basicauthentication | Community Creatio

15:51 Apr 10, 2024

Hi Expert ,

I am trying to use Creatio api with basic authentication . I am following below links :

https://documenter.getpostman.com/view/10204500/SztHX5Qb#46f97170-d66d-…;

NotWorking in PostMan : As per documention it's not working in postman. Stored BPMCSRF value from Response Header Cookie of Token Request and call get api with BPMCSRF / ForceUseSession headers key with it's value .Removed cookies from get request. Send the the get request it's giving a html response without any error details.

Working in PostMan : In PostMan Send Token request then send get request (https://steuler.creatio.com/0/odata/Product?$top=1) without set any Header keys it's working fine. In this scenario i can see token request response header cookie values are sending bydefault by Postman in the get request.

NotWorking in Consol Application : As per 2nd scenario i am trying to send a Get api request with token generate Response header cookies values but it's showing html error without any error details

NotWorking in Consol Application : As per documentation Stored BPMCSRF value from Response Header Cookie of Token Request and call get api with BPMCSRF / ForceUseSession headers key with it's value .But showing html error without any error details.

i have attached my screen shots for reference.From my side any configuraration need to be changed Creation envionment for that my scenario Can you give me any proper documents which i can follow and will be worked ?

below is my console application code :

// Create HttpClient

using (HttpClient httpClient = new HttpClient())

{

// Create HttpRequestMessage

HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, @"https://steuler.creatio.com/0/odata/Product?$top=1");

// Set request headers

request.Headers.Add("Accept", "application/json");

request.Headers.Add("ForceUseSession", "true");

request.Headers.Add("BPMCSRF", "YtuvyS.WPYmW5BChY5anK.");

// Send the request

HttpResponseMessage response = httpClient.SendAsync(request).ConfigureAwait(false).GetAwaiter().GetResult();

// Check response status

if (response.IsSuccessStatusCode)

{

string responseData = response.Content.ReadAsStringAsync().ConfigureAwait(false).GetAwaiter().GetResult();

}

}

Thanks and Regards

Surajit Kundu

2 comments

Ryan Farley

18:46 Apr 10, 2024

I don't see in your code the call to authenticate. I assume that you're previously calling /ServiceModel/AuthService.svc/Login somewhere to get the BPMCSRF value? See https://documenter.getpostman.com/view/10204500/SztHX5Qb#46f97170-d66d-…

Note, the BPMCSRF value doesn't last forever, so it does need to be a recently obtained value.

This article shows the complete steps for executing requests via Postman which might help: https://academy.creatio.com/docs/8.x/dev/development-on-creatio-platfor…

Ryan

Surajit kundu

20:44 Apr 11, 2024

Ryan Farley,

Thanks for your reply . Below is my token generation code from where i have taken cookies value for my 2nd request .Before i have not attached that token generation part as these is working fine. In postman it's working fine using Cookies based authentication.In my Console application i am sending all the Cookies (BPMLOADER, .ASPXAUTH, BPMCSRF, and UserName) as a Header Key and value in further requests to Creatio services that use cookie-based authentication but it's showing Html Error ?

static async Task<Dictionary<string, string>> TokenGenerateDictionary()

{

var headerCookies = new Dictionary<string, string>();

using (var client = new HttpClient())

{

client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

using (var request = new HttpRequestMessage(HttpMethod.Post, @"https://steuler.creatio.com/ServiceModel/AuthService.svc/Login"))

{

request.Content = new StringContent($"{{\"UserName\":\"ram\",\"UserPassword\":\"abcd\"}}", Encoding.UTF8, "application/json");

var response = client.SendAsync(request).Result;

var responseString = await response.Content.ReadAsStringAsync();

JObject responseJson = JObject.Parse(responseString);

int code = (int)responseJson["Code"];

if (code == 0 && response.IsSuccessStatusCode)

{

foreach (string setCookieHeader in response.Headers.GetValues("set-cookie"))

