Getting 401 Unauthorized for Post requests using Azure API management tool to access World-Check ...

...One API with Pilot account

Hello,

I was looking into testing our access by generating a simple request to the Pilot environment, using a POST request to the “/cases” relative path (api-worldcheck.refinitiv.com/v2/cases ) and was getting a response back with the unauthorized 401 error. I transformed JS code from pre-request script from your postman collection into C# (sending script attached, and request body). Just FYI all Get requests work fine both from postman and azure apim, issue only for Post ones. Post requests also work from postman.

Please let me know if any other info is needed.

Thanks,
Oleksii

Find more posts tagged with

world-check-one

error-401

Accepted answers

All comments

judith.pillado.lseg

Hello @oleksii.kukharenko, thank you for reaching out to us! Could you also provide the request and response headers please? You can mask the API keys since that is sensitive information, but we need to verify that there is no issue with the dateTime value on both request and response headers.

Thanks,

Judith

oleksii.kukharenko

Hello @judith.pillado.lseg .

Please see request/response logs attached. request_response_log.txt

Thanks,
Oleksii

judith.pillado.lseg

@oleksii.kukharenko - thank you for providing this! I will investigate further and will get back to you when I have an update. In the meanwhile, here are some things that I would like for you to verify on your end:

Make sure that the date header value that you are sending is in sync with the NTP or GMT clock. The difference with the API clock should not be greater than 30 seconds. If it is more than 30 seconds, you will get a 401 error.
Check/calculate the content length in the request and omit any extra spaces. Since you received a successful response via Postman, your code's authorization headers and content length should match that of Postman's.
The Authorization header should be in the following format: 'Authorization: "Signature
keyId="XXX{{API-KEY}}XXXXXX",algorithm="hmac-sha256",headers="(request-target)
host date signature="yqVUfwBr/G7KsDAw6xeNGX6u1hMDiNvp3y9sK5P6BKU="'
However, I noticed that your authorization header includes content-type and the content-length after the date and before the signature. Have you tried removing content-type and content-length? If not, please do so and let me know the outcome.
Kindly look at the attached World-Check One API HMAC Walkthrough July 2022.pdf a teammate wrote for the benefit of our users. I hope it is helpful.

Blessings,
Judith

oleksii.kukharenko

Hi @judith.pillado.lseg. Thank you for the response!

Just a quick update on the points you listed:

I'm pretty confident in calculating the date header value, as I just reused the same as for Get type requests, which works without any trouble.
Regarding Content-Length it's a point to investigate from my side. Indeed the calculated numbers are different in postman and apim (or any other text editor). Will figure that out.
As I noticed authorization header should include content-type and the content-length specifically for Post requests (for Get ones they are not included). These ones also included in pre-requests script in postman collection you provided. And without them, requests give 401 in postman as well (with them it's 200).
Sorry, seems I don't have access to the file you linked. Is it possible to check if access can be granted to my account?

Thanks,

Oleksii

judith.pillado.lseg

Hello @oleksii.kukharenko - I hope you are doing well. Were you able to investigate the content-length further (point 2)?
After speaking with my teammates, they provided the following sample code: post request c sharp.txt (I will also email it to you in case you cannot view it/open it.) Please note that you will have to provide your API key on the string apikey, your API secret on the string apisecret, and your group Id on the groupId. My teammates also provided me with get request c sharp.txt in case you need it. Please let me know if you have any further questions.

Blessings,

Judith

oleksii.kukharenko

Hi Judith,

Sorry for it taking so long to respond. I investigated the point regarding content length, using the pdf document you shared with me I was able to remove all excess characters from the request body, so it is equal to one from Postman, but still got 401 response. Next I figured out that the azure system that I use for API design adds its own characters (extra escape characters and \r) at the step of initialization "dataToSign" variable, which is an argument to generate hmac. So I suspect this is the root cause of the problem. Tried to use Regex.Replace() method, but with no success so far. As soon I am able to fix this, will let you know if 401 response is resolved.

Really appreciate your support with this issue.

Thanks,

Oleksii

EXPLORE OUR SITES