topic Re: HTTP XMLAPI Authentication Problem in Webex for Developers

HTTP XMLAPI Authentication Problem

Lenard.Valdez — Fri, 08 Apr 2022 00:32:14 GMT

Hello I'm not really a Cisco Developer, rather I am tasked to integrate Cisco's Webx to ServiceNow. So far CUCM and RISPort70 has been a breeze to connect and get the information we need, but Endpoints using session based login is causing some confusion.

According to Collaboration Endpoint Software 9.15 to set the session is to get the SessionId but http://<ip-address>/
xmlapi/session/begin responds with SecureClientId in the headers.

I tried both just getting the SecureClientId value and just plugging it on SessionID and straight up using SecureClientID for the Cookie header but I still end up with a 401

Re: HTTP XMLAPI Authentication Problem

Raffaele Lagana — Fri, 08 Apr 2022 09:03:22 GMT

Hello, the sessionId should be part of the Set-Cookie Response Header, do you see it there?

Would look something like: "Set-Cookie: SessionId=f08102c8ce5aaf8fba23a7238
cc2ef464b990e18bfbb7fb048820c0e28955c54; Path=/;
HttpOnly"

Re: HTTP XMLAPI Authentication Problem

Lenard.Valdez — Sat, 09 Apr 2022 13:21:11 GMT

Hello, That's what I expect to see from the response right? But the value of Set-Cookie starts with SessionClientId not SessionId

here's my request (obscured some data for security)

POST /xmlapi/session/begin HTTP/1.1
Host: 10.102.XXX.XX
Authorization: Basic <base64>

here's a response header from 2days ago.(obscured some data for security)

{"Referrer-Policy":["same-origin"],"X-Frame-Options":["SAMEORIGIN"],"Server":["nginx"],"Cache-Control":["no-cache, no-store"],"X-Content-Type-Options":["nosniff"],"Content-Security-Policy":["base-uri 'self'; form-action 'self'; frame-ancestors 'self'; block-all-mixed-content","default-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self' data:"],"Connection":["keep-alive"],"Set-Cookie":["SecureClientId=95cc7c01962fa97207b41614251d57d5140000e686088d0dd1ea21c9f62cXXXX; Path=/web; HttpOnly; secure"],"X-XSS-Protection":["1; mode=block"],"Date":["Thu, 07 Apr 2022 11:05:40 GMT"]}

Re: HTTP XMLAPI Authentication Problem

Raffaele Lagana — Tue, 12 Apr 2022 16:38:59 GMT

Ok thanks, just to be sure was the token that's used here one which was authenticated by an admin?

Re: HTTP XMLAPI Authentication Problem

Lenard.Valdez — Wed, 13 Apr 2022 00:55:33 GMT

I'm not really sure, they only gave the username/password credentials. weird thing is when we use postman its returning SecureSessionId and it works using this when using it for other api calls.

I only copy pasted the code generated by postman for a quick test but we're still getting SessionClientId

Re: HTTP XMLAPI Authentication Problem

Mike Palkovich — Wed, 13 Apr 2022 17:26:48 GMT

Could you share the code you are using to make this post request outside of postman? We have been trying to duplicate this but have not been able to so far.

One strange thing about the response you are receiving is that its showing the path was set to /web (Path=/web) instead of "/xmlapi/session/begin". I only see this /web path when i try to make a request to the host device without any url path, in that case it does a redirect to /web first.

Also could you confirm if you are being redirected (HTTP 302)to the HTTPS url when testing in postman?