Resolved Consume REST API with credentials

[AlexJames]

Hi All

I'm trying to consume a REST API, the issue i'm having is that i need to pass four credentials in the header, it's not just a "basic" authentication with user and password. I keep getting a "400 bad request" error and cant figure out where i'm going wrong. Please could someone point me in the right direction.

public string WebRequestCall(string url)
        {
            string username = "JohnDoe";
            string password = "Testing123";
            string collection = "ea85fbf3-5858-4348-bcab-08a8f39ad30c";
            string markasread = "False";

            var request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "GET";
            request.Accept = "application/json";

            string encodeUser = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(username));
            string encodePassword = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(password));
            string encodeCollection = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(collection));
            string encodeMarkAsRead = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(markasread));

            request.Headers.Add("Authorization", "Basic " + encodeUser);
            request.Headers.Add("Authorization", "Basic " + encodePassword);
            request.Headers.Add("Authorization", "Basic " + encodeCollection);
            request.Headers.Add("Authorization", "Basic " + encodeMarkAsRead);

            var content = string.Empty;

            using (var response = (HttpWebResponse)request.GetResponse())
            {
                using (var stream = response.GetResponseStream())
                {
                    using (var sr = new StreamReader(stream))
                    {
                        content = sr.ReadToEnd();
                        sr.Close();
                    }
                }
            }
            return content;
        }

 

[Skydiver]

Can you link to the API documentation that says you should pass your credentials that way? E.g. using the Authorization header multiple times. I find it more likely that it is supposed to be a single header with multiple values delimited. But again the only way to find out is for you to show us the documentation.

 

[NoUserHere]

I suggest reading : HTTP 400 Bad Request Error C# regarding the error.
And I conclude it may have something to do with your encoding : What encoding should I use for HTTP Basic Authentication? but as already noted in the links. You're receiving a response from the server, but it's the server that doesn't like your request. And as Skydiver pointed out, unless we know what your server actually expects, there is no way for us to trouble shoot this for you until you provide that information. If you can't do that, you need to go back to whoever provided you with the details to construct your request as you have, and seek further advice from them first.

 

[AlexJames]

Thank you for your replies Skydiver and Sheepings, unfortunately the client only provided me with the login credentials and url there's not much else in that e-mail. I had to contact the client's IT chap as I originally setup basic auth in postman and wasn't getting a response, he then informed me that the credentials need to be in the header as separate parameters. I got the communication working in VB6 as that was originally the clients idea, I didn't put any encoding in VB6, do i have to use encoding in dot net ?

 

[AlexJames]

I also attempted to send the header credentials in the same line as below but got the same error.

string encoded = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(username + ":" + password + ":" + collection + ":" + markasread));

 

[Skydiver]

I suggest asking the client for a sample request and response.

 

[AlexJames]

I suggest asking the client for a sample request and response.

Thanks Skydiver, I'll do that.
also trying to see if i can grab that data from Postman.

 

[AlexJames]

Hi All

managed to get it working, the issue was with the encoding, the below works perfectly.

            request.Headers.Add("username", username);
            request.Headers.Add("password", password);
            request.Headers.Add("collection", collection);
            request.Headers.Add("Markasread", markasread);

 

[Skydiver]

Wow. Talk about a non-standard way of sending authentication. Non-standard including that since those look to be non-standard headers, they should actually be named "X-username", "X-password", "X-collection" and "X-Markasread", not those current header names as shown in post #8. Oh well, it's the protocol that your client wants.

 

[NoUserHere]

the issue was with the encoding

And I conclude it may have something to do with your encoding

I called it, but I also think that your client; as in your customer, has some server-side changes to do too. When I first looked at your encoding, It's also not the standard for username/passwords. UTF8 is. All I will say is that I hope I never use this service to send data to.

 

[AlexJames]

I called it, but I also think that your client; as in your customer, has some server-side changes to do too. When I first looked at your encoding, It's also not the standard for username/passwords. UTF8 is. All I will say is that I hope I never use this service to send data to.

It's unfortunately one of those situations where the client for whatever reason cannot provide a good a spec of the work required, neither any API documentation, trial and error coding LOL.

 

[AlexJames]

Wow. Talk about a non-standard way of sending authentication. Non-standard including that since those look to be non-standard headers, they should actually be named "X-username", "X-password", "X-collection" and "X-Markasread", not those current header names as shown in post #8. Oh well, it's the protocol that your client wants.

I basically just replicated what i did in Postman, as per their suggestion. Without the proper API documentation who knows lol, at least it's working.

 

[NoUserHere]

at least it's working

Insecurely, and not by modern standards. Well, it's not your job...but they should be encoding/decoding.

 

[Skydiver]

Oh my god... The client is supposedly a big data and financial data integrator/warehouse based on our OP's other thread. If they messed up doing web protocols and security this badly, what else are they doing wrong?

 

[NoUserHere]

Wait until they experience a compromising situation. Its the only time they will pay more attention to their security advisers and the techies who brought it to their attention...I've seen this many times over the years, and it doesn't surprise me any more!

Just remind me never to use their services in the future.