I am trying to generate the objects of an API OData Service in my application.
This service is a vendoring app by ERP SAP (version 2.0). The authorization header property is a Basic credential.
After I add the header and click the button to generate, the server returns an error 401 (not authorized), but the credentials are ok.
In the Postman the request returns the metadata correctly.
Analyzing the request with a sniffer http was verified that the wizard sends two requests. The first request returns a status 200 (OK), but the second request returns the status 401 and throws the error in the wizard.
How can I configure the wizard to stop sending two requests or simply add the header property with the credentials in the second request?
Related
Postman returns a 400 Bad Request error when trying to simulate a login request to an ASP.NET Core Web Application that has an authentication of individual user accounts stored in-app.
However, I am able to log in when using the default application template generated by Visual Studio. Using Chrome DevTools, it seems like the request is as follows:
Request URL: application/Identity/Account/Login
Request Method: POST
Content-Type: application/x-www-form-urlencoded
Form Data:
Input.Email: user's email address
Input.Password: user's password
__RequestVerificationToken: token
Input.RememberMe: user's selection of either true or false
I have unsuccessfully tried to simulate this using Postman as follows: Postman request headers and Postman request body
Postman returns a 400 Bad Request error without any additional information: Postman response with 400 error code
Please could you help me determine what is wrong in my request when attempting to simulate the login with Postman?
Edit: I did not write any custom code for this. It is the default template generated in Visual Studio. I tried looking for the function that gets called when I use the built-in login page
When I add a scaffold "Identity" to the project using Visual Studio, the login page is named Login.cshtml and it uses the default LoginModel. When I tried to debug with a breakpoint, I see that it calls a function named OnPostAsync in the LoginModel class.
However, when I use Postman, the breakpoint is not reached. Therefore, I think this may be because my current request structure is incorrect
Sometime this may help. Decorate your PageModel class with [IgnoreAntiforgeryToken(Order = 1001)]. The key is the Order parameter. The built-in [ValidateAntiforgeryToken] has an order of 1000, and therefore explicitly setting [IgnoreAntiforgeryToken] to anything greater than 1000 should resolve the issue.
refer - Disabling antiforgery token verification
I am trying to create a Webex team using the following process. But not working. I had created JWT token and exchanged it for access token which I had passed in to the Authorization header in the API call. But I keep getting the error message that I mentioned below. And another fact is I can execute the same API with GET method which returns the number of teams I had.I had followed steps in the webex developer site. But I can't create the team.
Request URL:
https://api.ciscospark.com/v1/teams
Request Method:
POST
The following is the header that I passed to the API
Accept:
application/json
Content-Type:
application/json
Authorization:
Bearer eyJhbGciOiJSUzI1NiJ9.eyJtYWNoaW5lX3R5cGUiOiJhcHB1c2VyIiwiY2x1c3RlciI6IlBGODQiLCJwcml2YXRlIjoiZXlKamRIa2lPaUpLVjFRaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJaXdpWVd4bklqb2laR2x5SW4wLi4zRnp6Mkh4c2k0TnI4Z24yMk03cm1BLjhtUnRIYUhOWXBkQ2ZydUR1d0s0MnJNMlhZTEZvNHJKN0NTTkJSQ21kZFRnNTdzUzZ1cUVxcjZFakQ0Yk1JOUY5NFluOWx6VGFWcnRHVkpLOGo2djNzX1VBaTJ2Rnk5TDl3Z05SaUlOczB3NU5yTkxLLUx3TDNQdGhiMzJEYzF2TlhGZkRtakFmSjlOZG1QeEdMQVYxWU9EVnhnNE5MbnpHNDczY24zaTJlbWlfdVBzbk9LRTZHYjEwMVBkekdCSVVQaGRwMkY4bVZhd3hzN2pxbUdzVmEtdXJaYXhpN243emZyaXBjUE5HZjNhSURWb011LVkzaXN0ak03U2s1Qno4TXcwNFZueXpGYWt4LWw0WHlfdUVJalpDeXNsNU56TGNTWkVHc2hJRnJsVHZmdzZZU1J4elV0cXJ2Y3hrX09GT01ZeFRsSDVvSXVsSXdXRWpVQ2o5RTBWZVJMNHB2Z3BQYTRkOE1zNHR6Tmh3cmNpRV9Hd0Fob0tmOE9oMEVQZTM4MmdaOW5wNFJvOWRVSnBnRGszR3NhYWx4ZmJubFRmMmt6RWVjQlJCa0NnSEJXRjhUZXNpdWZWV2djWktZX0E1dXh0aTlMSTB0Umk5X3ZsNjJuTy1uMlh5dm1VZlQxUUxLNmthamJwU01renRUOHdLRkxxLVdTVk54TUJlMWRid094Ni1nN0c3bldLZ1J5ZEpEVEdrazMtRW9wbVRURnZhTEk2dkp6S3NGTzlGRUFJVld1ZFd2RWlWWjVXdVN3dS5yS