Submit and vote on feature ideas.

Welcome to the new Parasoft forums! We hope you will enjoy the site and try out some of the new features, like sharing an idea you may have for one of our products or following a category.

Testing 3rd Party JSON app with security issues

callie97
callie97 Posts: 12

I was able to find the json docs and load them into SOATest. When I try to run a test script, I get authorization errors. I have set up and tried different HTTP Authentication types and it still gives me the 401 error. I've used Swagger to open the json docs and was finally able to get them to run after finding the little blue box to turn on for authentication. I'm using the same username and password in SOATest 9.10, using the same api. I've set the security to NTLM, as the response with the authentication error (in swagger) shows the www-authenticate using "Negotiate, NTLM". I've set global and parents and all the different security options I can find to NTLM, with the username and password that works in Swagger and I keep getting 401, Unauthorized.

Any ideas?

Comments

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭

    Make sure you know for certain what kind of authentication is required. If you are confident it is NTLM then you must configure the NTLM settings in the tests's HTTP Options tab under HTTP Authentication. If you need to specify a domain, prefix the username with the domain name and a backslash (as in DOMAIN\username). Otherwise, maybe you have a typo or the service isn't really using NTLM. Please also verify you are using SOAtest 9.9.4 or later which added full support for NTLMv2. Older versions of SOAtest only worked with NTLMv1 and some less secure NTLMv2 configurations.

  • OmarR
    OmarR Posts: 233 admin
    edited July 2017

    Hey Callie97,

    Are you able to perform api operations through the browser?
    If you navigate to the swagger docs in a browser, do you receive a successful response from the API when you send a request?

    If you run your test using Basic authentication instead of NTLM, do you receive the same error?

  • callie97
    callie97 Posts: 12

    I'm using SOATest 9.10. I can run the API in Swagger using the authoization switch and the curl shows --header "Authorization: Bearer .
    In SOATest, I get the same 401: Unauthorized error if I use Basic or NTLM. I've been using the domain\userid format since this is on a different domain from our normal setup. I have Authentication set up on the parent Test Suite using NTLM and this seems to go away and I have to keep putting it back. I've set this also on the api I'm testing so it doesn't have to go back up to the parent level in case it doesn't stick after the save.

  • callie97
    callie97 Posts: 12

    If I try running directly in a browser, I get a login pop up and after filling in the domain\userid and password, I get the 401 not authorized message. Swagger is encoding the userid and password and sending that in the curl after Authorization: Bearer. Didn't show up in my reply above.

  • callie97
    callie97 Posts: 12

    Looks like it is using OAuth Authentication.

  • OmarR
    OmarR Posts: 233 admin

    Hello Callie97,

    Thanks for the feedback! Since we are dealing with OAuth, we will need to make a set-up call to retrieve the access token from your service. We can chain a databank to your set-up client to extract and store the required token in a variable. You could then parameterize the variable in the HTTP header field for your subsequent calls.

  • callie97
    callie97 Posts: 12

    I've been trying to follow the steps in the 9.10 User guide under HTTP 1.0 and I'm getting very confused. Is there another doc that has more detail or a video of this?
    Is this something that will need to be set up for each API or once it is working for one this can be used for all of them?

  • callie97
    callie97 Posts: 12

    It's actually using OAuth2 and I'm trying to pull the data from Swagger as I get authorization errors if I try to access the api's directly. Any documents on getting OAuth2 from swagger?

  • OmarR
    OmarR Posts: 233 admin
    edited July 2017

    I assume that you are generating your clients from swagger?

    The steps required to implement OAuth2 is slightly easier and should be provided in the Userguide under "Using OAuth 2.0". Admittedly, the steps provided in the userguide don't go into much detail about implementation, but once you have the initial test set up to retrieve the token, the same token will work for the subsequent clients. Try following the steps provided under "Using OAuth 2.0" and let us know if there is any specific step you are having trouble with.

  • callie97
    callie97 Posts: 12

    Got through the first step 'Request Authorization'. Since I am getting this from Swagger, the access_token and such are coming back in the HTTP Traffic from the Authorize step. Since it is the Traffic viewer, I'm going to have to capture the values using a different method than the Text Data Bank as I don't have a Request > Validate Header. The data is in the Response from Traffic. Not able to find the right tool to extract this data.