{

string[] cookies = setCookieHeader.Split(';');

if (cookies.Length > 0)

{

string[] keyValue = cookies[0].Trim().Split('=');

if (keyValue.Length == 2)

{

string key = keyValue[0];

string value = keyValue[1];

if (!headerCookies.Keys.Contains(key))

headerCookies.Add(key, value);

}

}

}

}

}

}

return headerCookies;

}

Request Get Operation send cookies in Header Key :

var tokenHeaderCookiesData = TokenGenerateDictionary().ConfigureAwait(false).GetAwaiter().GetResult();

string requestUri = @"https://steuler.creatio.com/0/odata/Product?$top=1";

using (HttpClient httpClient = new HttpClient())

{

HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUri);

foreach (string key in tokenHeaderCookiesData.Keys)

{

//BPMLOADER, .ASPXAUTH, BPMCSRF, and UserName

if (key== "BPMLOADER" || key == ".ASPXAUTH" || key == "BPMCSRF" || key == "UserName")

request.Headers.Add(key, tokenHeaderCookiesData[key]);

}

HttpResponseMessage response = httpClient.SendAsync(request).ConfigureAwait(false).GetAwaiter().GetResult();

string responseData = response.Content.ReadAsStringAsync().ConfigureAwait(false).GetAwaiter().GetResult();

}

Html Error Response with status OK:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" culture="en-US">

<head><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="fontiran.com:license" content="LAXSN" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>

   Creatio

</title>

   <style>

       .font-preload {

           position: absolute;

           opacity: 0;

       }

       .font-preload-open-sans {

           font-family: "Bpmonline Open Sans";

       }

       .font-preload-open-sans-light {

           font-family: "Bpmonline Open Sans Light";

       }

       .font-preload-open-sans-bold {

           font-family: "Bpmonline Open Sans Bold";

       }

   </style>

<script type="text/javascript" src="https://steuler.creatio.com//core/8dc3ccad339641a4ecd1ecb0b57f017d/Terr…"></script>

<script type="text/javascript" src="https://steuler.creatio.com/api/ClientScript/GenerateLoginScripts"></script>

<script type="text/javascript" src="https://steuler.creatio.com//core/057665f97324038f6c7c326b6734de6b/requ…" data-main="https://steuler.creatio.com//core/0fbfa51b1de27f89696f0f8d31da5f16/Terr…" async></script>

<script type="text/javascript"></script>

</head>

<body>

   <div class="font-preload">

       <span class="font-preload-open-sans">_</span>

       <span class="font-preload-open-sans-light">_</span>

       <span class="font-preload-open-sans-bold">_</span>

   </div>

   <form name="IndexForm" method="post" action="./NuiLogin.aspx?ReturnUrl=%2f0%2fodata%2fProduct%3f%24top%3d1&%24top=1" id="IndexForm">

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="+mvmSAOrSFVSNU1VvvnnAv5lt45aMHGRIkN033uMqlv/X2Fn2421RrzZayJqLBBTzwEnVTCtLeOrFnkbGP1c32c1p4dJwgJeute2MMWvNkRY1wHA" />

Thanks

Surajit Kundu

Show all comments

Authorization API send more than one Set-Cookie header

Anusha

22:41 Sep 11, 2021

From the /ServiceModel/AuthService.svc/Login authorization API respond with 4 Set-Cookie headers in the response. But according to the spec [https://datatracker.ietf.org/doc/html/rfc6265#section-4.1] , "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name." From the client application, it can't get the all 4 header values, only first one retrievable. Could you please give a fix or suitable workaround for this.

2 comments

Best reply

Bogdan Lesyk

11:35 Sep 13, 2021

Hi Anusha,

it's now allowed in HTTP/2 (https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.5), which specifies:

8.1.2.5.  Compressing the Cookie Header Field
 
   The Cookie header field [COOKIE] uses a semi-colon (";") to delimit
   cookie-pairs (or "crumbs").  This header field doesn't follow the
   list construction rules in HTTP (see [RFC7230], Section 3.2.2), which
   prevents cookie-pairs from being separated into different name-value
   pairs.  This can significantly reduce compression efficiency as
   individual cookie-pairs are updated.
 
