Auth/v2/auth giving a 40103 but auth/v2/preauth working fine

Hello,

I’m attempting to hit the auth/v2/auth route using parameters supplied from the preauth route.
Once I get device details I start a new call to /auth/v2/auth.

In all my calls to DUO I use my own Auth header generation logic, and this logic generates the correct Basic Auth header to make successful calls to /auth/v2/preauth, but for some reason when I’m attempting to hit the auth route it gives me this error:
{
  "code": 40103,
  "message": "Invalid signature in request credentials",
  "stat": "FAIL"
}
The canonical string I’m generating for use in the HMAC looks like this for the auth route:

Tue, 15 Dec 2020 13:27:23 -0500
POST
■■■■■■■■■■■■■■■■■■■■■■■■■■■■
/auth/v2/auth
username=fake&factor=push&device=XXXXXXXXXXXXXXXXXXXX

And the endpoint I’m hitting ends up looking like this:
https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■/auth/v2/auth?username=fake&factor=push&device=XXXXXXXXXXXXXXXXXXXX

I’m still getting this error, and I’m failing to see why, despite getting a valid signature for preauth and following the documentation as necessary.

Any help would be great.

I’m a fool.
I found the answer to my own problem.
The preauth call only has 1 parameter.
Because the auth call requires multiple parameters, they must be alphabetically sorted when generating the canonical string. This solved the issue completely.

It is not you who is the fool, but whoever developed this method without specifying it in the documentation. Please, UPDATE THE DOCUMENTATION. I got mad with this issue.

Thank you very much afarist. You probably saved my weekend! :wink:

I’m so happy to hear you were both able to find a solution to this error! I took a look at our documentation, and it seems like we may have this documented already in What are Duo’s API responses and error messages? in the Duo Knowledge Base.

“40103 Invalid signature in request credentials
EXPLANATION: The signature is formatted incorrectly.
RESOLUTION: Verify that the signature is encoded in hexadecimal ASCII; is using the correct HMAC-SHA1 signature as the password; lists parameters in alphabetical order.”

If you have any other suggestions or keywords we can use to make this knowledge more accessible to others in the future, please let us know and I’d be happy to take that feedback back to the team. Either way, I’m glad you were able to find a solution here on the Community based on @afarist's response. Best of luck with everything!

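The signing behaviour discussed in this thread, as an added example that is not code from any of the posters or from Duo: it builds the five-line canonical string, signs it with HMAC-SHA1, and shows why an unsorted parameter list still verifies for the one-parameter preauth call but not for auth. The key, secret, host and function names are constructed placeholders, and the percent-encoding step is an assumption that follows Duo's published request-signing format.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials and host, not real values.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = b"constructed-secret-key-for-demo-only"
HOST = "api-example.invalid"


def canonical_params(params, sort=True):
    """Percent-encode each pair and join with '&'; the server expects keys sorted."""
    items = sorted(params.items()) if sort else list(params.items())
    return "&".join(f"{quote(k, safe='~')}={quote(v, safe='~')}" for k, v in items)


def canonical_request(date, method, host, path, params, sort=True):
    """Five lines: date, METHOD, host, path, parameter string."""
    return "\n".join([date, method.upper(), host.lower(), path,
                      canonical_params(params, sort)])


def sign(canon, skey=SKEY):
    """HMAC-SHA1 over the canonical string, returned as hexadecimal ASCII."""
    return hmac.new(skey, canon.encode("utf-8"), hashlib.sha1).hexdigest()


def basic_auth_header(ikey, signature):
    """Integration key is the Basic auth username, the hex signature the password."""
    token = base64.b64encode(f"{ikey}:{signature}".encode()).decode()
    return f"Basic {token}"


DATE = "Tue, 15 Dec 2020 13:27:23 -0500"
# Insertion order mirrors the canonical string in the post: username, factor, device.
AUTH_PARAMS = {"username": "fake", "factor": "push", "device": "XXXXXXXXXXXXXXXXXXXX"}
PREAUTH_PARAMS = {"username": "fake"}

if __name__ == "__main__":
    for label, path, params in [("preauth", "/auth/v2/preauth", PREAUTH_PARAMS),
                                ("auth", "/auth/v2/auth", AUTH_PARAMS)]:
        as_posted = sign(canonical_request(DATE, "POST", HOST, path, params, sort=False))
        expected = sign(canonical_request(DATE, "POST", HOST, path, params, sort=True))
        print(f"{label}: unsorted signature matches sorted = {as_posted == expected}")
    print(basic_auth_header(IKEY, sign(canonical_request(
        DATE, "POST", HOST, "/auth/v2/auth", AUTH_PARAMS))))
```

The parameter order in the signed string is independent of the order in the URL or body, so sorting only needs to happen inside the signing routine.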