WebDAV return 401 - How to authenticate? - authentication

I have a problem with WebDAV. I have to get a list of files. I have this request:
<?xml version="1.0"?>
<D:searchrequest xmlns:D = "DAV:">
<D:sql>
SELECT "DAV:displayname" FROM "address" WHERE "DAV:ishidden" = false AND "DAV:isfolder" = false
</D:sql>
</D:searchrequest>
Response:
401 - Unauthorized: Access is denied due to invalid credentials.
I have user and password (who has access), but I don't know, how I can put this data to XML request.

WebDAV uses an HTTP authentication.
So you put your credentials to an HTTP header, not to the WebDAV XML in the HTTP body.
The basic HTTP authentication works like:
You get a WWW-Authenticate header from the server
WWW-Authenticate: Basic realm="server"
You include the Authorization header to the next request. The value of the header is:
Authorization: Basic username:password
where the username:password is in Base-64 encoding.
Authorization: Basic dXNlcjpwYXNzd29yZA==
For details, see
Basic access authentication on Wikipedia
RFC 7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication

Related

Cannot read the Token when pass it to API

I am using JWT in order to authenticate the token. When I pass the request using postman API returns an error
'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'TokenValue!#%^&'
How to solve this
Postman request
http://localhost:52586/api/Doctor
Content-Type:application/json
Authorization:Bearer {{NurseAdminToken}}
Encode your token as Base64 string. and then send
so your Authorization header will be like:
Bearer e3tOdXJzZUFkbWluVG9rZW59fQ==
Refer this jwt
You have to pass access token in http request as a header.Please look it in below
GET /api/api/Notification/GetNotifications HTTP/1.1
Host: 192.168.2.50:4551
Authorization: bearer 7fc4Z5ui--NVhvIBBwEWzJXGAROd7TBYprY-
8aQNuoSS7GSjhtikGksKss78GzT7CYPlGfPmnl-
TlTpCOQ9nYU1JTpAEwBGftqLHOSMUmX2BCIvk92S-DMForqb2l-
Cache-Control: no-cache

Office 365 REST Calendar API for creating events failing with HTTP - 403 when authenticated using OAuth bearer token

My azure hosted web API uses the O365 Calendar and Mail REST APIs for creating events and mails on behalf of the users. All necessary permissions have been enabled for the corresponding Azure AD application. My question - Accessing the mail API using the Bearer OAuth token as part of the header succeeds but when I use the same token for the events API, it fails with a 403.
The Documentation I have been following for my implementation is the official msdn one and the update - https://social.msdn.microsoft.com/Forums/exchange/en-US/6fc135ae-f8f9-4b4d-b50b-f00a2bd79a30/office-365-rest-api-mail-calendar-contacts-update?forum=exchangesvrdevelopment
Fiddler trace (Raw view of request) -
POST https://outlook.office365.com/ews/OData/Me/Events HTTP/1.1
Accept: application/json
client-request-id: 00000000-0000-0000-0000-000000000000
Authorization: Bearer <OAuth token>
Content-Type: application/json; charset=utf-8
Host: outlook.office365.com
Content-Length: 287
Expect: 100-continue
{"Attendees":[{"EmailAddress":{"Address":"sample#sample.com","Name":null},"Type":"Required"}],"Body":{"Content":"Hello World","ContentType":"HTML"},"End":"2014-10-22T19:00:00Z","Location":{"DisplayName":"Conf Room M"},"Start":"2014-10-22T18:00:00Z","Subject":"Testing"}
Text view of response -
{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
Fiddler trace of the Mail API request that works fine -
POST https://outlook.office365.com/ews/OData/Me/sendmail HTTP/1.1
Accept: application/json
client-request-id: 00000000-0000-0000-0000-000000000000
Authorization: Bearer <OAuth Token>
Content-Type: application/json; charset=utf-8
Host: outlook.office365.com
Content-Length: 171
Expect: 100-continue
Connection: Keep-Alive
{"Message":{"Body":{"Content":"Test","ContentType":"HTML"},"Subject":"test","ToRecipients":[{"EmailAddress":{"Address":"sample#sample.com","Name":null}}]}}
Considering that you are getting a 403 (Forbidden) error for one API, I'd suggest you review the resources enabled for the application. Can you make sure you have Write permissions for the Calendar API? I know you mentioned that you've done this before, I'm just checking in case of the small chance you missed those Write perms.
Sorry for having kept this question hanging.
The issue was with the ClientSecret (either had stale permissions on it or was wrong in the first place). Generating a new one via the management portal fixed this issue.

