Unauthenticated

Discussions related to HTTPAPI (An HTTP Client Package for RPG programming.) http://www.scottklement.com/httpapi/
AS400Guy
Posts: 6
Joined: Mon Sep 25, 2023 10:14 am

Unauthenticated

Post by AS400Guy »

Hi,

I've a similar problem, but this solution didn't help me.

I will try to explain:
With postman this works.
With HTTPAPI I get the error 'Unauthenicated'.

First we have to get a token. Once the token received we have to add it to the header with API Key

I add it to the header with the http_xproc (http_point_addl_header: etc) as proposed in this discussion.

I filled the header with: Authorization: API key xelion 'token' +CRLF.

If I don't fill the header I got the same error, so I'm wondering if the header is correct sent with the POST (via http_stmf)

In the CLLE I use CCSID37.

Please help!

Kind regards,
Guy
Scott Klement
Site Admin
Posts: 702
Joined: Sun Jul 04, 2021 5:12 am

Re: Unauthenticated

Post by Scott Klement »

I moved this to a new thread -- it had nothing to do with the "If-Match" header thread it was posted in.
Scott Klement
Site Admin
Posts: 702
Joined: Sun Jul 04, 2021 5:12 am

Re: Unauthenticated

Post by Scott Klement »

AS400Guy wrote: Mon Sep 25, 2023 10:31 amI will try to explain:
With postman this works.
With HTTPAPI I get the error 'Unauthenicated'.
Please post the raw HTTP input & output from your Postman session, as well as the http_debug log from HTTPAPI. This will allow us to see what you are doing in Postman and HTTPAPI so that we can look for possible problems.
AS400Guy wrote: Mon Sep 25, 2023 10:31 am In the CLLE I use CCSID37.
I don't understand this comment. What on earth does a CCSID used in a separate CL program have to do with this discussion? If you do think it's relevant, then please give more information about what you did with the CCSID in the 37 program.
AS400Guy
Posts: 6
Joined: Mon Sep 25, 2023 10:14 am

Re: Unauthenticated

Post by AS400Guy »

Hello Scott,

To begin with the last remark about the CCSID. I'm sorry, I've written a CLLE which calls the RPG with the HTTPAPI and all other stuff in it.
I therefore have a CHGJOB(CCSID37) in my CLLE because I read somewhere this will be necessary to work nice with API's.

======================================================
Part of the debuglog: (...= personal data)

Protocol Used: TLS Version 1.2
http_persist_req(POST) entered.
http_long_ParseURL(): entered
http_long_ParseURL(): entered
do_oper(POST): entered
There are 1 cookies in the cache
cookie=PHPSESSID not sent (wrong path or domain)
POST /api/v1/.../addressables HTTP/1.1
Host: xelion-17.ictprovider.nl
User-Agent: http-api/1.39
Content-Type: application/json
Content-Length: 76
Authorization: API key xelion 'token'


sendraw(): entered
{
"objectType": "Person",
"commonName": "Test"
}

recvresp(): entered
HTTP/1.1 403
Date: Mon, 25 Sep 2023 12:15:41 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Authorization,Content-Type
Access-Control-Allow-Headers: Authorization,Content-Type
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH
Content-Type: application/json;charset=utf-8
Content-Length: 107
X-Frame-Options: DENY
X-Content-Type-Options: nosniff


SetError() #13: HTTP/1.1 403
recvresp(): end with 403
recvdoc parms: identity 107
header_load_cookies() entered
recvdoc(): entered
SetError() #0:
recvdoc(): Receiving 107 bytes.
{"errorCode":10000,"message":"Unauthenticated","info":"resource\u003dPOST /api/v1/.../addressables"}
SetError() #13: HTTP/1.1 403
http_close(): entered

=====================================================
Postman raw HTTP:
// Request Headers
Content-Type: application/json
Authorization: xelion 'token'
User-Agent: PostmanRuntime/7.33.0
Accept: */*
Postman-Token: 30e59cf3-2b7c-4b86-9e7f-5d8a5b79ba05
Host: xelion-17.ictprovider.nl
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 64

//Response Headers
Date: Mon, 25 Sep 2023 12:21:53 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Authorization,Content-Type
Access-Control-Allow-Headers: Authorization,Content-Type
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,PATCH
Content-Type: application/json;charset=utf-8
Content-Length: 766
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

Type: API key
Key: Authorization
Value: xelion 'Token'
====================================

I hope you have enough information to be able to look at this problem.