  • OmarR
    OmarR Posts: 233 admin
    edited July 2017

    You can still use the text databank or even a json or xml databank depending on the response payload. Ensure that you chain the databank as the output to the "Body" of the response. For example:

    This should populate your databank at runtime and allow you to extract the desired token.

  • callie97
    callie97 Posts: 12

    I got the text data bank set and now creating the REST Client. It is looking for the URL that has all the parameters. Do I need to merge the URL I used for the text bank with the Text Content of the Text Data Bank?
    I added the output to the test script step where I do the Authorize in swagger as that is the step that has the token in the HTTP Traffic Viewer.
    Steps I've taken
    Add New Test > REST Client
    Service Definition: None
    Method: Fixed GET
    URL: Fixed > ?????

  • OmarR
    OmarR Posts: 233 admin

    Now that you've extracted the authorization code from your service, you can parameterize the variable in your REST client URL to get the access token:

  • callie97
    callie97 Posts: 12

    The authorization code does not come back in any URL that I can put in the REST Client.
    Here is the Traffic Viewer from the Text Data Bank

    Here is the what I get in the Text Data Bank

    I had to get the authorization code out of Swagger and it didn't give me back the redirected callback URL from the Service Provider. I can only see the token in the Traffic Viewer and would like a way to grab this and not cut and paste it into a data source. These codes expire and we need to send it the token and the refresh code and a couple of other pieces to be able to run the API's.

  • OmarR
    OmarR Posts: 233 admin
    edited July 2017

    Since the token is being returned in a json payload, I would recommend using a json databank instead. Lets try this again....

    1) Add output

    2) Select Http traffic

    3) Select the appropriate browser request, for example:
    https://forumn.parasoft.com/parasoftAPI/token

    4) Select Response>Body and choose JSON databank

    5) Run the webscenario so that your json databank is populated.

    6) Once the JSON databank is populated, double-click the "access_token" to extract and store the value into a column name.

    7) The column name above will be used in your subsequent tests.

  • callie97
    callie97 Posts: 12

    Thank you so much for sticking with this issue. I am now able to get the codes out of the system.

  • sansachie
    sansachie Posts: 26

    Hi All,
    I tried the above steps to generate access token but i could not figure out why web browser playback was talked about. we are using OAuth 2.0 i have below data:
    AuthURL/AccessTokenURL
    client ID
    ClientSecret
    Scope
    GrantType
    payloadFormat: URL encoded

    with above data can someone let me know how i can generate access token in SOATest ?? i could easily generate one in POSTMAN with above data.

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭
    edited February 2018

    i could not figure out why web browser playback was talked about

    Often times a web page is used to provide a login form to exchange a request token for a verification code. The docs have some explanation and examples for both OAuth 1 and OAuth 2. See Using OAuth Authentication.

    payloadFormat: URL encoded

    Look at the heading "Obtain access token" in the section of the docs I referenced above. To post URL Encoded payload you can simply use the REST Client. On the Resource tab, select POST in the Method box and the desired URL. On the Payload tab, select URL Encoded in the Payload Format box. Under Input Mode, select Table. This table will let you add any parameters you require.

  • sansachie
    sansachie Posts: 26

    Hi @benken_parasoft , I have followed your steps and i have passed the data as below
    in Resource Tab, i have given URL and method as POST and did not pass any query parameter
    in Payload Tab, i have selected
    Payload Format : URL Encoded
    Content Type : application/x-www-form-urlencoded
    Input mode : Table and have passed client_id,client_secret,scope,grant_type along with their values.
    in HTTP options : HTTP headers as Content-Type and its value- application/x-www-form-urlencoded.

    I am getting blank response and in the error section i am seeing "OAuth parameters must either be 'scope' or start with 'oauth_'
    "
    Not where i am going wrong. Any clue?

  • sansachie
    sansachie Posts: 26

    URL i am sending is like https://website.com/as/token.oauth2

  • benken_parasoft
    benken_parasoft Posts: 1,228 ✭✭✭
    edited February 2018

    You seem to be describing an error that came back in a response from your oauth service. You are probably sending the wrong parameters or misconfigured your URL Encoded payload in some way. It might be helpful to review what you are sending with SOAtest vs what your other clients are sending so you can identify what's different or misconfigured.

    As a reference, section 4 of rfc6749 of the OAuth 2 spec describes the different kinds of token requests, which varies depending on the grant type. I'm not sure which of them you need offhand but I thought I'd point you here for reference: https://tools.ietf.org/html/rfc6749#section-4