Azure Message Queue -Generate Shared Access Signature - azure

I'm having trouble trying to send a POST message to an Azure SB Queue using PostMan.
The error I get is 401 40103: Invalid authorization token signature
My issue is generating the SAS as I'm trying to follow various articles and examples but I must be missing/overlooking/not understanding something.
If I describe what I've done, hopefully it'll become obvious where I'm making a mistake.
My Queue URL is https://GTRAzure.servicebus.windows.net/subscriptionpreference
My Policy is Submit
I've chosen an expiry date for December: 1512086400
My string-to-sign is https://gtrazure.servicebus.windows.net/subscriptionpreference\n1512086400 which is then encoded as https%3A%2F%2Fgtrazure.servicebus.windows.net%2Fsubscriptionpreference%5Cn1512086400
I then sign this using the Primary Key I get from the Submit policy. I'm using this to test: https://www.freeformatter.com/hmac-generator.html
This generates a code like 425d5ff8beb8da58e6f97e45462037e25ea56bcb63470f9b28761fa012f61090 using SHA-256 Which I then base-64 encode to get NDI1ZDVmZjhiZWI4ZGE1OGU2Zjk3ZTQ1NDYyMDM3ZTI1ZWE1NmJjYjYzNDcwZjliMjg3NjFmYTAxMmY2MTA5MA==
I then put it all together to get this which I place in the text of the Authorization header
SharedAccessSignature sig=NDI1ZDVmZjhiZWI4ZGE1OGU2Zjk3ZTQ1NDYyMDM3ZTI1ZWE1NmJjYjYzNDcwZjliMjg3NjFmYTAxMmY2MTA5MA==&se=1512086400&skn=Submit=&sr=https%3A%2F%2Fgtrazure.servicebus.windows.net%2Fsubscriptionpreference%5Cn1512086400

I think the string to sign which you are providing is incorrect because \n is not getting treated as new line which generates encoded value as :
https%3A%2F%2Fgtrazure.servicebus.windows.net%2Fsubscriptionpreference%5Cn1512086400
which gives Authorization failure.
But if it is treated as new line, it will give value like this:
https%3A%2F%2Fgtrazure.servicebus.windows.net%2Fsubscriptionpreference%0A1512086400
which will not give error.

Related

Docusign error unauthorized_client when trying to generate the access token

I am using the Docusign REST API collection. Following the videos to set up and get access token. I successfully get the code from this URL:
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id={clientID}&redirect_uri={URL}
I take the code returned, place it into my {codeFromURL} variable. I click on submit. I get an unauthorized_client error.
I verified the integration key, secret key were correctly encoded and used in the header authorization.
I searched everywhere. I can not figure out how to fix and get past this error. I am hoping someone on hear will be of some help.
Here is the snippet shown by postman. I replaced some of the values with asterisks for privacy.
POST /oauth/token HTTP/1.1
Host: account-d.docusign.com
Authorization: Basic Y2VmMDkxODktOWU4Yi00YzZhL******
Content-Type: application/x-www-form-urlencoded
Content-Length: 708
code=eyJ0eXAiOiJNVCIsImFsZyI6IlJTMjU2I*******&grant_type=authorization_code
Possible causes of this error can be:
"1- Valid integration key and Secret Key were replaced in Authorization: "Basic encodedBase64(integrationKey:SecretKey)" so it's the actual values you obtained from your DocuSign Developer Account. (the way you had the quotes suggest you have this as a string value without the actual values encoded).
2- The code is valid for 2 minutes only.
3- The same IK that was used to obtain the code is used in the header."
If the problem persisted after you verified these 3 possible root cause, thanks to open a ticket support to Docusign, in order we could make further research based on your Ids

