Auth failure when POSTing OAuth access token using API read-only mode

Article ID: 228012


Updated On:

Products

Symantec ZTNA

Issue/Introduction

An API client was created with read-only access to the management API.

All requests from this API client that use any method other than GET are rejected with a 401 error code, regardless of the destination URL, and are not logged.

Sample steps used to reproduce the issue:

1. Send a request to the OAuth token endpoint and receive an access token in the response.

$ curl -k -X POST -H "Authorization: Basic NTUyZTg3YzI0ZjMyNTdhOTVjMWQyNWUzY2JiNDg4MGU6OTE4YTUzNzI1ZTJlYTQ5ODAxYzQzNTI0OGU5MzU5NTM3ODc0YjQ5OTc3YjYwMTM3NWJmNDQ1xxxxx==" https://api.symcncashell2.luminatesite.com/v1/oauth/token

{"access_token":"333a17a7-2b3f-4687-81bc-3e11dd7d583d","expires_in":3600,"scope":"email profile","token_type":"bearer"}

2. Use this access token with the POST method to access the application, and observe the 401 status response.

$ curl -k -X POST -H "lum-api-token: 333a17a7-2b3f-4687-81bc-3e11dd7d583d" https://LuninateMgmtRO.symcncashell2.luminatesite.com/

< HTTP/1.1 401 Unauthorized
< Date: Wed, 10 Nov 2021 10:15:51 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000
<

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Luminate Security | Error</title>
 

Cause

Read-only API clients must use the GET method. POST requests are typically used to write data to the back-end application, which does not work with a read-only resource.

Even though the back-end application is not read-only and should be able to handle POST requests, a read-only (RO) API client cannot be used to front it.

Resolution

Make sure that the GET method is used for any read-only API client:

$ curl -vvv -k -X GET -H "lum-api-token: f1d2afe9-28b1-4203-b8f4-0e16c980d776"  https://LuninateMgmtRO.symcncashell2.luminatesite.com/

> GET / HTTP/1.1
> Host: LuninateMgmtRO.symcncashell2.luminatesite.com
> User-Agent: curl/7.74.0
> Accept: */*
> lum-api-token: f1d2afe9-28b1-4203-b8f4-0e16c980d776

< HTTP/1.1 200 Success
< Date: Wed, 10 Nov 2021 10:17:02 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000


If the back-end application must handle POST requests, create a non-read-only API client on the Secure Access Cloud Portal and use that one instead.
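
Because these 401 responses are not logged, a saved `curl -v` transcript is often the only evidence of what was sent. The following is an added example, not part of the original article or the product, that classifies such a transcript and flags the pattern described above (a non-GET request carrying a `lum-api-token` header and answered with 401). The function names, verdict keywords, host name and token are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a saved `curl -v` transcript read from stdin.
# Verdict keywords and function names are hypothetical, not product output.
diagnose_transcript() {
  awk '
    { sub(/\r$/, "") }                                  # tolerate CRLF line ends
    /^> [A-Z]+ [^ ]+ HTTP\// && method == "" { method = $2 }  # "> POST / HTTP/1.1"
    tolower($0) ~ /^> lum-api-token:/ { has_token = 1 } # header used in the article
    /^< HTTP\// && status == "" { status = $3 }         # "< HTTP/1.1 401 Unauthorized"
    END {
      if (method == "" || status == "")
        print "incomplete: no request line or status line in transcript"
      else if (status == "401" && method != "GET" && has_token)
        print "likely-read-only-client: " method " returned 401; use GET or a non read-only API client"
      else if (status == "401")
        print "auth-failure: 401 on " method "; check that a valid lum-api-token was sent"
      else
        print "ok: " method " returned " status
    }'
}

# Constructed transcripts (placeholder host and token, not real values).
sample_post_401() {
  printf '%s\n' '> POST / HTTP/1.1' '> Host: app.example.invalid' \
    '> lum-api-token: 00000000-0000-0000-0000-000000000000' '>' \
    '< HTTP/1.1 401 Unauthorized' '< Content-Type: text/html'
}
sample_get_200() {
  printf '%s\n' '> GET / HTTP/1.1' '> Host: app.example.invalid' \
    '> lum-api-token: 00000000-0000-0000-0000-000000000000' '>' \
    '< HTTP/1.1 200 Success'
}

sample_post_401 | diagnose_transcript
sample_get_200 | diagnose_transcript
```

To check a real request, save the verbose output with `curl -v ... 2> transcript.txt` and pipe that file into `diagnose_transcript`.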

Additional Information

The documentation is not clear on this requirement and will be updated to highlight it.