
Re: [Handle-info] Problem authenticating for admin functions of Handle 8.1 REST API via Authorization: Handle



Robert,

Thank you for the quick response.

I found the SimpleAuthExample.js and saw what I was doing wrong with challenge-response authorization for HS_SECKEY. Still, your reply was helpful. Watching the requests/responses going through a proxy helped me understand the logic: a session is created and authenticated for, then a reduced Authorization header is used to perform admin operations.

My first choice was using Authorization: Basic xxx header, just as you advise. However, that did not work. Here's what I did. Please let me know where I went wrong, as I'd like to use Basic auth.

1. Generate auth token using HS_SECKEY of a handle

var id_prefix = "310%3A1712/admin%3A";             // URL-encoded string "310:1712/admin:"
var id_prefix_bytes = cnri.util.Encoder.Utf8.bytes(id_prefix);
var pwd_bytes = cnri.util.Encoder.Utf8.bytes(pwd);  // pwd is just the UTF-8 encoded string "test"
var signatureBytes = concatBytes(id_prefix_bytes, pwd_bytes);
var signature = cnri.util.Encoder.Base64.string(signatureBytes);
// The resultant value is "MzEwJTNBMTcxMi90ZXN0JTNBdGVzdA=="

2. Issue an admin request with Authorization: Basic <token>

curl -k -v -X DELETE -H "Authorization: Basic MzEwJTNBMTcxMi90ZXN0JTNBdGVzdA==" https://128.104.47.219:8000/api/handles/1712/test

*   Trying 128.104.47.219...
* Connected to 128.104.47.219 (128.104.47.219) port 8000 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: anonymous
> DELETE /api/handles/1712/test HTTP/1.1
> Host: 128.104.47.219:8000
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Basic MzEwJTNBMTcxMi90ZXN0JTNBdGVzdA==
> 
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="handle"
< WWW-Authenticate: Handle sessionId="1p879ay2k1wgjqmrtbq881fef", nonce="mvSVQm0ny3WH+n0Do9bpNg=="
< Content-Length: 0
< 
* Connection #0 to host 128.104.47.219 left intact

Ev

________________________________________
From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Sent: Monday, February 1, 2016 2:01 PM
To: Evguenia Krylova
Cc: handle-info@cnri.reston.va.us
Subject: Re: [Handle-info] Problem authenticating for admin functions of Handle 8.1 REST API via Authorization: Handle

The problem I see here is that signatureRaw concatenates strings, then extracts the UTF-8 bytes from the results.  Instead, extract bytes and concatenate bytes:

    var serverNonceBytes = cnri.util.Encoder.Base64.bytes(nonce);
    var clientNonceBytes = cnri.util.Encoder.Base64.bytes(cnonce);
    var passwordBytes = cnri.util.Encoder.Utf8.bytes(pwd);
    var bytesToDigest = concatBytes4(passwordBytes, serverNonceBytes, clientNonceBytes, passwordBytes);
    var signatureBytes = libpolycrypt.sha1(bytesToDigest);
    var signature = cnri.util.Encoder.Base64.string(signatureBytes);

    function concatBytes4(a, b, c, d) {
        var result = new Uint8Array(a.byteLength + b.byteLength + c.byteLength + d.byteLength);
        result.set(new Uint8Array(a), 0);
        result.set(new Uint8Array(b), a.byteLength);
        result.set(new Uint8Array(c), a.byteLength + b.byteLength);
        result.set(new Uint8Array(d), a.byteLength + b.byteLength + c.byteLength);
        return result;
    }

That said, if you are using HS_SECKEY, you should probably just use HTTP Basic Auth.

Robert

> On Jan 29, 2016, at 5:15 PM, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
>
> Could someone post a complete example for authentication via Authorization: Handle using HS_SECKEY?
>
> Following Handle 8.1 docs, I tried using JS libraries of admin application to build the
> Authorization header, but it is not working. Here's how I did this.
>
> 1. Send a DELETE request for an existing handle without authentication info.
> curl -k -v -X DELETE https://128.104.47.219:8000/api/handles/1712/test
>
> < HTTP/1.1 401 Unauthorized
> < WWW-Authenticate: Basic realm="handle"
> < WWW-Authenticate: Handle sessionId="1ee6f696alwg8bh2rrddhsw28", nonce="k51RBUk2rrCpDZkT/++o2w=="
> < Content-Type: application/json;charset=UTF-8
> < Content-Length: 41
> * Connection #0 to host 128.104.47.219 left intact
> {"responseCode":402,"handle":"1712/test"}
>
> 2. Use the info from the challenge response above to construct the Authorization header.
>
> pwd = "xxx"
> nonce = "k51RBUk2rrCpDZkT/++o2w=="
> cnonce = "/rF3GxOoWYeoQuuPXcRAJw=="
> signatureRaw = pwd+nonce+cnonce+pwd
> ("xxxk51RBUk2rrCpDZkT/++o2w==/rF3GxOoWYeoQuuPXcRAJw==xxx")
> signature = cnri.util.Encoder.Base64.string(libpolycrypt.sha1(cnri.util.Encoder.Utf8.bytes(signatureRaw))) =
> ("ECiTL+CMVnadRTFjfZbiNAPIMtY=")
>
> 3. Issue a DELETE request for the handle with Authorization header.
>
> curl -k -v -X DELETE -H 'Authorization: Handle version="0", sessionId="1ee6f696alwg8bh2rrddhsw28", cnonce="/rF3GxOoWYeoQuuPXcRAJw==", id="310:1711/ekrylova", type="HS_SECKEY", alg="SHA1", signature="ECiTL+CMVnadRTFjfZbiNAPIMtY="' https://128.104.47.219:8000/api/handles/1712/test
>
> *   Trying 128.104.47.219...
> * Connected to 128.104.47.219 (128.104.47.219) port 8000 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> * Server certificate: anonymous
> > DELETE /api/handles/1712/test HTTP/1.1
> > Host: 128.104.47.219:8000
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Authorization: Handle version="0", sessionId="1ee6f696alwg8bh2rrddhsw28", cnonce="/rF3GxOoWYeoQuuPXcRAJw==", id="310:1711/ekrylova", type="HS_SECKEY", alg="SHA1", signature="i5R9C5AXnANlkYU9zi1ahLHQh7s="
> >
> < HTTP/1.1 401 Unauthorized
> < WWW-Authenticate: Handle sessionId="1ee6f696alwg8bh2rrddhsw28", nonce="k51RBUk2rrCpDZkT/++o2w==", error="Identity not verified"
> < Content-Length: 0
> <
> * Connection #0 to host 128.104.47.219 left intact
>
>
> Ev
> _______________________________________________
> Handle-Info mailing list
> Handle-Info@cnri.reston.va.us
> http://www.handle.net/mailman/listinfo/handle-info
