401 Authorization error only with POST method to World Check API

Question

question

rob.kent

21 ●0 ●3 ●4

401 Authorization error only with POST method to World Check API

I can call any GET method on the Refinitiv World Check API and everything is signed and works okay but when I try to POST a Case, I get a 401 error. It works fine from Postman using my key and secret but my C# code doesn't. I have tried replacing the JSON content just with "{}" but it seems to be the authorisation failing before the server tries to process my message. This my code that creates the authorisation:

This is code that does the Hmac:

The GET and POST methods are identical and use common code apart from when set the content elements of the data to sign and obviously when we set the request message content.

Here is my actual code for the POST which uses the GET signature first then adds its own parms:

        var byteLength = new UTF8Encoding().GetBytes(jsonContent).Length;

        var dataToSign = MakeCommonSignedData(httpMethod, localPath, utcDate)
                         + "\n" +
                         $"content-type: {ContentTypeJson}\n" +
                         $"content-length: {byteLength}\n" +
                         jsonContent;

        var hmac = EncodeHmac256(dataToSign);

        return $"Signature keyId=\"{config.ApiKey}\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date content-type content-length\",signature=\"{hmac}\"";

Here is the logged data to sign:

(request-target): post /v2/cases
host: api-worldcheck.refinitiv.com
date: Sat, 11 Mar 2023 16:14:09 GMT
content-type: application/json
content-length: 295
{
  "note": null,
  "groupId": "5jb8a2z6imev1h93zc1zzooof",
  "entityType": "INDIVIDUAL",
  "caseId": "49db5529-b50c-4459-b1d3-ab52558eec58",
  "name": "Rob Kent",
  "nameTransposition": false,
  "providerTypes": [
    "WATCHLIST"
  ],
  "customFields": [],
  "secondaryFields": []
}

Signature keyId="XXXXXXXXXXXXXX",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="gbSDLGSAtfK8+fdvi9i56UduGGARVMLXpgRg8DNLLrs="

Here is my code that calls the above and sends the message:

        var utcNow = DateTime.UtcNow;

        var requestMessage = new HttpRequestMessage(new HttpMethod(httpMethod), url);

        var jsonContent = jsonBody == null ? "" : JsonObjectBase.Serialize(jsonBody);
        //var jsonContent = httpMethod == httpGet ? null : "{}";

        var authorisation = MakeAuthorisation(httpMethod, localPath, utcNow, jsonContent);

        requestMessage.Headers.Date = utcNow;
        requestMessage.Headers.Add("Authorization", authorisation);
        requestMessage.Headers.Add("Accept", ContentTypeJson);
        requestMessage.Headers.Add("Cache-Control", "no-cache");

        if (jsonContent.HasValue())
        {
            logger.Debug($"{httpMethod} JSON content:\r\n{jsonContent}");
            requestMessage.Content = new StringContent(jsonContent, Encoding.UTF8, ContentTypeJson);
        }

        return await SendRequestAndParseResponseString(requestMessage);

Apparently the HttpClient creates the content-type and content-length headers automagically when you create the body content in that way.

I may have code-blindness from looking at it too long so if anyone can see anything wrong, I would be most grateful.

#product worldcheck-one-api posting case

authorisecontent.png (356.7 KiB)

encodehmac.png (72.0 KiB)

Mar 11, 2023 at 04:45 PM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 1 · 2023-03-13T11:29:09Z

rob.kent

21 ●0 ●3 ●4

This was a very obscure problem that was solved by the Refinitiv team who did a Teams session with me and spotted the issue after we captured the output in Fiddler.

The issue is that the Refinitiv C# sample uses the older HttpWebRequest class and I am using the HttpClient library. When you set the Content with HttpWebRequest, you do this:

WebReq.ContentType = "application/json";
WebReq.ContentLength = byte1.Length;
Stream newStream = WebReq.GetRequestStream();
newStream.Write(byte1, 0, byte1.Length);

So you have set the ContentType explicitly.

With HttpClient, you do this:

requestMessage.Content = new StringContent(jsonContent, Encoding.UTF8, "application/json);

This automagically produces a request header of:

Content-Type: application/json; charset=utf-8

This no longer matches what you put in your data to sign:

string dataToSign = "(request-target): post " + gatewayurl + "cases/screeningRequest\n" +
    "host: " + gatewayhost + "\n" +   // no https only the host name
    "date: " + date + "\n" +          // GMT date as a string
    "content-type: " + "application/json" + "\n" +
    "content-length: " + byte1.Length + "\n"+
    postData;

So to fix it you have to change your data to sign so that it matches the actual content header, as follows:

// The content-type line must match exactly what the HttpClient creates when you set the Content.
// This is different to the Refinitiv sample code which uses the old WebRequest not HttpClient.
 $"content-type: application/json; charset=utf-8\n" +
 $"content-length: {byteLength}\n" +
 jsonContent;

When your signed data matches exactly the specified headers, the authorization error should go away.