GDAX signature example

I just can’t seem to get the signature right and I think some sample data would help me diagnose the problem. Can anyone offer some sample data to help me “calibrate” and make sure my code is functioning properly?
prehash string
base64-encoded secret
base64-decoded secret
sha256 HMAC using the base64-decoded secret key on the prehash string
base64-encoded result
I am working in VBA. Any additional tips/advice would be appreciated.
The answer is no one will provide you with the sample data you are requesting as that would mean they in a sense would be sharing their own private passphrase, API key and secret with you.
go to gdax.com and click on API.
Generate copy the generated passphrase (do not lose this)
Go thru remaining steps to generate API key and secret (do not lose this)
Use the API reference to create authentication requests (signing, HMAC, Etc.)
Consider an easier way to interact with REST API than VBA.
Sample data for "calibration" of your software can use the following inputs:
timestamp: 1517266319.000
method: GET
requestpath: /accounts
secret: D1/0wNj3wsKg8XcTs4KCfZUVzsHXIOW7w38Moj+YximHA5VQS7zAG47bgNSNGIGtFtYQ0vei2JiSPvX3JkBsA==
The correct signature for the above inputs is:
jQxycBtZQKEWUZjtIaFnD1zoUDQebGeHmoIW3KHvmtg=
This is confirmed by both the NodeJS and Python code samples.

