topic Re: PSIRT OpenVuln API authentication issue in Services Discussions

PSIRT OpenVuln API authentication issue

chris.young — Tue, 16 Jul 2019 17:21:07 GMT

I am trying to use the openvulnquery python script and I am getting a 401. I also have been trying to use curl as shown in the documentation (https://community.cisco.com/t5/services-documents/accessing-the-cisco-psirt-openvuln-api-using-curl/ta-p/3652897) to test the credentials and this is not working either. I have registered two apps in the API console with client credentials. The python script is passing the credentials.

Is this service working for others? I am pretty sure I have this all setup correctly. Just not sure what is wrong. Any pointers?

Re: PSIRT OpenVuln API authentication issue

Seb Rupik — Tue, 16 Jul 2019 14:01:11 GMT

Hi there,

A quick test shows it is currently working in postman.

Can you share your python code which deals with creating the OpenVulnQueryClient object which manages the API connection.

You may also want to read this:

https://configif.wordpress.com/2019/07/12/interacting-with-cisco-apis/

cheers,

Seb.

Re: PSIRT OpenVuln API authentication issue

chris.young — Tue, 16 Jul 2019 15:33:31 GMT

Here is the curl I am using: (venv)chris.young@prdch3nix01 /home/networkteam/intermapper> curl -s -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "client_id=fx7ynshh8j4ud3f9zxpXXXXX" -d "client_secret=Y3ZA7BxmWsYsqsZNrcUXXXXX" -d "grant_type=client_credentials" https://cloudsso.cisco.com/as/token.oauth2
{"error_description":"Invalid client or client credentials","error":"invalid_client"} <- I obfuscated the client_id and secret. this is what I get

For python code - I am using the provided openvulnquery code from github and I have created a credentials.json file with the credentials and passed them as an argument. I also tried editing the config.py - neither worked.

(venv)chris.young@prdch3nix01 /home/networkteam/intermapper> openVulnQuery --config credentials.json --all
Traceback (most recent call last):
File "/home/networkteam/intermapper/venv/bin/openVulnQuery", line 11, in <module>
sys.exit(main())
File "/home/networkteam/intermapper/venv/lib/python3.4/site-packages/openVulnQuery/_library/main.py", line 58, in main
client = query_client.OpenVulnQueryClient(**client_cfg)
File "/home/networkteam/intermapper/venv/lib/python3.4/site-packages/openVulnQuery/_library/query_client.py", line 73, in __init__
client_id, client_secret, request_token_url=self.auth_url)
File "/home/networkteam/intermapper/venv/lib/python3.4/site-packages/openVulnQuery/_library/authorization.py", line 22, in get_oauth_token
r.raise_for_status()
File "/home/networkteam/intermapper/venv/lib/python3.4/site-packages/requests/models.py", line 909, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://cloudsso.cisco.com/as/token.oauth2?client_secret=Y3ZA7BxmWsYsqsZNrcUXXXXX&client_id=fx7ynshh8j4ud3f9zxpXXXXX

Re: PSIRT OpenVuln API authentication issue

chris.young — Tue, 16 Jul 2019 15:35:14 GMT

cat credentials.json
{
"CLIENT_ID": "fx7ynshh8j4ud3f9zxpXXXXX",
"CLIENT_SECRET": "Y3ZA7BxmWsYsqsZNrcUXXXXX"
}

Re: PSIRT OpenVuln API authentication issue

chris.young — Tue, 16 Jul 2019 15:43:58 GMT

Two different registered apps, two sets of credentials. Same result.

Re: PSIRT OpenVuln API authentication issue

chris.young — Tue, 16 Jul 2019 16:04:34 GMT

Seb,

I tested with your python script too!

Re: PSIRT OpenVuln API authentication issue

chris.young — Tue, 16 Jul 2019 16:37:51 GMT

API Console app settings

Re: PSIRT OpenVuln API authentication issue

Seb Rupik — Tue, 16 Jul 2019 20:22:00 GMT

Hi Chris,

I've got to hand it to you, your testing certainly is thorough!

I have just tried to create a new application at apiconsole.cisco.com for the PSIRT API, but the API is no longer available to me....thankfully I still have my old application registered so have retained access.

I can only suggest that you raise a support ticket with cisco as this appears to be some backend issue.

@Omar Santos can you shed any light on the status of the PSIRT API?

cheers,

Seb.

Re: PSIRT OpenVuln API authentication issue

Omar Santos — Thu, 18 Jul 2019 15:39:05 GMT

Hi @chris.young ,

I think that I have reproduced this problem and reported it to the API development team. They are looking into this now. I am expecting a resolution/answer today. I will provide an update here (once I get one) and I will contact you directly now to troubleshoot further.

Thanks!

Omar

Re: PSIRT OpenVuln API authentication issue

chris.young — Thu, 18 Jul 2019 18:58:43 GMT

@Omar Santos - thanks for your assistance!

Re: PSIRT OpenVuln API authentication issue

Omar Santos — Fri, 19 Jul 2019 02:32:37 GMT

I worked with the development team for both the PSIRT OpenVuln API and the Services API. We thought that we were able to reproduce your problem, but we are successful after many new registration of applications/client creds. Can you please try one more time to get new client credentials and or send me a direct message so that I can give you a couple to test?

Re: PSIRT OpenVuln API authentication issue

chris.young — Fri, 19 Jul 2019 17:14:48 GMT

@Omar Santos

Either something was fixed or third times the charm on registering apps.

The first two registrations did not work. The new one I created today worked!

Thanks @Omar Santos and @Seb Rupik for your assistance.