How can I get more info from a 401 Unauthorized response?

Hello, I'm trying to connect to the WC1 API, and I'm getting a 401. How can I know where the problem is?

Here is my header from the last request:

{'Date': 'Sun, 03 Mar 2019 14:53:44', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature=b\'S5wGW9KgVsrOF8tIluOo4YkFUDFLChZNGQInW8y17Og=\''}

And here are the response headers:

{'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Sun, 03 Mar 2019 14:53:43 GMT', 'Server': '""'}

Answers

  • Hi @meirr ,

    401 errors occur because the request has failed an authorization check. This can happen for a variety of reasons, such as:

    a) An invalid or expired API key.

    b) An invalid HMAC signature.

    c) A request timing issue or a problem with the Date header value. The API client should ensure a correctly synchronized clock is used to generate request timestamps.

    d) Incorrect JSON payload formation at the customer’s end, which can cause them to observe a 401 response.

    From your request and response headers, I see that your response time is earlier than your request time. Ensure that the Date header value that you are sending is in sync with the NTP or the GMT clock for the API call to succeed.

    API messages are validated by timestamps, to help guard against replay attacks. Messages are only considered valid if they are processed at the point in time corresponding to their Date request header. A small buffer is used in this calculation to allow for minor clock drifts, discrepancies between client and server clocks, and data transfer round trip times. It is advised that when integrating with the World-Check One API, the machines involved in API communication are properly time synchronised via NTP to help prevent any message validity issues.

  • meirr (Newcomer)

    Thank you for your answer.

    It seems like I tried everything and I still get a 401.

    I'm trying to check if a caseId exists.

    Here are my headers:

    {'Date': 'Mon, 04. Mar 2019 10:29:01 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="yzYrvNTKV5ldDhiOLw1+glELuTro9RUYXE+Dmz2JWP8='}

    And here are the response headers:

    {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 10:29:02 GMT', 'Server': '""'}

  • @meirr

    Can you provide me the complete request and response so that I can investigate this in detail?

    Regards,

    Mehran Khan

  • meirr (Newcomer)

    Below are the request and response:


    REQUEST:

    Header: {'Date': 'Mon, 04. Mar 2019 10:37:56 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature="dMdbcN7zXHvLaH+zuR5RmerfT8vUaSjwQUiqkCe/R5k="'}

    Params: {“caseId”: "ae59c753-c6f3-4d02-97fd-64d6b9356944" }

    URL: https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/caseIdentifiers

    Method: HEAD

    RESPONSE:

    Headers: {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 11:04:30 GMT', 'Server': '""'}

    Response code: 401

  • @meirr

    The difference between the requested time and API clock time shouldn’t be >30 seconds. When it’s more than 30 seconds you get a 401. As you can see from your request and response, the difference is almost 27 minutes; that is the reason why you're seeing a 401. Kindly ensure that the date time value that you're sending is in sync with the NTP or the GMT clock for the API call to succeed.

  • meirr (Newcomer)

    Apologies, my mistake. Here is the new transaction I just made.

    The difference between send and receive is 3 sec.

    REQUEST:

    {'Date': 'Mon, 04. Mar 2019 11:41:46 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature="uRI4YC4yRzIeznKmzJYFIYy6Dc8Ffhe4p8/azId6CNI="'}

    Params: {“caseId”: "ae59c753-c6f3-4d02-97fd-64d6b9356944" }

    URL: https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/caseIdentifiers

    Method: HEAD

    RESPONSE:

    Headers: {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 11:41:49 GMT', 'Server': '""'}

    Code: 401

  • @meirr

    I tried replicating the issue using your keys; I was able to successfully fire the API.

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    HEAD /v1/caseIdentifiers
    Date: Mon, 04 Mar 2019 12:15:51 GMT
    Authorization: Signature keyId="2f392296-1ddc-4568-a73c-0d06ace*****",algorithm="hmac-sha256",headers="(request-target) host date",signature="bVsDWVeI2b2MuafRQapgTf0xKhKfw1x7t7LUTz8weqM="
    cache-control: no-cache
    Postman-Token: ab3ab0d7-d895-4ac7-b0a2-0c89e22ec94f
    User-Agent: PostmanRuntime/7.6.0
    Accept: */*
    Host: rms-world-check-one-api-pilot.thomsonreuters.com
    accept-encoding: gzip, deflate
    content-length:

    HTTP/1.1 200
    status: 200
    X-Application-Context: application
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Date: Mon, 04 Mar 2019 12:15:50 GMT
    Content-Length: 0
    Server: ""

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    I would suggest that you recheck the credentials being passed, and also delete the existing Postman collection, re-import it, and try again.

    Let me know your findings.

    Regards,

    Mehran Khan

  • meirr (Newcomer)

    Hi, Postman is working on my side also; that's not the problem.

    I'm having problems in my Python app.

    Do you maybe have code examples for Python or even PHP? The only problem that I can think of is an incorrect signature.
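
Added example, not part of the thread and not the API vendor's code: a Python sketch that signs a body-less request with the `(request-target) host date` header set shown above, plus a pre-flight check for header shapes a strict server would reject and for the 30-second clock tolerance mentioned in the answers. The signing-string layout (one lowercase `name: value` line per listed header) is an assumption based on the HTTP Signatures convention this `Authorization` format comes from; the function names are hypothetical.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 30  # tolerance quoted in the thread
HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"  # e.g. Mon, 04 Mar 2019 11:41:46 GMT

def signing_string(method, url, date):
    # Assumption: one "name: value" line per entry in headers="...", in that order.
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return (f"(request-target): {method.lower()} {target}\n"
            f"host: {parts.netloc}\ndate: {date}")

def sign_request(method, url, key_id, secret, now=None):
    """Build Date and Authorization headers for a request without a body."""
    date = format_datetime(now or datetime.now(timezone.utc), usegmt=True)
    mac = hmac.new(secret.encode(), signing_string(method, url, date).encode(),
                   hashlib.sha256).digest()
    signature = base64.b64encode(mac).decode("ascii")  # str, so no b'...' in the header
    return {"Date": date,
            "Authorization": f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
                             f'headers="(request-target) host date",signature="{signature}"'}

def _parse(date):
    # Strict parse: returns None for anything that is not an HTTP date in GMT.
    try:
        return datetime.strptime(date, HTTP_DATE).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def check_headers(request_headers, response_date=None):
    """List reasons a server could reject these headers before comparing the HMAC."""
    problems = []
    sent = _parse(request_headers.get("Date"))
    if sent is None:
        problems.append("Date is not an HTTP date ending in GMT")
    if not re.search(r'signature="[A-Za-z0-9+/]+={0,2}"$',
                     request_headers.get("Authorization", "")):
        problems.append("signature is not a double-quoted base64 string")
    received = _parse(response_date)
    if sent and received:
        skew = abs((received - sent).total_seconds())
        if skew > MAX_SKEW_SECONDS:
            problems.append(f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s")
    return problems
```

The Date value that is signed must be byte-for-byte the value sent in the `Date` header, so send the dictionary returned by `sign_request` unchanged.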