feature? 🙌

[tsteckenborn]

Dependend on what you need you might want to check this as a workaround for e.g. the Client Credentials flow.

@Rens660 - I've got quite a similar one for Authorization Code. You'll need to do one manual step in the browser, but atleast it returns e.g. the corresponding link as part of an error message. Would you be interested in that?

[rjhofstee]

Hi @tsteckenborn,
Unfortunately I am stuck with using Authorization Code, but if you would share your workaround for if, I am definitely interested, thanks!

[helloanoop]

I will be building OAuth 2.0 functionality in this upcoming live coding stream with Hussain on Dec 16th
https://www.youtube.com/watch?v=ZtNGbglTjps

[tsteckenborn]

Hi @tsteckenborn, Unfortunately I am stuck with using Authorization Code, but if you would share your workaround for if, I am definitely interested, thanks!

Take a look if that helps to ease the usage

[42shadow42]

Pretty much the only thing tying me to insomnia. We use the implicit flow on our end.

[mjschlosser8]

Can't wait for this!

[andifalk]

Pretty much the only thing tying me to insomnia. We use the implicit flow on our end.

FYI: Implicit flow is deprecated, should not be used any more (replaced by Authorization code + PKCE)

[42shadow42]

Pretty much the only thing tying me to insomnia. We use the implicit flow on our end.

FYI: Implicit flow is deprecated, should not be used any more (replaced by Authorization code + PKCE)

Thanks for the heads up, though I don't see Authorization code + PKCE supported here yet either. I'll have to check to see if we have migration plans from Implicit flow.

[billbrinck]

Is there any progress on the OAuth2 support?

[fuxx]

Is there any progress on the OAuth2 support?

@helloanoop can you give any news on your progress or estimation when you continue on OAuth 2 support? The past weeks were very quiet around OAuth 2 😢

[helloanoop]

@fuxx

Thanks for your patience.

I was a bit tied up in working on the lang improvements that will be needed to unblock some other features in the pipeline. Given the immense pain point and upvotes on this feature, I will spend some time on this week on this ticket and will share some updates towards the end of this week.

[fuxx]

Hej @helloanoop :)

Some weeks passed by and i guess the implementation could be more complicated then expected. Have you gained more insights on how you can proceed?

[helloanoop]

Hey @fuxx Appreciate your patience.

A big blocker was the Bru Lang design which I wanted to complete. This was very important to ensure that we have a way forward to introduce more features in the future and seamlessly allow folks to migrate to the new format (expected to be available by end of Feb)

Now there are two things in my pipeline

1. File Uploads - expected to be launched this week
2. OAuth 2.0 - expected to launched by next week

I am not touching any other feature (except critical bugs) unless above 2 are launched.

[glitchracer]

Any news about OAuth 2.0 support?

[helloanoop]

We're on the verge of completing OAuth2 integration, just polishing up the last details.
Set to release tomorrow.

[kkevindev]

@helloanoop would it be possible for the Oauth2 implementation in Bruno to send extra headers/body request parameters. For example: we use Auth0 and we require a "organisation" request parameter to be send to the Oauth2 authentication endpoint. Currently, there is no functionality to send anything extra with the request.

[pascalknupper]

Is there any update on this topic, can´t wait to see OAuth 2 auth flow without scripting in Bruno 🙂

[StefanTUI]

Bruno is great! And I'd also love to see the OAuth2 auth flow (grant type client credentials) completed, so I fully recommend it everywhere I can :-)

[helloanoop]

Hey everyone,

Thanks for all the feedback around improvements on the OAuth2 implementation. We know this has been on the wishlist for a while, and we’re finally diving into a full revamp of the OAuth2 flow. We’re aiming to wrap this up by end of December and will keep you posted here as we make progress.

As part of this process, we’re forming a cohort to better understand how you use OAuth2 in Bruno and gather insights into your expectations. If you’d like to join, please fill out this form: https://forms.gle/gicLNdt5F1XD1MBq7
In the discussions, we'd like to know and understand

• How you’re currently using OAuth2 in Bruno.
• Any challenges or limitations you’ve faced with the current implementation.
• Features or improvements you’d like to see in the revamped version.

We are also reviewing the PRs - #2164, #2077, #2058 as a part of this effort.

Thanks,
Bruno Team

[JoniJnm]

How can I fill out the form?

I only wanted to say: I don't know if it's possible, but I would like to be able to open an external browser (instead of in-app) during the oauth2 authorization_code to use the local cookies and do not need to login every time in the external provider. Thanks.

[helloanoop]

There was a permission issue in the cohort participation form. This has been fixed now.

[tygore587]

How can I fill out the form?

I only wanted to say: I don't know if it's possible, but I would like to be able to open an external browser (instead of in-app) during the oauth2 authorization_code to use the local cookies and do not need to login every time in the external provider. Thanks.

Also a +1. We need to login with a device id in entra id. This device id is only send by edge or chrome with an extension and for this we need to login via an external browser.

Also it would be nice to do the authentication in the collection (like in postman). So i don't need to have 1 request that you need to run before you can run any other request in the collection. This is hard to understand for my team and it's the only reason nobody in my team uses the authentication with oauth2 in Bruno. Setting up oauth2 in the collection and running the auth request there is known to everybody and easier to understand for everyone.

[JoniJnm]

I created this ticket: #3584

[caviyacht]

I hope this comes out soon, I want to use Bruno (looks amazing) but am 100% reliant on the implicit grant flow. Any update as we're now in January?

[shonigbaum]

When is the OAuth 2.0 coming? Still getting a "invalid request" message when trying it:

[bigsing]

@shonigbaum Per the Bruno Discord posted on 1/28:

Some polish is pending.
Here is a experimental build if you want to play around https://github.com/usebruno/bruno-experimental-builds/releases/tag/oauth2-revamp-v1.39.0-2025.1.24

Core functionality is done. We need to provide a setting to automatically fetch the token.
Let us know if you encounter any issues in the above build and if you have feedback on what else needs to be improved.

hoping to put out a public beta during feb first week and then release it live on feb 3rd week.

[abieler-sap]

I tried the experimental build and got an error fetching a token. Is there a possibility to analyze what went wrong?
Is there a plan to add the token request also to the timeline, so a user can see what's happening in the token request?