
403 Response From Adobe Experience Manager OAuth 2 Token Endpoint


I am using Postman to test OAuth 2 from a vanilla AEM install.

Postman can successfully obtain the authorization code from /oauth/authorize after I grant access:

But when it tries to use the code to obtain a token from /oauth/token it receives the following response:

HTTP ERROR: 403 Problem accessing /oauth/token. Reason: Forbidden Powered by Jetty://

Looking in Fiddler, it is doing a POST to /oauth/token with the following name/value pairs in the body:

  • client_id: Client ID from /libs/granite/oauth/content/client.html
  • client_secret: Client Secret from /libs/granite/oauth/content/client.html
  • redirect_uri: https://www.getpostman.com/oauth2/callback
  • grant_type: authorization_code
  • code: Code returned from the previous request to /oauth/authorize

Am I missing something?


Solution

  • I found the answer myself and thought I'd share the process I went through as well as the answer because it might help other people new to AEM.

    How to find the cause of the error:

    1. Go to CRXDE Lite.
    2. Select console.
    3. Then deselect the stop button to allow new console logs to appear (this is very counter-intuitive to me).

    CRXDE Lite Console

    From here I was able to see the cause of the issue:

    org.apache.sling.security.impl.ReferrerFilter Rejected empty referrer header for POST request to /oauth/token

    Because Postman does not place a referrer in the request header, I had to tell Apache Sling to allow an empty referrer header.

    To do this:

    1. Go to /system/console/configMgr
    2. Open the Apache Sling Referrer Filter Config
    3. Select the Allow Empty check box

    Apache Sling Referrer Filter Config
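The token exchange from the question, as an added example that is not part of the original post: it sends the same authorization_code POST that Postman sends, but with an explicit same-host Referer header, which the Sling ReferrerFilter accepts under its default host policy without turning on Allow Empty for the whole instance (that setting loosens the filter's CSRF protection for every POST). The AEM base URL, client id/secret and code are placeholders.

```python
"""Authorization-code token exchange against AEM /oauth/token (constructed example).

The Sling ReferrerFilter rejects POSTs whose Referer is empty or from a
foreign host. Sending a Referer on the AEM host itself satisfies the
default policy, so "Allow Empty" can stay off. Host and credentials below
are placeholders, not values from the original page.
"""
import urllib.error
import urllib.parse
import urllib.request

POSTMAN_REDIRECT = "https://www.getpostman.com/oauth2/callback"


def build_token_request(aem_base, client_id, client_secret, code, redirect_uri):
    """Return (url, headers, body) for the /oauth/token exchange."""
    base = aem_base.rstrip("/")
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code": code,
    }).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # Same-host Referer: what a browser would send, and what the
        # ReferrerFilter checks for on POST requests.
        "Referer": base + "/",
    }
    return base + "/oauth/token", headers, body


def diagnose(status, body_text):
    """Map the response to a short hint; a Jetty 403 points at the ReferrerFilter."""
    if status == 403 and "Forbidden" in body_text:
        return "403 Forbidden: check the CRXDE console for 'Rejected empty referrer header'"
    if status == 200:
        return "token issued"
    return "unexpected status %d" % status


def exchange_code(aem_base, client_id, client_secret, code, redirect_uri=POSTMAN_REDIRECT):
    url, headers, body = build_token_request(aem_base, client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return diagnose(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    print(exchange_code("http://localhost:4502", "CLIENT_ID_PLACEHOLDER",
                        "CLIENT_SECRET_PLACEHOLDER", "CODE_PLACEHOLDER"))
```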