I normally run tests using client_credentials flow, but I have a few that require authorization_code. When using authorization_code I turn the PKCE on (without it, I get an error, but I'm not sure if it's due to server setup or something on the client). Anyway, with the oauth2 authorization_code authorization, the httpyac callback page shows green with the success code received message, but the actual response returns (with sensitive values masked):
```json
{
  "error": "invalid_request",
  "error_description": "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests. Trace ID: xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx Correlation ID: xxxxxxx-xxxxxx-xxx-xxxxx-xxxxxx Timestamp: 2025-10-10 16:52:54Z",
  "error_codes": [9002327],
  "timestamp": "2025-10-10 16:52:54Z",
  "trace_id": "xxxxxxxx-xxxxx-xxxxx-xxxxxx-xxxxxxxxxxx",
  "correlation_id": "xxxxxxxxxxxxx-xxxxxxxx-xxxxx-xxxxxx-xxxxxxxxxxxxxx"
}
```
I googled the error and the suggestion seems to be to set the Origin header variable to http://localhost. So, I followed the suggestion at AnWeber/httpyac#738 and added the following script to the file:
```
{{
  exports.oauth2_interceptrequest = function(request, ext) {
    request.headers.origin='http://localhost';
  }
}}
```
This fixed the issue with the authorization_code flow, but broke all calls that used client_credentials in the same file. I figured out a workaround and moved the flow-specific tests to a separate file (so, my tests requiring authorization_code are in a different file from the tests that use client_credentials).
The workaround seems to work, but it would be nice if the origin setting could be added to the authorization variables. That's what Postman does and it makes sense.
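Added example, not part of the original post and not httpyac's own code: one way to keep both flows in the same file is to set `Origin` only when the token request carries `grant_type=authorization_code`, and to strip it otherwise. The function names `grantTypeOf` and `applySpaOrigin`, and the request shape (`headers` object, `body` as a form-encoded string, `URLSearchParams` or plain object), are assumptions made for illustration.

```javascript
// Added illustration. Request shape and function names are assumptions,
// not the httpyac hook API.

// Grants whose token request should carry an Origin header.
const ORIGIN_GRANTS = new Set(['authorization_code']);

// Extract grant_type from the common token-request body representations.
function grantTypeOf(body) {
  if (body == null) return undefined;
  if (typeof body === 'string') {
    return new URLSearchParams(body).get('grant_type') ?? undefined;
  }
  if (body instanceof URLSearchParams) {
    return body.get('grant_type') ?? undefined;
  }
  if (typeof body === 'object') return body.grant_type;
  return undefined;
}

// Set Origin for the SPA code redemption; remove it for every other grant
// so a client_credentials request never inherits it.
function applySpaOrigin(request, origin = 'http://localhost') {
  request.headers = request.headers || {};
  // Header names are case-insensitive: clear any existing variant first.
  for (const name of Object.keys(request.headers)) {
    if (name.toLowerCase() === 'origin') delete request.headers[name];
  }
  if (ORIGIN_GRANTS.has(grantTypeOf(request.body))) {
    request.headers.origin = origin;
  }
  return request;
}

// Constructed sample requests (placeholder values, not real credentials).
const codeRequest = applySpaOrigin({
  headers: {},
  body: 'grant_type=authorization_code&code=SAMPLE&code_verifier=SAMPLE',
});
const clientRequest = applySpaOrigin({
  headers: { Origin: 'http://localhost' },
  body: 'grant_type=client_credentials&client_id=SAMPLE',
});
console.log(codeRequest.headers, clientRequest.headers);
```
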