APIKey usage - Unauthorized response

lai · April 24, 2017, 12:05pm

Hi Mythz,

I’m trying to wrap my head around authorisation using an ApiKey/Jwt following the documentation online.

I have a Service Stack service that I want to get access to from one of our websites both of which are currently running in IISExpress in development.

This is the code that I’m calling from our website to access the Service Stack Service.

    var apiKey = "{from the apikey table}";
    var url = ConfigurationManager.AppSettings.Get(AppSettingConstants.ServiceStack.ServiceStackUrl);

    var authClient = new JsonServiceClient(url)
    {
        Credentials = new NetworkCredential(apiKey, "")
    };

    var jwtToken = authClient.Send(new Authenticate()).BearerToken;

Calling this however I keep getting an 401 Unauthorised response. Is there anything else I need to do to get this to work? I’ve tried running this with postman and get the 401 Unauthorized, with the following

Access-Control-Allow-Headers →Content-Type
Access-Control-Allow-Methods →GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin →*
Cache-Control →private
Content-Length →0
Date →Mon, 24 Apr 2017 14:38:07 GMT
Server →Microsoft-IIS/10.0
Vary →Accept
WWW-Authenticate →jwt realm="/auth/jwt"
X-AspNet-Version →4.0.30319
X-Powered-By →ServiceStack/4.58 Win32NT/.NET, ASP.NET
X-SourceFiles →=?UTF-8?B?QzpcRGV2XGFtYXpvblxyZW50YXByaXNlXFJlbnRhcHJpc2VcUmVudGFwcmlzZVxhdXRoZW50aWNhdGU=?=
X-Startup-Errors →1

This is the Service Stack Service configuration

        Plugins.Add(new AuthFeature(() => SessionFactory(), new IAuthProvider[]
        {
            new JwtAuthProvider(AppSettings) {AuthKeyBase64 = ConfigurationManager.AppSettings.Get(AppSettingConstants.ServiceStack.Jwt)},
new ApiKeyAuthProvider(AppSettings)
            new CredentialsAuthProvider(),        //HTML Form post of UserName/Password credentials
            new BasicAuthProvider(),                    //Sign-in with HTTP Basic Auth
           
        }));

mythz · April 24, 2017, 3:08pm

You should be able to access a JWT Token using an API Key. The HTTP Headers suggests you have an Exception on Startup which is likely causing an incomplete registration.

Add ?debug=requestinfo in your /pathinfo in DebugMode and ServiceStack will return a dump of all the HTTP Request parameters including info on your Startup error.

lai · April 24, 2017, 5:11pm

Hi,
I have resolved the error, but still getting 401 unauthorised.
Can you suggest other things I may need to check? I can access other service methods like register etc but not authenticate.

mythz · April 24, 2017, 5:31pm

nothing stands out from the Auth Configuration provided other than the compile-time error of ApiKeyAuthProvider not having a , suffix:

new ApiKeyAuthProvider(AppSettings)

Is your Auth Repository correctly configured? and the API Key refers to a valid user in your Auth Repo?

Can you change your authClient to:

var authClient = new JsonServiceClient(url) {
    BearerToken = apiKey    
};

Or move new ApiKeyAuthProvider(AppSettings) registration to be the first IAuthProvider registered.

Otherwise if it doesn’t help can you provide the full HTTP Request and Response Headers when calling the Service using the JsonServiceClient using something like Fiddler or WireShark.

lai · April 24, 2017, 10:44pm

Thanks for the suggestions, it turns out that it was due to the ordering.

When initializing IAuthProvider to register JwtAuthProvider and the ApiKeyProvider the ApiKeyProvider has to be the first entered otherwise you will end up with the 401!