   To allow for better compression efficiency, the Cookie header field
   MAY be split into separate header fields, each with one or more
   cookie-pairs.  If there are multiple Cookie header fields after
   decompression, these MUST be concatenated into a single octet string
   using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
   before being passed into a non-HTTP/2 context, such as an HTTP/1.1
   connection, or a generic HTTP server application.
 
   Therefore, the following two lists of Cookie header fields are
   semantically equivalent.
 
     cookie: a=b; c=d; e=f
 
     cookie: a=b
     cookie: c=d
     cookie: e=f

Please also check out this article:

https://datatracker.ietf.org/doc/html/rfc6265#page-7

Best Regards,

Bogdan L.

Bogdan Lesyk

11:35 Sep 13, 2021

Hi Anusha,

it's now allowed in HTTP/2 (https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.5), which specifies:

8.1.2.5.  Compressing the Cookie Header Field
 
   The Cookie header field [COOKIE] uses a semi-colon (";") to delimit
   cookie-pairs (or "crumbs").  This header field doesn't follow the
   list construction rules in HTTP (see [RFC7230], Section 3.2.2), which
   prevents cookie-pairs from being separated into different name-value
   pairs.  This can significantly reduce compression efficiency as
   individual cookie-pairs are updated.
 
   To allow for better compression efficiency, the Cookie header field
   MAY be split into separate header fields, each with one or more
   cookie-pairs.  If there are multiple Cookie header fields after
   decompression, these MUST be concatenated into a single octet string
   using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
   before being passed into a non-HTTP/2 context, such as an HTTP/1.1
   connection, or a generic HTTP server application.
 
   Therefore, the following two lists of Cookie header fields are
   semantically equivalent.
 
     cookie: a=b; c=d; e=f
 
     cookie: a=b
     cookie: c=d
     cookie: e=f

Please also check out this article:

https://datatracker.ietf.org/doc/html/rfc6265#page-7

Best Regards,

Bogdan L.

Anusha

15:11 Sep 13, 2021

Bogdan Lesyk,

Thanks Bogdan. It was really helpfull, will check alternative way to process from the client API side.

Show all comments

Basic authentication for custom configuration services

M Shrikanth

09:20 Jul 09, 2020

Hello Community!

The Creatio documentation suggests that basic authentication is only available for the OData API and not for a custom configuration web service. Anonymous/Forms authentication are the only 2 ways to authenticate for configuration web services. Would like to reconfirm this.

A typical system integration use case is the following -

1. Creatio pings an external product/system asking it to do some asynchronous processing.

2. External product/system pings a Creatio custom configuration call back to inform it regarding the status.

Typically, external products only permit registering a callback URL and do not provide for customization to do forms authentication with Creatio. How does one over come this? One way is to make the call back permit anonymous authentication but this is a bad security practice. Is there a way to enable basic authentication for custom configuration services on Creatio?

4 comments

Dennis Hudson

13:48 Jul 09, 2020

Hello!

Custom configuration service becomes available after user authentication via the AuthService.svc. If you don't have a possibility to call it directly from your integration you can create another layer of service from your side to send a response from external product and call auth service and after that configuration web service.

https://academy.creatio.com/documents/technic-sdk/7-16/creating-configuration-service

Best regards,

Dennis

M Shrikanth

14:10 Jul 09, 2020

Dennis Hudson,

Hi Dennis. We are not in a position to do any customization on the external system side.

Is there anything we can do on Creatio's side to facilitate this?

Dennis Hudson

15:17 Jul 09, 2020

M Shrikanth,

The only way to bypass the Auth service for configuration web services is to create an anonymous web service. As a workaround, you can path login and password to the method in this service and check the validity of credentials in this service using auth service.