Datastore API always returning "dsid: Missing Value" error

I'm trying to follow the datastore API tutorial and this simple request (sent via Fiddler):
POST https://api.dropbox.com/1/datastores/get_or_create_datastore HTTP/1.1
User-Agent: Fiddler
Host: api.dropbox.com
Content-Length: 12
Authorization: Bearer [snipped]
dsid=default
always results in this error response:
HTTP/1.1 400 Bad Request
{"error": {"dsid": "Missing value"}}
The access token was created from the developer app console, and my test app has full dropbox permissions. Running the list_datastores API call succeeds and reports that I do have one datastore with a dsid of default.
I think you'll need a header of Content-Type: application/x-www-form-url-encoded, since you're sending form-encoded parameters.

NTLM-authenticaion fails but Basic authentication works

Here's what happens on the local server when application invokes HTTP request on local IIS.
request.Credentials = CredentialCache.DefaultNetworkCredentials;
request.PreAuthenticate = true;
request.KeepAlive = true;
When I execute the request, I can see the following series of HTTP calls in Fiddler:
Request without authorization header, results in 401 with WWW-Authenticate NTLM+Negotiate
Request with Authorization: Negotiate (Base64 string 1), results in 401 with WWW-Authenticate: Negotiate (Base64 string 2)
Request with Authorization: Negotiate (Base64 string 3), results in 401 with WWW-Authenticate: Negotiate (Base64 string 4)
Request with Authorization: Negotiate (Base64 string 3), results in 401 with WWW-Authenticate NTLM+Negotiate
Apparently the client and the server (both running on the same machine) are trying to handshake, but in the end authorization fails.
What is strange is that if I disable Windows authentication of the site and enable Basic authentication and send user/pwd explicitly, it all works. It also works if I use NTLM authentication and try to access the site from the browser specifying my credentials.
Well, after several hours of struggling I figured what the problem was. In order to be able to inspect network traffic in Fiddler I defined a Fiddler rule:
if (oSession.HostnameIs("MYAPP")) { oSession.host = "127.0.0.1"; }
Then I used "MYAPP" instead of "localhost" in the Web app reference, and Fiddler happily displayed all session information.
But server security was far less happy, so this alias basically broke challenge-response authentication on the local server. Once I replaced the alias with "localhost", it all worked.

twitter api issue

I'm integrating "Sign in with twitter account" function at my site.
So, I'm sending request to https ://twitter.com/oauth/request_token, getting token, making redirect to https ://twitter.com/oauth/authenticate?oauth_token=%oauth_token%
Then I recieving call back with oauth_token and oauth_verifier
This goes fine.
But than I need to call https ://api.twitter.com/1/account/verify_credentials.json to get authorizated client details
I'm sending:
GET https ://api.twitter.com/1/account/verify_credentials.json
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: q=0.8,en-us;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
X-Auth-Service-Provider: https ://api.twitter.com/1/account/verify_credentials.json
X-Verify-Credentials-Authorization: OAuth realm="http://api.twitter.com/", oauth_signature="acYFjEgUrTcyb4FMBoJF8MlwZGw%3D", oauth_timestamp="1286899670", oauth_consumer_key="%CONSUMER_KEY%", oauth_nonce="268310006", oauth_token="%oauth_token%", oauth_version="1.0", oauth_signature_method="HMAC-SHA1"
%oauth_token% - token got when twitter redirects me back the cleint
%CONSUMER_KEY% - my twitter account's consumer key
And getting back
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, max-age=300
Connection: close
Date: Tue, 12 Oct 2010 16:07:45 GMT
Server: hi
Vary: Accept-Encoding
WWW-Authenticate: Basic realm="Twitter API"
{"error":"Could not authenticate you.","request":"/1/account/verify_credentials.json"}
Can anyone plz advice me what's wrong here?
Thanks!
After you receive the callback you have to make request to POST oauth/access_token to exchange the temporary request_token for a permanent access_token associated with the user. Once you receive the access_token you can perform the GET account/verify_credentials request.
Here is a good flow chart explaining how the full OAuth process works.
Flow Chart
It sounds like you're two thirds of the way through the authentication. Now you need to exchange your authorised request token for a permanent access token.
You are using header to pass parameters (X-Verify-Credentials-Authorization), instead you should be using GET method. If you are using php Zend framework's OAuth component, then it should look like
$client->setMethod(Zend_Http_Client::GET);