
We have an API that is currently working with basic authentication.

(The call for this API is written in Visual Studio, VB.NET to be precise.)

 

    Using ApiClient As New HttpClient()
        Dim URI As Uri = New Uri(RequestURL)
        Dim MessageContent As HttpContent
        Dim AuthenticationString As String = $"{ApiUserName}:{ApiPassword}"
        Dim EncodedAuthenticationString As String = Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes(AuthenticationString))
        ApiClient.DefaultRequestHeaders.Authorization = New AuthenticationHeaderValue("Basic", EncodedAuthenticationString)
        Dim response As HttpResponseMessage = Await ApiClient.GetAsync(URI)
        MessageContent = response.Content
        Return Await MessageContent.ReadAsStringAsync()
    End Using

 

This is working and I can retrieve data.

 

I have written code before that talked to an API, using an HttpClient class that uses an Azure secret key, passed along in the HTTP request header. I thought I could reuse this way of authenticating, since basic authentication is something I'd rather not use.

 

    Using ApiClient As New HttpClient()
        Dim URI As Uri = New Uri(RequestURL)
        Dim MessageContent As HttpContent
        ApiClient.DefaultRequestHeaders.Add("x-api-key", ApiKey)
        Dim response As HttpResponseMessage = Await ApiClient.GetAsync(URI)
        MessageContent = response.Content
        Return Await MessageContent.ReadAsStringAsync()
    End Using

 

In the Thinkwise IAM we have entered a Personal Access Token, which I assume is the equivalent of an Azure secret key. (Configuring it looks very much the same, with having to write it down or losing it forever.)

The key is then something along the lines of

IND-someGUIDcode.

 

Using this code as the API key in the code above does not work, however, and the code returns the following data when doing the API call:

 

<script nonce="D30D15BD69">
window.location.replace("OURhomeURL/account/ui/login?returnurl=APIcallUrl");
</script>

(URLs changed for security reasons)

 

Now the questions are: 

  1. Is this due to a wrong setup of the PAT?
  2. Can we treat the PAT as an Azure secret key?
  3. Has anyone coded against this from a Visual Studio environment (VB.NET, C#), and if so, what did you do?

 

Indicium expects personal access tokens created for Thinkwise applications or Indicium itself to be passed as a bearer token when authenticating.

So modifying your first example with something like this:

    Dim AppPAT As String = "IND-<rest of your pat token etc.>"
    ApiClient.DefaultRequestHeaders.Authorization = New AuthenticationHeaderValue("Bearer", AppPAT)

Should make it work. No need to encode the value into base64 like when using Basic authentication etc.

Note: Hard coding the token like I just did above to give an example is obviously not a good idea. Like with any authentication values remember to store/pass around your PAT values in a more secure way.

 


Thanks for the pointers. 

 

I tried that, which resulted in a 403-Forbidden message, so will have to check further on the token itself.


Hello @s.vermeulen,

The 403 response indicates that authentication was successful, but the PAT token lacks the required permissions to perform the requested operation.

Have you managed to solve this problem meanwhile, or do you need more assistance?
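
The bearer-token call from the answer above, as an added example that is not part of the original thread and not Thinkwise's own code: it reads the PAT from an environment variable instead of hard coding it, and it separates the login redirect quoted in the question from the 403 discussed in the last reply. The variable name `INDICIUM_PAT`, the module name and the helper `GetWithPatAsync` are assumptions made up for this example.

```vbnet
Imports System
Imports System.Net
Imports System.Net.Http
Imports System.Net.Http.Headers
Imports System.Threading.Tasks

Module IndiciumPatExample
    ' One shared client; the token is attached per request, not to DefaultRequestHeaders.
    Private ReadOnly Client As New HttpClient()

    ' Hypothetical helper: GET with the PAT as a bearer token, turning the
    ' failure modes seen in this thread into explicit, distinct errors.
    Public Async Function GetWithPatAsync(requestUrl As String) As Task(Of String)
        ' Assumption: the PAT is supplied through an environment variable
        ' (name invented for this example) rather than living in source code.
        Dim pat As String = Environment.GetEnvironmentVariable("INDICIUM_PAT")
        If String.IsNullOrWhiteSpace(pat) Then
            Throw New InvalidOperationException("INDICIUM_PAT is not set.")
        End If

        Using request As New HttpRequestMessage(HttpMethod.Get, requestUrl)
            ' Bearer scheme with the raw token value: no Base64 step as with Basic.
            request.Headers.Authorization = New AuthenticationHeaderValue("Bearer", pat)

            Using response As HttpResponseMessage = Await Client.SendAsync(request)
                Dim body As String = Await response.Content.ReadAsStringAsync()

                ' 401: the server did not accept the credentials at all.
                If response.StatusCode = HttpStatusCode.Unauthorized Then
                    Throw New UnauthorizedAccessException("401: token missing or rejected.")
                End If
                ' 403: the token was accepted, but it lacks permission for this resource.
                If response.StatusCode = HttpStatusCode.Forbidden Then
                    Throw New UnauthorizedAccessException("403: token accepted, permissions insufficient.")
                End If
                ' The unauthenticated response quoted in the question is a script that
                ' redirects to the login page; treat it as a failure, not as API data.
                If body.IndexOf("/account/ui/login?returnurl=", StringComparison.OrdinalIgnoreCase) >= 0 Then
                    Throw New UnauthorizedAccessException("Login redirect returned: request was not authenticated.")
                End If

                response.EnsureSuccessStatusCode()
                Return body
            End Using
        End Using
    End Function
End Module
```

The error messages name the failure mode only; the token itself is never written into an exception or log line.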

