API check works but Auth call does not in postman

API forum Auth API forum
#1

I extensively looked at various threads but does not help the problem I am facing. I am using the pre-request script (thanks to this community). Was able to get the /auth/v2/check API work properly.

Pre-Request Script in PostMan:

function getAuthHeader(httpMethod, requestUrl, requestBody) { console.log(requestBody); //body data console.log(httpMethod); // http type: POST, GET, ETC

var CLIENT_KEY = ‘MY_INTEGRATION_KEY’;

var SECRET_KEY = ‘MY_SECRET_KEY’;

var AUTH_TYPE = ‘HMAC-SHA1’;

var moment = require(‘moment’)

/* Uncomment out lines below to use your test for getting correct formatted time and date */

var timestamp = moment().format(“ddd, DD MMM YYYY HH:mm:ss ZZ”);

pm.environment.set(“timestampHeader”,timestamp);

//var timestamp = “Tue, 21 Aug 2012 17:29:18 -0000”; /* Only for example */

pm.environment.set(“timestampHeader”,timestamp);

var hostname = “{mypresetURL}.duosecurity.com”;

var apicall = “/auth/v2/check”

var body = “”;

var requestData = timestamp +“\n”+“GET”+“\n”+hostname+“\n”+apicall+“\n”+body;

console.log(requestData);

var hmacDigest = CryptoJS.HmacSHA1(requestData, SECRET_KEY);

console.log(hmacDigest);

var prebase = CLIENT_KEY+“:”+hmacDigest;

console.log(prebase);

var baseComplete = btoa(prebase);

console.log(baseComplete);

var authHeader = "Basic "+baseComplete;

return authHeader;

}

postman.setEnvironmentVariable(‘hmacAuthHeader’, getAuthHeader(request[‘method’], request[‘url’], request[‘data’]));

Duo Response:
{
“response”: {
“time”: 1673984145
},
“stat”: “OK”
}

Now when I use the below script to post an Auth API call for a specific user, I get an error.
Pre-Request Script:

function getAuthHeader(httpMethod, requestUrl, requestBody) { console.log(requestBody); //body data console.log(httpMethod); // http type: POST, GET, ETC

var CLIENT_KEY = ‘MY_INTEGRATION_KEY’;

var SECRET_KEY = ‘MY_SECRET_KEY’;

var AUTH_TYPE = ‘HMAC-SHA1’;

var moment = require(‘moment’)

/* Uncomment out lines below to use your test for getting correct formatted time and date */

var timestamp = moment().format(“ddd, DD MMM YYYY HH:mm:ss ZZ”);

pm.environment.set(“timestampHeader”,timestamp);

//var timestamp = “Tue, 21 Aug 2012 17:29:18 -0000”; /* Only for example */

pm.environment.set(“timestampHeader”,timestamp);

var hostname = “{myURL}.duosecurity.com”;

var apicall = “/auth/v2/auth”;

var body = ‘{"username": "bbanner","factor": "push","async": "false"}’;

var requestData = timestamp +“\n”+“POST”+“\n”+hostname+“\n”+apicall+“\n”+body;

console.log(requestData);

var hmacDigest = CryptoJS.HmacSHA1(requestData, SECRET_KEY);

console.log(hmacDigest);

var prebase = CLIENT_KEY+“:”+hmacDigest;

console.log(prebase);

var baseComplete = btoa(prebase);

console.log(baseComplete);

var authHeader = "Basic "+baseComplete;

return authHeader;

}

postman.setEnvironmentVariable(‘hmacAuthHeader’, getAuthHeader(request[‘method’], request[‘url’], request[‘data’]));

Duo response:
{
“code”: 40103,
“message”: “Invalid signature in request credentials”,
“stat”: “FAIL”
}

Thank you for your help in advance.

#2

I think the request data will change for the Auth POST API. Let me try that first and will update this post.

#3

Updated the request data for the Auth API POST. Still the same issue.

var requestData = timestamp +“\n”+“POST”+“\n”+hostname+“\n”+apicall+“\n”+ “factor=push&username=bbanner&”;

Postman console has this as the request String.

Tue, 17 Jan 2023 16:28:59 -0500
POST
■■■■■■■■■■■■■■■■■■■■■■■■■■■■
/auth/v2/auth
factor=push&username=bbanner

#4

Hi @Ravi_Akkiraju ,

Please note that the device parameter is required when using Push as the factor (Duo Auth API | Duo Security).

image
image830×195 16.1 KB

You might try the pre-request script from this post as it does not need to be modified when using POST instead of GET requests. It works when using:

var requestData =  timestamp+"\n"+httpMethod+"\n"+API_HOSTNAME+"\n"+api_call+"\n"+encoded_params;
console.log(requestData);

Then use POST https://1234abcd.duosecurity.com/auth/v2/auth?username=bbanner&factor=push&device=auto

Hope this helps!

#5

Hi @DuoPablo - I was sending the post data as JSON body instead of as parameters. Sending as params resolves it.

1 Like