You can request tokens for your own and third-party APIs. Below are the steps to generate the ID and access tokens using Postman.
See also the docs about connecting to Kinde’s API.
In Kinde, go to Settings > Environment > APIs.
Select Add API.
Give the API a name, and a value for Audience. Note that these values cannot be changed later.
Select Save.
On the API card, select View Details.

Select Applications, then switch on the application you want to associate with this API.

View the details of the application again. Settings > Environment > APIs > View details.

In the Allowed callback URLs section, add the Postman callback URL, https://oauth.pstmn.io/v1/callback as a separate entry on a new line.
Set your Auth URL as: https://testdomain.kinde.com/oauth2/auth?&prompt=login
testdomain.kinde.com is the domain.
prompt=login forces asking for user credentials on every sign in, to disable SSO.
In Token request, set your audience:
key as audience
value as https://api.apiaudience.net - the value we added when we created the API (See step 2).
send in to request body
In Postman, create a new request.
Go to the Authorization tab, and complete details as follows:
Set Grant Type: Authorization Code (With PKCE).
Select the Authorize using browser checkbox.
Auth URL should be the one crafted at step 9.
Access Token URL should be https://<your_kinde_domain>/oauth2/token, e.g. https://testdomain.kinde.com/oauth2/token.
Client ID should be the client ID of the application the API is associated with. In the example above, the Client ID of the Frontend App would be used.
Set Scope to openid.
Set the State field to a random value.
Select Get New Access Token.
Below are screenshots of the auth flow and the 2 tokens you will be receiving as a result.
The ID token contains the aud claim for 2 audiences: one for the application ID, the other for the issuing party.
The access token contains the aud claim for the requested (intended) audience to authenticate the API. The azp claim represents the application client_id you are using to issue the token.