
Re: [Handle-info] Problem authenticating for admin functions of Handle 8.1 REST API via Authorization: Handle



Here, I think the issue is with the second colon.

Basic auth uses a Base64-encoded username:password string where username and password are separated by a literal colon.

Unfortunately the Handle notion of "username" also uses a colon to separate index and handle, and handles might include colons.  *Those* colons must be percent-encoded.  But the colon separating "username" from password must *not* be percent-encoded.

So, try 

    var id_prefix = "310%3A1712/admin:";

and see if that resolves the issue.

You can simplify your code a bit.  In this case, you really can concatenate before converting to bytes, because the username and password are just strings.  Also, in this particular case, you know that your string is ASCII only and so can use the built-in JavaScript "btoa" function to convert to Base64.  (Do note that btoa does not in general work with non-ASCII strings.)

So: var signature = btoa("310%3A1712/admin:test");

Robert

> On 2016-02-01, at 16:41, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
> 
> Robert,
> 
>  Thank you for the quick response. 
> 
> I found the SimpleAuthExample.js and saw what I was doing wrong with challenge-response authorization for HS_SECKEY. Still, your reply was helpful. Watching the requests/responses going through a proxy helped me understand the logic: a session is created and authenticated for, then a reduced Authorization header is used to perform admin operations.
> 
> My first choice was using Authorization: Basic xxx header, just as you advise. However, that did not work. Here's what I did. Please let me know where I went wrong, as I'd like to use Basic auth.
> 
> 1. Generate auth token using HS_SECKEY of a handle
> 
> var id_prefix = "310%3A1712/admin%3A";   // URL-encoded string "310:1712/admin:"
> var id_prefix_bytes = cnri.util.Encoder.Utf8.bytes(id_prefix);
> var pwd_bytes = cnri.util.Encoder.Utf8.bytes(pwd);   // pwd is just the UTF-8 encoded string "test"
> var signatureBytes = concatBytes(id_prefix_bytes, pwd_bytes);
> var signature = cnri.util.Encoder.Base64.string(signatureBytes);
>  (The resultant value is "MzEwJTNBMTcxMi90ZXN0JTNBdGVzdA==")
> 
> 2. Issue an admin request with Authorization: Basic <token>
> 
> curl -k -v -X DELETE -H "Authorization: Basic MzEwJTNBMTcxMi90ZXN0JTNBdGVzdA==" https://128.104.47.219:8000/api/handles/1712/test
> 
> *   Trying 128.104.47.219...
> * Connected to 128.104.47.219 (128.104.47.219) port 8000 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> * Server certificate: anonymous
>> DELETE /api/handles/1712/test HTTP/1.1
>> Host: 128.104.47.219:8000
>> User-Agent: curl/7.43.0
>> Accept: */*
>> Authorization: Basic MzEwJTNBMTcxMi90ZXN0JTNBdGVzdA==
>> 
> < HTTP/1.1 401 Unauthorized
> < WWW-Authenticate: Basic realm="handle"
> < WWW-Authenticate: Handle sessionId="1p879ay2k1wgjqmrtbq881fef", nonce="mvSVQm0ny3WH+n0Do9bpNg=="
> < Content-Length: 0
> < 
> * Connection #0 to host 128.104.47.219 left intact
> 
> Ev
> 
> ________________________________________
> From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
> Sent: Monday, February 1, 2016 2:01 PM
> To: Evguenia Krylova
> Cc: handle-info@cnri.reston.va.us
> Subject: Re: [Handle-info] Problem authenticating for admin functions of Handle 8.1 REST API via Authorization: Handle
> 
> The problem I see here is that signatureRaw concatenates strings, then extracts the UTF-8 bytes from the results.  Instead, extract bytes and concatenate bytes:
> 
