API Help with Bash Script

Howdy All,

First let me admit my ignorance with APIs, and assume that I know nothing.

#!/bin/bash -u

FORM=“Content-Type: application/x-www-form-urlencoded”
NOW=$(date -R)

#get these from the Duo Admin interface
INT=“obfuscated integration key from admin page”
KEY=“obfuscated secret key from admin page”
API=“■■■■■■■■■■■■■■■■■■■■■■■

URL="/auth/v2/check"
#URL="/admin/v1/users"
REQ="$NOW\nGET\n$API\n$URL\n"

#could also use awk here, or the --binary mode as suggested elsewhere
HMAC=$(echo -n “$REQ” | openssl sha1 -hmac “$KEY” | cut -d" " -f 2)

AUTH=$(echo -n “$INT:$HMAC” | base64 -w0)

curl -s -H “Date: $NOW” -H $FORM -H “Authorization: Basic $AUTH” https://$API$URL

gives me this error:
{“code”: 40301, “message”: “Access forbidden”, “message_detail”: “Wrong integration type for this API.”, “stat”: “FAIL”}

If i change it to the “admin” url i get this error
{“code”: 40103, “message”: “Invalid signature in request credentials”, “stat”: “FAIL”}

Basically i want to pull a user l list via the API, but i can’t even get past the authentication piece.

Any help here is much appreciated.

Hello,

I cannot vouch for the code, but you have to use the integration keys for Auth API application in the Duo console when using the auth/vs/check. it sound like you might have just the admin API defined.

Adding our Rep Taylor so she can see.

I have both the Admin and the Auth API keys.

Just need some help on making the HMAC SH1 string and then basic authentication.

i.e. It would be nice to this broken into more steps

https://duo.com/docs/authapi#api-details

Have you found the answer to this? I am getting the same thing and have followed the documentation.

Maybe try not concatenating the request with that newline character?

Like instead of:

REQ="$NOW\nGET\n$API\n$URL\n"

Try:

REQ="$NOW
GET
$API
$URL
"

When I try what you have posted here I get actual \n in the request (I am on a Mac though right now).

ETA: I saw a StackOverflow post tagged with Linux and bash where someone noted that \n was inserting whitespace, which would also throw off the signature.

1 Like

It did not work for me.ANyone had any shell script that worked for the Duo Admin API

I haven’t got it working with Bash either. But I did have someone get it working in Python, but I can’t use that.

The support shown for this kind of stuff here is…

They provide some simple PoC code based on unit tests and from there on, you’re on your own. No functional-ready-to-copy-paste code that you can use.

I managed to build a wrapper shell script against the nodejs module they provide, so I have, so far (I’m just adding commands as we need them):

Anyway it should be easy (I think) too for python wrapping a shell script against this basic command structure:

python -m duo_client.client --ikey nnn --skey nnn --host nnn --path /admin/blah/blah limit=200 --method GET/POST/DELETE

(I don’t know how you specify the parameters there sorry, maybe just in the way the “limit” is specified above).

Regards.