I have created an API on Azure API Management with this operation:
POST https://example.azure-api.net/product/check
content-type: application/json
{
"productId":"a77swsa2"
}
productId is a string that cannot have more than 8 characters. How can I protect the API on Azure APIM so that I reject all requests that include a productId of more than 8 characters? Now I see it is possible to paste huge strings and it is all sent to the backend.
You can do that in two ways:
Manually using choose policy and context.Request.Body.As<Jobject>() to parse request body as JObject and then inspect "productId" to check its length and if it's larger than 8 characters use return-response policy to fail the request.
If your API's schema is correct, you can make use of validate-content policy.
Related
I am building a Web API for which the plan is to do OAuth Authentication using Azure AD. The API code is using Microsoft's Owin library and Identity.Web to validate the token once received in HTTP Request header. The challenge is that when I generate client secret from Azure AD and provide that in Web API code to validate received token, there is an error -
The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
Have tried generate client secret multiple times but all trial has resulted in invalid base64 secret. Is there a way to generate base64 compatible client secret from Azure AD because MS Own library needs it that way? Can Azure AD be used for OAuth authentication?
Thanking all in advance.
The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
The above error occurs that when your token is not a valid Base64 encoded string and also you should verify that the base64string length is a multiple of 4 and that it is valid.
In order to correct this, you may have to try to pad it and change - to + and to / as follows:
public static byte[] DecodeUrlBase64(string s)
{
s = s.Replace('-', '+').Replace('_', '/').PadRight(4*((s.Length+3)/4), '=');
return Convert.FromBase64String(s);
}
Your code required encodedbase64 format but token is decoded base64 this may cause the error so try the above code.
Reference:
c# - The input is not a valid Base-64 string as it contains a non-base 64 character - Stack Overflow
I am recently working with Uipath Orchestrator API and I see that they use Bearer token to authenticate. But I am confused and I do not know if this way of authentication is oAuth or it can just be called Bearer Authentication.
So for API authentication, it depends on what orchestrator you are using.
On-Premise
If you are using an on-premise installation of Orchestrator you would send the following JSON body to your Yourorchestrator.com/api/Account/Authenticate
{
"tenancyName":"default",
"usernameOrEmailAddress":"your username",
"password":"your password"
}
you will get a JSON string returned and you want to extract the value for key result this is your authentication token.
Now that you are authenticated you can send your requests with the following header
Name - Authorization
Value - Bearer + your token from above
This is your authentication done.
Cloud
If you are using UiPath cloud instance of orchestrator you will need to send the following JSON body
{
"grant_type" : "refresh_token"
"client_id" : "ClientId"
"refresh_token" : "UserKey"
}
ClientId and UserKey are generated through the cloud instance of Orchestrator
You must also send the following header along with the JSON Body
Name - X-UIPATH-TenantName
Value - Your tenant logical name from orchestrator
Similar to the on-site orchestrator, this will return an authentication token, however, you will need to extract the value for key access_token.
To use this, you send the request with the following 2 headers
Name - Authorization
Value - Bearer + your token from above
Name - X-UIPATH-TenantName
Value - Your tenant logical name from orchestrator
There are some quite useful examples at https://postman.uipath.rocks/?version=latest
It can be quite fiddly to start with, and on-prem Orchestrator is definitely easier to connect with than Cloud orchestrator. I would definitely recommend using Postman to build your API calls
I am new to Zapi(Zephyr API).
Question 1: I am one of Jira user in my project. Jira admin has installed ZAPI(trial version).
Now as a regular user will i able to access ZAPI API's with user ID and credentials
Question 2:
I am trying to evaluate GET call
Endpoint : https://zephyr-cloud/rest/zapi/latest/systemInfo
Headers i am using in postman
Authorization": " Basic " + b64encode(username + ":" + password)
Content-Type:application/json
Please let me know, what I am missing here or else is there any other way I can get access to fetch details.
Thanks
You need to parse session random value from key "AO-7DEABF" (or similar)
from HTML page after authorization into Jira
add then add this (key: value) to each ZAPI request during the session as header
What error are you getting?
Only Authorization and content-type is required for making request via postman. You can encode the username/password from https://www.base64decode.org/ and directly put the encoded value (it will start with the word "basic").
How can I locally reproduce the https GET call that my Azure Scheduler job would execute that uses Basic Authentication with a username/password?
I know I can just type in the URL in the browser to hit the action in my MVC controller, but how does Azure Scheduler send the username/password?
If Azure Scheduler uses Basic Authentication then it will send the username and password as Base64 encoded Authorization header.
The username and password are combined into a string separated by a colon, e.g.: username:password
The resulting string is encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line.
The authorization method and a space i.e. "Basic " is then put before the encoded string.
So for example if your username=john and password=secret, the Authorization header would look like this:
Authorization: Basic am9objpzZWNyZXQ=
So you should make the following HTTP request:
GET /yourcontroller/youraction HTTP/1.1
Authorization: Basic am9objpzZWNyZXQ=
Connection: close
I have an external tool which I connected to my D2L site through LTI. When a student completes his work, I want the tool to send the grade back to the LMS.
I receive a "Not authenticated" message from D2L when sending the grade with the XML payload. How do I authenticate my grade posting?
The authentication required is down to how it must be done as described in the LTI 1.1 implementation guide. In particular (from LTI 1.1 impl guide), pay attention to section 4: LTI Security Model and section 6.1: LTI Basic Outcome Service.
Quick summary of requirements, I believe (as per section 4.3: Security for application/xml Messages):
form up the POX (plain 'ol XML) body
calculate the body hash value
set the oauth_body_hash parm to this value
sign the request as per Oauth signing rules, and note that the oauth_body_hash must be included in the base string to sign together with the other request parms
transmit the oauth_body_hash parm along with the OAuth parms in the signed request
D2L highly recommends that implementors use a reliable OAuth standard library for their particular platform to do the signature generation and verification, rather than attempt to implement the OAuth signing/verification algorithm on their own.
Note that the Oauth parms in this case get transmitted in the request header and not in the body data. The IMS spec itself contains an example of what the body should look like (sec 4.3):
POST http://www.imsglobal.org/developers/BLTI/service_handle.php HTTP/1.0
Host: 127.0.0.1:80
Content-Length: 757
Authorization: OAuth realm="",oauth_version="1.0",
oauth_nonce="29f90c047a44b2ece73d00a09364d49b",
oauth_timestamp="1313350943",oauth_consumer_key="lmsng.school.edu",
oauth_body_hash="v%2BxFnmDSHV%2Fj29qhxLwkFILrtPo%3D",
oauth_signature_method="HMAC-SHA1",
oauth_signature="8auRpRdPY2KRXUrOyz3HKCs92y8%3D"
Content-type: application/xml
<?xml version = "1.0" encoding = "UTF-8"?>
<imsx_POXEnvelopeRequest xmlns = "http://www.imsglobal.org/services/ltiv1p1/xsd/imsoms_v1p0">
<imsx_POXHeader>
<imsx_POXRequestHeaderInfo>
<imsx_version>V1.0</imsx_version>
<imsx_messageIdentifier>999999123</imsx_messageIdentifier>
</imsx_POXRequestHeaderInfo>
</imsx_POXHeader>
<imsx_POXBody>
<readResultRequest>
<resultRecord>
<sourcedGUID>
<sourcedId>3124567</sourcedId>
</sourcedGUID>
</resultRecord>
</readResultRequest>
</imsx_POXBody>
</imsx_POXEnvelopeRequest>