Mar 13, 2023 at 11:29 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

rob.kent Mar 15, 2023 at 11:54 AM

Although the above fix worked, I later started getting a 415 error. The documentation says:

"For requests with payloads, an unsupported Content-Type was specified. The World-Check One API only supports a content type of application/json."

I don't know why this suddenly started happening but you can override the content headers after setting the content like this:

requestMessage.Content.Headers.ContentType = new MediaTypeHeaderValue(ContentTypeJson);

I then changed my signing code back to what it was originally:

$"content-type: {ContentTypeJson}\n" + 
$"content-length: {byteLength}\n" +
jsonContent;

Answer 2 · 2023-03-12T07:02:53Z

ssneha.balasubramanian

546 ●4 ●0 ●2

Hi @rob.kent.

I'm looking into your code for a possible cause of the error. I have also attached the sample code provided by World-Check for your reference - fsp-sdk-csharp.zip. Thank you.

Regards,

Ssneha Balasubramanian.

fsp-sdk-csharp.zip (10.9 KiB)

Mar 12, 2023 at 07:02 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

rob.kent Mar 12, 2023 at 12:13 PM

Thank you. I have looked at that sample code and it is pretty much the same as the sample I got from this page https://developers.refinitiv.com/en/api-catalog/customer-and-third-party-screening/world-check-one-api/downloads

Not sure why but the above link refers to an older URL but the C# code is pretty much the same. It is a shame you don't have a sample that uses the more modern HttpClient library rather than WebRequest.

I took your sample code to create my own and as far as I can see they are the same but I might be missing something.

If you can see anything different/wrong with my code, I would be interested to know.

Thanks for your help!

refinitiv-csharp-page.png (83.5 KiB)

refinitiv-csharp.png (169.8 KiB)

rob.kent Mar 12, 2023 at 12:35 PM

I captured the request using Fiddler:

Here is the raw request:

POST https://api-worldcheck.refinitiv.com/v2/cases HTTP/1.1
Date: Sun, 12 Mar 2023 12:29:12 GMT
Authorization: Signature keyId="XXXXXXXXXXXXX",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="5cFUajFSdOgsAuMxdNJoIul84UihBuJdLv6GmMC6TNM="
Accept: application/json
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Host: api-worldcheck.refinitiv.com
Content-Length: 295
Connection: Keep-Alive

{
  "note": null,
  "groupId": "5jb8a2z6imev1h93zc1zzooof",
  "entityType": "INDIVIDUAL",
  "caseId": "e690b6c6-b962-4bd8-bda3-d7cb90f080d9",
  "name": "Rob Kent",
  "nameTransposition": false,
  "providerTypes": [
    "WATCHLIST"
  ],
  "customFields": [],
  "secondaryFields": []
}

Answer 3 · 2023-03-12T16:05:21Z

ssneha.balasubramanian

546 ●4 ●0 ●2

Hi @rob.kent.

Can you please send me a meeting invite tomorrow for a timeslot of your choice so we can connect regarding this? Thank you.

Regards,

Ssneha Balasubramanian.

Mar 12, 2023 at 04:05 PM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

rob.kent Mar 12, 2023 at 07:38 PM

Thanks. Will find the best time when I am in the office tomorrow.

rob.kent Mar 13, 2023 at 09:12 AM

Could you send me an email and I will set up a meeting for 11 GMT. Thanks

Answer 4 · 2023-03-13T12:57:52Z

Mehran Khan

1.3k ●4 ●1 ●2

@rob.kent - I am marking this question as private as your API key im visible here.

Mar 13, 2023 at 12:57 PM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

rob.kent Mar 13, 2023 at 12:59 PM

It is a test key but I would rather we masked the key rather than lose all that information.

Mehran Khan rob.kent Mar 13, 2023 at 01:06 PM

Sure, marking it back to public

rob.kent Mehran Khan Mar 13, 2023 at 01:07 PM

Thanks a lot!

Mehran Khan rob.kent Mar 13, 2023 at 01:02 PM

Yes, so no information would be lost, marking it private basically means it will only be visible to us and yourself and not the other users on the dev portal.

rob.kent rob.kent Mar 13, 2023 at 01:04 PM

I have removed the ids so please leave it as public. It is important that others with the same problem can find the question and solution. Thanks

Q&A Forum

question

401 Authorization error only with POST method to World Check API

4 Answers

Write an Answer

question

401 Authorization error only with POST method to World Check API

4 Answers

Write an Answer

Related Questions