>    var serverNonceBytes = cnri.util.Encoder.Base64.bytes(nonce);
>    var clientNonceBytes = cnri.util.Encoder.Base64.bytes(cnonce);
>    var passwordBytes = cnri.util.Encoder.Utf8.bytes(pwd);
>    var bytesToDigest = concatBytes4(passwordBytes, serverNonceBytes, clientNonceBytes, passwordBytes);
>    var signatureBytes = libpolycrypt.sha1(bytesToDigest);
>    var signature = cnri.util.Encoder.Base64.string(signatureBytes);
> 
>    function concatBytes4(a, b, c, d) {
>        var result = new Uint8Array(a.byteLength + b.byteLength + c.byteLength + d.byteLength);
>        result.set(new Uint8Array(a), 0);
>        result.set(new Uint8Array(b), a.byteLength);
>        result.set(new Uint8Array(c), a.byteLength + b.byteLength);
>        result.set(new Uint8Array(d), a.byteLength + b.byteLength + c.byteLength);
>        return result;
>    }
> 
> That said, if you are using HS_SECKEY, you should probably just use HTTP Basic Auth.
> 
> Robert
> 
>> On Jan 29, 2016, at 5:15 PM, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
>> 
>> Could someone post a complete example for authentication via Authorization: Handle using HS_SECKEY?
>> 
>> Following Handle 8.1 docs, I tried using JS libraries of admin application to build the
>> Authorization header, but it is not working. Here's how I did this.
>> 
>> 1. Send a DELETE request for an existing handle without authentication info.
>> curl -k -v -X DELETE https://128.104.47.219:8000/api/handles/1712/test
>> 
>> < HTTP/1.1 401 Unauthorized
>> < WWW-Authenticate: Basic realm="handle"
>> < WWW-Authenticate: Handle sessionId="1ee6f696alwg8bh2rrddhsw28", nonce="k51RBUk2rrCpDZkT/++o2w=="
>> < Content-Type: application/json;charset=UTF-8
>> < Content-Length: 41
>> * Connection #0 to host 128.104.47.219 left intact
>> {"responseCode":402,"handle":"1712/test"}
>> 
>> 2. Use the info from the challenge response above to construct the Authorization header.
>> 
>> pwd = "xxx"
>> nonce = "k51RBUk2rrCpDZkT/++o2w=="
>> cnonce = "/rF3GxOoWYeoQuuPXcRAJw=="
>> signatureRaw = pwd+nonce+cnonce+pwd
>> ("xxxk51RBUk2rrCpDZkT/++o2w==/rF3GxOoWYeoQuuPXcRAJw==xxx")
>> signature = cnri.util.Encoder.Base64.string(libpolycrypt.sha1(cnri.util.Encoder.Utf8.bytes(signatureRaw))) =
>> ("ECiTL+CMVnadRTFjfZbiNAPIMtY=")
>> 
>> 3. Issue a DELETE request for the handle with the Authorization header.
>> 
>> curl -k -v -X DELETE -H 'Authorization: Handle version="0", sessionId="1ee6f696alwg8bh2rrddhsw28", cnonce="/rF3GxOoWYeoQuuPXcRAJw==", id="310:1711/ekrylova", type="HS_SECKEY", alg="SHA1", signature="ECiTL+CMVnadRTFjfZbiNAPIMtY="' https://128.104.47.219:8000/api/handles/1712/test
>> 
>> *   Trying 128.104.47.219...
>> * Connected to 128.104.47.219 (128.104.47.219) port 8000 (#0)
>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> * Server certificate: anonymous
>>> DELETE /api/handles/1712/test HTTP/1.1
>>> Host: 128.104.47.219:8000
>>> User-Agent: curl/7.43.0
>>> Accept: */*
>>> Authorization: Handle version="0", sessionId="1ee6f696alwg8bh2rrddhsw28", cnonce="/rF3GxOoWYeoQuuPXcRAJw==", id="310:1711/ekrylova", type="HS_SECKEY", alg="SHA1", signature="i5R9C5AXnANlkYU9zi1ahLHQh7s="
>>> 
>> < HTTP/1.1 401 Unauthorized
>> < WWW-Authenticate: Handle sessionId="1ee6f696alwg8bh2rrddhsw28", nonce="k51RBUk2rrCpDZkT/++o2w==", error="Identity not verified"
>> < Content-Length: 0
>> <
>> * Connection #0 to host 128.104.47.219 left intact
>> 
>> 
>> Ev
>> _______________________________________________
>> Handle-Info mailing list
>> Handle-Info@cnri.reston.va.us
>> http://www.handle.net/mailman/listinfo/handle-info
> 