DocuSign Authorization Code Grant flow returns invalid_grant error

The DocuSign documentation goes through an easy to follow authorization flow for code grant. I'm able to get the "code" from the initial GET request to /oath/auth but getting the tokens gives me an error of "invalid_grant" when I try in postman. I've followed the steps and have a request that looks like this using account-d.docusign.com for host:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MjMwNTQ2YTctOWM1NS00MGFkLThmYmYtYWYyMDVkNTQ5NGFkOjMwODc1NTVlLTBhMWMtNGFhOC1iMzI2LTY4MmM3YmYyNzZlOQ==
grant_type=authorization_code&code=ey2dj3nd.AAAA39djasd3.dkn4449d21d
Two other members of my team have also tried with their developer accounts and all are getting invalid_grant errors. Is this no longer supported or are there common errors associated with this error that we might be able to investigate?
Re-check all of your values.
I was also getting the same invalid_grant response and could not figure out why at first. It turns out that I had a typo in the Content-Type header. I was using application/x-www-form-urlencode instead of application/x-www-form-urlencoded.
You may not be, but if you are submitting the exact Authorization Header as you've posted it here in your question (MjMwNTQ2YTctOWM1NS00MGFkLThmYmYtYWYyMDVkNTQ5NGFkOjMwODc1NTVlLTBhMWMtNGFhOC1iMzI2LTY4MmM3YmYyNzZlOQ==) it will fail with that message.
That is the base64 value for the sample integration key and sample secret key provided in their documentation. If you decode that string with an online base64decoder it will result in 230546a7-9c55-40ad-8fbf-af205d5494ad:3087555e-0a1c-4aa8-b326-682c7bf276e9. This is the same sample integration key and secret in the documentation.
Check the Authorization header you are submitting by encoding your integration key and secret (integrationKey:secret) using this online base64encoder. This will make sure the issue isn't with your base64 encoding of your integration key and secret. Once you have that value make sure your Authorization uses the word Basic before the value you got from this website. (Basic base64stringFromOnlineEncoder)
Check that the code your are submitting in the body of the post is not the sample code from their documentation. ey2dj3nd.AAAA39djasd3.dkn4449d21d is the sample code from their documentation. You may just be using that in your question as a placeholder but if you are submitting any of those values it will return invalid_grant. Make sure that the body of your post does not have any leading or trailing spaces.
Have the correct Content-Type set application/x-www-form-urlencoded
Have the correct Authorization header set Basic base64EncodedIntegrationKey:Secret
Have the correct body using the valid code received from the GET request to /oauth/auth with no leading or trailing spaces, making sure you're not using the values from your question.
If you are still having trouble and you are not doing a user application but are doing a service integration you can use Legacy Authentication to get your oAuth2 token.
Alternative Method using Legacy Authentication for Service Integrations
This method does not use a grant code. You pass in the integration key, username and password into the X-DocuSign-Authentication header in JSON format.
Demo Server: demo.docusign.net
Production Server: www.docusign.net API
Version: v2
POST https://{server}/restapi/{apiVersion}/oauth2/token
Content-Type: application/x-www-form-urlencoded
X-DocuSign-Authentication: {"IntegratorKey":"your_integrator_key","Password":"docusign_account_password","Username":"docusign_account_username"}
grant_type=password&client_id=your_integrator_key&username=docusign_account_username&password=docusign_account_password&scope=api
If you are building a user application that requires the user enter their docusign credentials to generate the token, this alternative will not work for you.
For anyone who is facing this error, I'd like to point out this note in the documentation:
Note: The obtained authorization code is only viable for 2 minutes. If more then two minutes pass between obtaining the authorization code and attempting to exchange it for an access token, the operation will fail.
I was struggling with the same error until I spotted the note and sped up my typing to meet the 2 minutes.
Hope it helps someone else.
In my case the problem was related to having set a wrong value for Content-Type header, namely "application/x-www-form-URIencoded" instead of the correct "application/x-www-form-urlencoded". Note though that in my case the problem was not a "typo" but an excessive trust in DocuSign documentation.
Indeed the wrong Content-Type is, at the time of writing, suggested directly into the documentation page where they describe the Authorization Code Grant workflow, see the image below for the relevant part.
Hopefully they will fix the documentation soon but for the time being be careful not to blindly copy & paste the code from their examples without thinking, as I initially did.
anyone have an idea what is wrong here I am getting a BadRequest with the following
{"error":"invalid_grant","error_description":"unauthorized_client"}
var client = new RestClient(ESIGNURL);
var request = new RestRequest("/oauth/token");
request.Method = Method.POST;
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddHeader("Authorization", "Basic " + Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(integrationkey+ ":" + secret)));
string body = "grant_type=authorization_code&code=" + code;
request.Parameters.Clear();
request.AddParameter("application/x-www-form-urlencoded", body, ParameterType.RequestBody);
var response = client.Execute(request);
I was getting this error as well. What I realized is I was appending the state at the end of the code before passing it to the oauth token endpoint.
This snippet is from Docusign explaining what are some other reasons for getting that error.
Invalid-error explanation
I just spent a day doing this (in NodeJS). I'll add a couple of things to the answers from before. First, I had to put:
"Content-Type": "application/x-www-form-urlencoded"
in the header. Otherwise it gave me the message:
{
"error": "invalid_grant",
"error_description": "unsupported_grant_type"
}
Second, the base64 encoding:
I used this in NodeJS and it worked
const integration_key = process.env.INTEGRATION_KEY;
const secret_key = process.env.SECRET_KEY;
const authinfo =
integration_key.toString("utf8") + ":" + secret_key.toString("utf8");
const buff2 = Buffer(authinfo, "utf8").toString("base64");
If you use "base64url" it dosen't work because it strips the == off of the end of the string. The = symbol is used as padding and apparently it's needed. You see a similar difference on this site https://www.base64encode.org/ when you toggle the url safe encoding option. If you don't have the padding on the end of your base64 encoded string (or if it's generally incorrect) you get this message:
{
"error": "invalid_grant",
"error_description": "unauthorized_client"
}
Finally, if you're using Postman (I'm using DocuSign's Postman Collection) remember to reset and save the codeFromUrl variable after you update it. Otherwise it doesn't update and you get the message:
{
"error": "invalid_grant",
"error_description": "expired_client_token"
}
This means the old URL code has expired and your new one didn't save.

