Duo Auth API Missing request timestamp with Postman

Thomas_DeJesus · November 11, 2022, 6:13pm

I’m attempting to test the Auth API in postman but only ping is working. all other requests fail with the message: Missing request timestamp. found some good info here: https://community.duo.com/t/preauth-api-failing-but-check-and-ping-are-good/3125

but nothing related to this error. I’d like to use the API to manage prompts and enrollment. I can provide any additional info needed to resolve this.

DuoKristina · November 14, 2022, 4:07pm

How is your Postman prerequest script inserting the timestamp?

Here’s a good thread to read through: Preauth API failing but check and ping are good - #16 by Sushmita_Saha (ope I just realized it’s the same thread you linked).

Thomas_DeJesus · November 14, 2022, 5:53pm

Actually, I’m thinking I just do not understand the API usage at all. We use SimpleSAMLphp as our SAML IDP and we need a way to integrate Duo into it. The Web SDK seems difficult, so the API seemed like a good choice. check to see if enrolled, if not prompt them. my Pre-request script looks like this:

function getAuthHeader(httpMethod, requestUrl, requestBody) { console.log(requestBody); //body data console.log(httpMethod); // http type: POST, GET, ETC

var CLIENT_KEY = ‘Auth API Integration Key’;

var SECRET_KEY = ‘Auth API Secret Key’;

var AUTH_TYPE = ‘HMAC-SHA1’;

var moment = require(‘moment’)

//const moment= require(‘moment’);

/* Uncomment out lines below to use your test for getting correct formatted time and date */

var timestamp = moment().format(“ddd, DD MMM YYYY HH:mm:ss ZZ”);

pm.environment.set(“timestampHeader”,timestamp);

//var timestamp = “Tue, 21 Aug 2012 17:29:18 -0600”; /* Only for example */

//pm.environment.set(“timestampHeader”,timestamp);

var hostname = “YYY-XXXXXXXX.duosecurity.com”;

var apicall = “/auth/v2/auth”

var body = “username=root” //sample username

var requestData = timestamp+“\n”+“POST”+“\n”+hostname+“\n”+apicall+“\n”+body;

console.log(requestData);

var hmacDigest = CryptoJS.HmacSHA1(requestData, SECRET_KEY);

console.log(hmacDigest);

var prebase = CLIENT_KEY+“:”+hmacDigest;

console.log(prebase);

var baseComplete = btoa(prebase);

console.log(baseComplete);

var authHeader = "Basic "+baseComplete;

return authHeader;

}

postman.setEnvironmentVariable(‘hmacAuthHeader’, getAuthHeader(request[‘method’], request[‘url’], request[‘data’]));

My response is always:

{
“code”: 40103,
“message”: “Invalid signature in request credentials”,
“stat”: “FAIL”
}

I’m not even certain Anything I am doing is correct here.

scottsalyer · November 15, 2022, 7:57pm

I was running into this same issue with the /auth/v2/check API call. It took a lot of fiddling, but the two things that solved it for me were:

Time zone offsets seem to cause problems. Changing mine to -0000 (since my date was set via DateTime.UtcNow C#) enabled the samples from Duo to work.
Make sure in the header of your API call you use the exact same date (including with the -0000). Additionally, Duo’s documentation said to call this parameter date, but their samples actually called it X-Duo-Date.

I spent a few hours trying to sort that out when their samples didn’t work out of the box, but after a lot of fiddling these two changes seem to take care of my issue with this same error.

Hope that helps!

Apoorva_Anne · April 24, 2023, 8:42pm

Hi Scott - Can you explain clearly how you achieved this, I am trying to use the same script but seeing the error
code": 40103,
“message”: “Invalid signature in request credentials”,
“stat”: "FAIL