https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881601#M374 <DIV class="duo-migrated-content"><P>Because if its the sample code (“sign” function) that is incorrect then this would explain why this isn’t working for me in my production instance also…</P></DIV> Tue, 22 Jan 2019 15:56:45 GMT Vince4 2019-01-22T15:56:45Z https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881598#M371 <DIV class="duo-migrated-content"><P>I am trying to use the Admin API.<BR /> I’m being told my Authorization signature is invalid with a HTTP 401 response code (“Invalid signature in request credentials” - 40103 to be precise).</P> <P>The trouble is I’m following the guidance in the documentation here: <A href="https://duo.com/docs/adminapi#authentication" class="inline-onebox" rel="nofollow noopener">Duo Admin API | Duo Security</A><BR /> … including using the same signing function, and the same sample data - but not getting the same signature back!</P> <P>Is there anyone out there who’s got this working, and who can advise what I’m doing wrong?</P> <P>Here’s my sample Python code - this doesn’t touch the API, but just calculates the Authorization signature based on the values in the example:</P> <PRE><CODE>###################################################### import base64 from email import utils import hmac import hashlib import urllib import logging import sys import os log = logging.getLogger(__name__) out_hdlr = logging.StreamHandler(sys.stdout) out_hdlr.setFormatter(logging.Formatter('%(asctime)s ' + os.path.basename(__file__) + ': %(message)s')) out_hdlr.setLevel(logging.INFO) log.addHandler(out_hdlr) log.setLevel(logging.INFO) def sign(method, host, path, params, skey, ikey): """ Return HTTP Basic Authentication ("Authorization" and "Date") headers. method, host, path: strings from request params: dict of request parameters skey: secret key ikey: integration key """ # create canonical string #now = utils.formatdate() now = "Tue, 21 Aug 2012 17:29:18 -0000" log.debug(now) canon = [now, method.upper(), host.lower(), path] args = [] for key in sorted(params.keys()): val = params[key] if isinstance(val, unicode): val = val.encode("utf-8") args.append('%s=%s' % (urllib.quote(key, '~'), urllib.quote(val, '~'))) canon.append('&amp;'.join(args)) canon = '\n'.join(canon) log.info("Outputting canonical form of data to be signed") log.info(canon) # sign canonical string sig = hmac.new(skey, canon, hashlib.sha1) auth = '%s:%s' % (ikey, sig.hexdigest()) # return headers return {'Date': now, 'Authorization': 'Basic %s' % base64.b64encode(auth)} log.info("Starting Duo log retrieval") params={"realname": "First Last", "username": "root"} headers=sign(method="POST", host="api-xxxxxxxx.duosecurity.com", path="/admin/v1/users", params=params, skey="Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep", ikey="DIWJ8X6AEYOR5OMC6TQ1") log.info("Outputting headers") log.info(headers) #Gives output like: # # Starting Duo log retrieval # # Outputting canonical form of data to be signed # Tue, 21 Aug 2012 17:29:18 -0000 # POST # ■■■■ &lt;- the correct host goes here, this has been obfuscated by Duo's Community forum # /admin/v1/users # realname=First%20Last&amp;username=root # # Outputting headers # {'Date': 'Tue, 21 Aug 2012 17:29:18 -0000', 'Authorization': 'Basic RElXSjhYNkFFWU9SNU9NQzZUUTE6YzFlZjQzNzY3YzNlYjNiMzI1OGRiZGRjYTZmOGQwOTQxZTA4NWI5Mg=='} # THIS DOES NOT MATCH ONLINE EXAMPLE at https://duo.com/docs/adminapi#authentication # Apparently Authorization should be RElXSjhYNkFFWU9SNU9NQzZUUTE6MmQ5N2Q2MTY2MzE5NzgxYjVhM2EwN2FmMzlkMzY2ZjQ5MTIzNGVkYw== ######################################################</CODE></PRE></DIV> Tue, 22 Jan 2019 11:20:06 GMT https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881598#M371 Vince4 2019-01-22T11:20:06Z https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881599#M372 <DIV class="duo-migrated-content"><P>That signature example value is not right. We will get that fixed. Go ahead and actually test your code against Duo, ignoring the example value.</P></DIV> Tue, 22 Jan 2019 15:18:31 GMT https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881599#M372 DuoKristina 2019-01-22T15:18:31Z https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881600#M373 <DIV class="duo-migrated-content"><P>Thanks for the response Kristina.</P> <P>That’s unfortunate regarding the example being wrong - is my value correct then?</P></DIV> Tue, 22 Jan 2019 15:31:57 GMT https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881600#M373 Vince4 2019-01-22T15:31:57Z https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881601#M374 <DIV class="duo-migrated-content"><P>Because if its the sample code (“sign” function) that is incorrect then this would explain why this isn’t working for me in my production instance also…</P></DIV> Tue, 22 Jan 2019 15:56:45 GMT https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881601#M374 Vince4 2019-01-22T15:56:45Z https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881602#M375 <DIV class="duo-migrated-content"><P>So is the example on <A href="https://duo.com/docs/authapi#-api-details" class="inline-onebox" rel="nofollow noopener">Auth API | Duo Security</A> correct now?</P></DIV> Wed, 12 Jun 2019 20:40:25 GMT https://community.cisco.com/t5/apis/authorization-signature-for-api-requests/m-p/4881602#M375 alexhaberer 2019-06-12T20:40:25Z