When i’m building apps that consume APIs (so that’s basically every app i built..) i want to test out these APIs by hand to see how/if they work as intended and what the exact responses are. To do this i love to use the VSCode plugin called “REST Client“. This plugin makes it super easy to test API calls and one of the great benefits is that it stores all the information in plain text files so i can store them together with my code in git.

rest client azure ad oauth

Quite often the APIs i want to test need some for of authentication and OAuth 2 is a very common scenario. Lately i was working with APIs from Azure and the Microsoft Graph API and they are all using OAuth 2 to authorize the requests. OAuth requires you to get a bearer token first which you then pass into the other API calls to do authorized calls. REST Client is able to do this, you just have to know how it’s done and since i couldn’t find it in the docs i decided to blog about it:

So how to get started?

In this example i’ll use a Service Principal with ClientID and ClientSecret to get a bearer token. If you don’t have a Service Principal yet here is a guide on how to create it.

As I wrote before i love the REST Client plugin because it stores all my API calls in code.. however i don’t like secrets stored in git so we’ll first start of by setting some environment variables in VSCode that the REST Client plugin can than use. Open the settings.json file from within VSCode and add a new block here containing the information to get the bearer token such as your tenantID, clientID and ClientSecret in the case of Azure Active Directory.

save the settings.json file. When you open the command palette in VS Code now choose “Rest Client: Switch Environment”. the newly created environment should be there and you’re able to use these environment variables in your API calls.  


1 1

Retrieving a bearer token

Now that we’ve made sure we don’t have to store secrets in our .http files and therefore they don’t end up in git we can start create the API call to get a bearer token. In this example we get a bearer token to access the MS Graph api so we log into our Azure AAD Tenant to get the token. We need to pass in the tenantId on the URL and as form values we have to pass in the clientId, ClientSecret and a scope. (in my case this is https://graph.microsoft.com/.default)

When you execute this call should get a bearer token in response. Hooray! You could ofcourse copy this bearer token into a  variable again and use it this way but what is even nicer is that you can use it directly from the response into next calls. You can do this by adding a name “# @name auth” on top of your API call and if you do that you can reference this request and response in next calls.


Using the Bearer Token

Below is an example of how we use the access token to requests users from Azure Active Directory using the just requested Access Token. by using the variable {{auth.response.body.access_token}} that has the value from “auth” the name of our rest call to retrieve the bearer token and the acces_token from the response body.

As you can see it’s actually quite simple to first get a bearer token and later on use this in your REST Client querying. I use this all the time but it isn’t documented that well so hopefully it can help you in your API consuming/ discovering endeavors.

Happy Coding!

Geert van der Cruijsen