Kind regards,
Guy
Scott Klement
Site Admin
Posts: 702
Joined: Sun Jul 04, 2021 5:12 am

Re: Unauthenticated

Post by Scott Klement »

AS400Guy wrote: Mon Sep 25, 2023 12:41 pm To begin with the last remark about the CCSID. I'm sorry, I've written a CLLE which calls the RPG with the HTTPAPI and all other stuff in it.
I therefore have a CHGJOB(CCSID37) in my CLLE because I read somewhere this will be necessary to work nice with API's.
I'll assume you actually mean CHGJOB CCSID(37).

Please don't do that. If the data in your job is known to always be CCSID 37 (but your job CCSID is not already set to 37) then please override the tranlsation settings in HTTPAPI by calling HTTP_setCCSIDs() or http_setOption('local-ccsid'....) Changing the job CCSID will confuse all sorts of things if your job data isn't actually CCSID 37.
AS400Guy wrote: Mon Sep 25, 2023 12:41 pm Authorization: API key xelion 'token'
AS400Guy wrote: Mon Sep 25, 2023 12:41 pm Authorization: xelion 'token'

Notice that HTTPAPI says "API key xelion 'token'" whereas Postman says only "xelion 'token'".

What on earth is "xelion 'token'" and why did you add the words "API key" to the HTTPAPI version? Shouldn't there be an actual token here rather than just the words "xelion token"?
AS400Guy
Posts: 6
Joined: Mon Sep 25, 2023 10:14 am

Re: Unauthenticated

Post by AS400Guy »

Hi Scott,
I Use API key xelion because in another example discussed here 'Bearer token' was used. So I suggested I had to use 'API key'.
xelion + a token is the value I have to use in Postman.

Unfortunately if I only send 'Authorization: ' + the token I get the same error.

Thank you for the tip using setCCSID. I will use that now and in the future.

Kind regards,
Guy
Scott Klement
Site Admin
Posts: 702
Joined: Sun Jul 04, 2021 5:12 am

Re: Unauthenticated

Post by Scott Klement »

The example you provided (Authorization: xelion 'token' ) is obviously changed. The words "xelion token" clearly wouldn't serve to authenticate you... so obviously they aren't the actual thing.

Do you have an example of what a working authentication string looks like? (it can be an expired token so you aren't risking anything.)
AS400Guy
Posts: 6
Joined: Mon Sep 25, 2023 10:14 am

Re: Unauthenticated

Post by AS400Guy »

Hello Scott,

A working token looks like (example of Postman):

Content-Type: application/json
Authorization: xelion 40938a438a479fa277b7f712179fa277b7f7121190c40e1080027d137d73556666e79dbbfdac01f
User-Agent: PostmanRuntime/7.33.0
Accept: */*
Postman-Token: f190fbef-f226-465a-9392-4089786aea8e
Host: xelion-17.ictprovider.nl
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 64
Scott Klement
Site Admin
Posts: 702
Joined: Sun Jul 04, 2021 5:12 am

Re: Unauthenticated

Post by Scott Klement »

Great, so if I understand the situation correctly, this is exactly what you'll need to generate from HTTPAPI:

Code: Select all

Authorization: xelion 40938a438a479fa277b7f712179fa277b7f7121190c40e1080027d137d73556666e79dbbfdac01f
The method you're using (manually adding an authorization header) should work fine for this. It's not clear what is different about the autheotization header you are sending vs the one that you show above. Can you tell me what problem you're having?

In recent versions of HTTPAPI, instead of using an 'additional header' subprocedure, you can also do it by coding the following prior to running the HTTP request.

Code: Select all

// tokenValue should be a character string that contains a value like
//     40938a438a479fa277b7f712179fa277b7f7121190c40e1080027d137d73556666e79dbbfdac01f
http_setAuth( HTTP_AUTH_USRDFN: 'xelion': tokenValue);
I personally find that easier than having to code a procedure, register it with http_xproc, and manually create the header in the procedure -- but... either way should work.
AS400Guy
Posts: 6
Joined: Mon Sep 25, 2023 10:14 am

Re: Unauthenticated

Post by AS400Guy »

Hi Scott,

I've copied this also exactly in my code (so without the words 'API key') and that works! Great!

Problem solved.

Afterwards looking to the original code I have to take the conclusion that only the '+ CRLF' (x'0d25') was missing in the authorization header...
(I don't know exactly why that's necessary?)

Thanks for the suggestion about the HTTP_AUTH_USRDFN. We will look for using that in the future.

Kind regards,
Guy
Post Reply