For a deeper look into our World Check One API, look into:

Overview |  Quickstart |  Documentation |  Downloads

question

Upvotes
16 0 0 2

Missing www-authenticate header when receiving 401 responses.

Hello,

As per section 4.1 of RFC-7235, when an HTTP server returns a 401 response, it must also return a WWW-Authenticate header :

A server generating a 401 (Unauthorized) response MUST send a 
WWW-Authenticate header field containing at least one challenge.


However, when the refinitiv server returns 401, it returns the following header :

Authorization: WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length"


This is indeed an "Authorization" header, not a WWW-Authenticate, and it cannot be used to extract the signature challenge in a clean generic way.

As long as this header is returned (in place of "WWW-Authenticate"), the only way of generating a valid Authorization header on the client side is to use preemptive authorization.

This might be fine for code crafted especially to access the refinitiv server, but it won't work for generic code (gateways and/or proxies, etc...). For instance, we use a gateway that handles all authorization computing for different providers, and it cannot process refinitiv queries because of this issue.

Are you aware of this issue, and do you plan to fix this at some point ?

Thanks in advance.

world-checkworld-check-oneauthenticationerror-401
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
4.2k 8 5 6

@parabellum

Please allow us some time to get back with response on this.


In the mean time, can you please elaborate "This is indeed an "Authorization" header, not a WWW-Authenticate, and it cannot be used to extract the signature challenge in a clean generic way. "

Thanks.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
16 0 0 2

Thank you for your response.


I wrote that it is indeed an Authorization header because the header received starts with the string "Authorization:", instead of "WWW-Authenticate:".

Authorization: WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length" 


The server should have sent this string instead :

WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length" 

This last example tells the client that it should authenticate to the server using a Signature (along with the expected parameters).

This is what is defined in the HTTP Authentication specifications ( https://tools.ietf.org/html/rfc7235#section-4.1 ).


Also, I believe there is another compliance problem regarding the signature string construction ( https://tools.ietf.org/id/draft-cavage-http-signatures-12.html#rfc.section.2.3 ) :
for POST queries, you expect the payload to be appended to the message being signed ; but this fact does not appear in the "headers" parameter returned by the server (it only contains "(request-target) host date content-type content-length").
But this should go in another ticket I guess ;)

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvote
16 0 0 2

Another error I noticed, is that when replying with 401 to a GET request, refinitiv does not return the expected "headers" value.

we get :

headers="(request-target) host date content-type content-length" 

whereas (since it's a GET query), it should be :

headers="(request-target) host date" 

Attached is a copy of postman's console for the faulty exchange...


This according signature authentication scheme is specified in RFC7235 ( https://tools.ietf.org/id/draft-cavage-http-signatures-12.html )


icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
4.2k 8 5 6

@parabellum

I am still trying to get the answer from the dev team. Please allow me some time so that I can get back with updates on this.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
1 0 0 0

@Irfan.Khan I have same issue as @parabellum.

> Another error I noticed, is that when replying with 401 to a GET request, refinitiv does not return the expected "headers" value.

I also found that the expected headers for signature differs by API, regardless of request method.

For example, according to Postman Collection's Pre-request Script,

SEQ-screen-async: Screen a case (POST /cases/caseSystemId/screeningRequest) expects only

headers="(request-target) host date"

, while other POST API such as SEQ-screen-sync-simple: Perform Synchronous Screening: Simple (POST /cases/screeningRequest), expects

headers="(request-target) host date content-type content-length"

It's hard to distinguish which of headers list we need to use for the particular API.

Is there any rules? How can we decide which of headers list should be used for the particular API?

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
1 1 2 2

Dear, did you have a solution to your problem?, I think I present the same and I can't solve it.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
1 0 0 0

I believe i have the same error . although the headers that work for Linux do not from a windows box. Hope this gets more responses. I've addded/ removed every possible headed from the successful postman hits

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.