3RJTzZ6aVpFVE1XV3ZhOEVZaElnIiwicmVmZXJlbmNlX2lkIjoiODlkNjdlZDUtOTU5My00YjBjLWI0MGEtMGFjOTE0OTZlZjZkIiwiaXNzIjoiaHR0cHM6XC9cL2lkYnJva2VyLndlYmV4LmNvbVwvaWRiIiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImNsaWVudF9pZCI6IkMzMTE3NzIzYTBhNGM5ODVhOGJkNmRkYTc2Zjc3NjZjNTEzMjRiNmY0MWJmNGZlZjFjMmM4Mjc4NGExZjI5NzVjIiwidXNlcl90eXBlIjoibWFjaGluZSIsInRva2VuX2lkIjoiQWFaM3IwWkRabU1XWXhaVEF0T0dGbU15MDBOR05oTFdKa09EY3RZVFZrTmpjM056STBNamhoTkRkaU9XVXlNbU10TkdOaiIsInVzZXJfbW9kaWZ5X3RpbWVzdGFtcCI6IjIwMTkwNTI3MDQxNzQ4LjEwMloiLCJyZWFsbSI6IjM5ZWQ0NDRmLTU2NGUtNDFlNC05N2VkLWI4MWFmNzM0ZWVkMCIsImNpc191dWlkIjoiNjJkZWU2NjktNDE5OC00N2YzLWE2ODgtNzA4YWQxM2VjNDc3IiwiZXhwaXJ5X3RpbWUiOjE1NTg5NTIyNzA0NTB9.VNUms24YsiwNbU_KN0Y7v1osAilq1MMiIQn6DRnyNitJAgeTLuyrwiYM0JIaox-dQxQKBp897uAj9vksg0ik2-j2MddcRmx4gsVF787uw7VpCIiZNNME346__xddvmmttna7IErBTz84hqZsnvSlmKLpus4lQs_k9I8ZHTsuPJ9FRXPry6ZAmPjDk1uWGGWFXyOSgH-VkDj9hY9Fy_6r7MKIn0YV21dxIKaZVZ6DMo1NSJM68I-90Vv-QbQY3gBeH25ZXDNDDBJg6-woMF2QPk_N8zrL8G1WPRXxGAA_lqGr_qGq65CfOwuqGikpLsRtjhWU4sYDX3xrK918W08CFw
This is the parameter I passed to the API
name=hearingteam
This is the server response
{"message":"The request could not be understood by the server due to malformed syntax.","errors":[{"description":"The request could not be understood by the server due to malformed syntax."}],"trackingId":"ROUTER_5CEB64F0-FC8D-01BB-05C2-7AA62A6905C2"}
The API requires parameters to be passed in JSON format.
Eg : JSON.stringyfy({"name":"hearingteam"});
I'm using the vanilla Identity 2.x for authentication in my MVC website. The client side, angularjs is sending a post request to Account controller's Login method.
Now the use case is to reject the http post request with a Http Status Code 401.1 when the User is disabled.
Vanilla Login method returns a bool value based on login success or failure.
I tried sending a Http response with StatusCode set as 401 but the browser receives a 200 OK with the 401 in a header variable.
How do I send a response with 401 and not get it hijacked by the 200 code.
If I use HttpUnauthorized, the browser receives a 500 internal server along with the entire aspx page contents.
I'm using MVC 5.2, C# 6.0
You should throw proper exception - HttpResponseException. Try do it like that:
var message = new HttpResponseMessage(HttpStatusCode.Unauthorized) { ReasonPhrase = "ohhh no!" };
throw new HttpResponseException(msg);
We implemented custom authentication. User name and password are send in request body. If user or password is invalid then Server returns HTTP 401. Server is implemented with C#, MVC3 and .NET 4.0.
We faced the problem that if client received 401 then it automatically resends the same request 2 times. Actually this is issue for iOS only. iOS guys said that it happens on low level and it is out of control in application. So probably server should be able to say client do not send request again.
This is problem for us because we use Active Directory and in case of invalid password we spend 3 attempts instead of just one. So account becomes locked very soon and unexpectedly.
I found this document that says
401 Unauthorized
... The client MAY repeat the request with a suitable Authorization header field.
How to return HTTP 401 and say to client DO NOT repeat request anymore?
You may use 403 instead:
From W3 site:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
Indeed, this is a little tricky: 403 seems more appropriate when authentication was successful, but the resource requested is not allowed for the specific user, which is not your case. However, 403 means client should not repeat authentication, and this is what you want.
If the login page is to be interpreted only by humans, then you may consider returning "200 OK" and simply display the login page again (perhaps with a visible indication to the user that the login has failed).
I created authorize attribute in some controller. When my browser using jquery call this api to get data, it gets unauthorized 401 status code, my browser always show authencation popup. It is ugly. I think it can be resolved by remove WWW-Authenticate header? How do I remove it in Web API.
Thanks a lot!
According to the HTTP specification, when responding with status code 401, the server MUST include a WWW-Authenticate header.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.htmt