The security token format does not conform to expected schema

I get the following response on Postman when making a GET request on
https://www.docusign.net/restapi/v2/accounts/{myclientidhere}/
The demo account integrator key was certified and moved to prod. I made the request in exactly the same way I did for the demo account using the new username, password and the integrator key details in prod. What could be going wrong here?
<errorDetails xmlns="http://www.docusign.com/restapi" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<errorCode>INVALID_TOKEN_FORMAT</errorCode>
<message>The security token format does not conform to expected schema.</message>
</errorDetails>
Edit:
As suggested by DocuSign, am using na2 as our production account is residing in the na2 environment
My request follows:
GET
Endpoint
https://na2.docusign.net/restapi/v2/login_information
Headers
Content-Type: application/json
X-DocuSign-Authentication: {"Username":"x#x.com","Password":"xxxx","IntegratorKey":"xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}
Have downloaded the request logs but the list of logs all return 200 OK except the one looking for a profile image which I do not have so makes sense to receive a 404 not found as there is no image to link to. I don't see any other issues.
After working with the customer in the end we found the issue here was that they had the backslash (\) character in their password, which was being parsed as an escape sequence.
So basically the password was like:
a1b2#cd\%34
and the backslash was causing the error.
Just ran across the same problem. Apparently the " character is also disallowed in the password. Changed the password to exclude it and it now works fine.

Windows Azure - Set Blob Service Properties REST API Call Authentication parameter

I am trying to make a simple REST call to the Set Blob Properties API (http://msdn.microsoft.com/en-us/library/windowsazure/hh452235) to just turn off/on logging. I have gotten the REST API call to successfully work for retrieving Blob Properties, so I know my hashing algorithms, headers-setting, and Authentication signature creation works, but I can't seem to get it working on the Set Properties side of things. I keep getting an error on the Authentication Header, so I know I'm not doing something right there.
I have copied below what is being created and eventually hashed and put into the auth header string. The online documentation (http://msdn.microsoft.com/en-us/library/windowsazure/dd179428) does not really help in determining which of these fields are absolutely required for this particular type of Blob request, so I've tried filling most of them in, but I don't seem to get a difference response regardless of what I fill in. I've also tried the Shared Key Lite authentication, which would be preferred since it's much more lightweight, but that doesn't seem to work either when I fill in all 5 of those fields.
Shared Key Authentication for Blob Services:
PUT\n
\n
\n
130\n
(MD5_CONTENT_HASH)
\n
\n
\n
\n
\n
\n
\n
x-ms-date:Tue, 19 Jun 2012 19:53:58 GMT\n
x-ms-version:2009-09-19\n
/(MY_ACCOUNT)/\n
comp:properties\n
restype:service
Is there anything obvious I'm missing here? The values (MD5_CONTENT_HASH) and (MY_ACCOUNT) are of course filled in when I make the request call, and the similar request call to "GET" the properties works fine when I send it. The only difference between that one and this is that I'm sending the MD5_content, along with the content-length. I may be missing something obvious here, though.
Any advice would be greatly appreciated! Thanks in advance.
-Vincent
EDIT MORE INFO:
Programming Language I'm using: Objective-C (iOS iPhone)
I'm also using ASIHTTPRequest to make the request. I simply define the request, setRequestMethod:#"PUT", then I create the request body and convert it to NSData to calculate the length. I attach the request-body data via the appendPostData method to the request. I then build the auth string above, hash the whole thing, and attach it to the request as a header called "Authorization".
Request Body String I'm using:
<?xml version=\"1.0\" encoding=\"utf-8\"?><StorageServiceProperties><Logging><Version>1</Version></Logging></StorageServiceProperties>
I know this is an incomplete request body, but I was planning on waiting for it to give a failure on "missing request body element" or something similar, until I proceeded on creating the full XML there. (could that be my issue?)
Error I get from the server:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:accc4fac-2701-409c-b1a7-b3a528ce7e8a
Time:2012-06-20T14:36:50.5313236Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '(MY_HASH)' is not the same as any computed signature. Server used following string to sign: 'POST
130
x-ms-date:Wed, 20 Jun 2012 14:36:50 GMT
x-ms-version:2009-09-19
/(MY_ACCOUNT)/
comp:properties
restype:service'.</AuthenticationErrorDetail></Error>
What's odd is that the error I get back from the server seems to look like that, no matter how many parameters I pass into the Authentication signature.
Thanks for any help you can offer!
Comparing your signed string and the error message indicates that you're sending a POST request but signing as though you're sending a PUT.

Resources