API check works but Auth call does not in postman

I extensively looked at various threads but does not help the problem I am facing. I am using the pre-request script (thanks to this community). Was able to get the /auth/v2/check API work properly.

Pre-Request Script in PostMan:

function getAuthHeader(httpMethod, requestUrl, requestBody) { console.log(requestBody); //body data console.log(httpMethod); // http type: POST, GET, ETC

var CLIENT_KEY = ‘MY_INTEGRATION_KEY’;

var SECRET_KEY = ‘MY_SECRET_KEY’;

var AUTH_TYPE = ‘HMAC-SHA1’;

var moment = require(‘moment’)

/* Uncomment out lines below to use your test for getting correct formatted time and date */

var timestamp = moment().format(“ddd, DD MMM YYYY HH:mm:ss ZZ”);

pm.environment.set(“timestampHeader”,timestamp);

//var timestamp = “Tue, 21 Aug 2012 17:29:18 -0000”; /* Only for example */

pm.environment.set(“timestampHeader”,timestamp);

var hostname = “{mypresetURL}.duosecurity.com”;

var apicall = “/auth/v2/check”

var body = “”;

var requestData = timestamp +“\n”+“GET”+“\n”+hostname+“\n”+apicall+“\n”+body;

console.log(requestData);

var hmacDigest = CryptoJS.HmacSHA1(requestData, SECRET_KEY);

console.log(hmacDigest);

var prebase = CLIENT_KEY+“:”+hmacDigest;

console.log(prebase);

var baseComplete = btoa(prebase);

console.log(baseComplete);

var authHeader = "Basic "+baseComplete;

return authHeader;

}

postman.setEnvironmentVariable(‘hmacAuthHeader’, getAuthHeader(request[‘method’], request[‘url’], request[‘data’]));


Duo Response:
{
“response”: {
“time”: 1673984145
},
“stat”: “OK”
}

Now when I use the below script to post an Auth API call for a specific user, I get an error.
Pre-Request Script:

function getAuthHeader(httpMethod, requestUrl, requestBody) { console.log(requestBody); //body data console.log(httpMethod); // http type: POST, GET, ETC

var CLIENT_KEY = ‘MY_INTEGRATION_KEY’;

var SECRET_KEY = ‘MY_SECRET_KEY’;

var AUTH_TYPE = ‘HMAC-SHA1’;

var moment = require(‘moment’)

/* Uncomment out lines below to use your test for getting correct formatted time and date */

var timestamp = moment().format(“ddd, DD MMM YYYY HH:mm:ss ZZ”);

pm.environment.set(“timestampHeader”,timestamp);

//var timestamp = “Tue, 21 Aug 2012 17:29:18 -0000”; /* Only for example */

pm.environment.set(“timestampHeader”,timestamp);

var hostname = “{myURL}.duosecurity.com”;

var apicall = “/auth/v2/auth”;

var body = ‘{"username": "bbanner","factor": "push","async": "false"}’;

var requestData = timestamp +“\n”+“POST”+“\n”+hostname+“\n”+apicall+“\n”+body;

console.log(requestData);

var hmacDigest = CryptoJS.HmacSHA1(requestData, SECRET_KEY);

console.log(hmacDigest);

var prebase = CLIENT_KEY+“:”+hmacDigest;

console.log(prebase);

var baseComplete = btoa(prebase);

console.log(baseComplete);

var authHeader = "Basic "+baseComplete;

return authHeader;

}

postman.setEnvironmentVariable(‘hmacAuthHeader’, getAuthHeader(request[‘method’], request[‘url’], request[‘data’]));

Duo response:
{
“code”: 40103,
“message”: “Invalid signature in request credentials”,
“stat”: “FAIL”
}

Thank you for your help in advance.

I think the request data will change for the Auth POST API. Let me try that first and will update this post.

Updated the request data for the Auth API POST. Still the same issue.

var requestData = timestamp +“\n”+“POST”+“\n”+hostname+“\n”+apicall+“\n”+ “factor=push&username=bbanner&”;

Postman console has this as the request String.

Tue, 17 Jan 2023 16:28:59 -0500
POST
■■■■■■■■■■■■■■■■■■■■■■■■■■■■
/auth/v2/auth
factor=push&username=bbanner

Hi @Ravi_Akkiraju ,

Please note that the device parameter is required when using Push as the factor (Duo Auth API | Duo Security).

You might try the pre-request script from this post as it does not need to be modified when using POST instead of GET requests. It works when using:

var requestData =  timestamp+"\n"+httpMethod+"\n"+API_HOSTNAME+"\n"+api_call+"\n"+encoded_params;
console.log(requestData);

Then use POST https://1234abcd.duosecurity.com/auth/v2/auth?username=bbanner&factor=push&device=auto

Hope this helps!

Hi @DuoPablo - I was sending the post data as JSON body instead of as parameters. Sending as params resolves it.

1 Like