Solved: Re: WebEX URL API AT=LI call response- BadUsernameOrPassword

Stephen.slaughter · ‎03-08-2017

I am doing a POC of a WebEX integration with my company's CRM tool, and have been tinkering with the URL API WBS 27 that I found:

http://solutionpartnerdashboard.cisco.com/documents/4733862/4736679/URL+API+WBS+27+Ref+Guide.pdf

What I want to do for the POC is launch a Support Session (AT=SS) to make our CSRs' workflow more convenient. If I can get this working, then perhaps we can develop more functionality like scheduling future support sessions, etc from within our CRM.

But I am having an issue that is stalling this POC:

When I am not logged into our site's WebEX web UI, and I try to call the AT=LI command as follows, I get a BadUsernameOrPassword error message:

https://yourwebexhostedname.webex.com/yourWebExHostedName/p.php?AT=LI&WID=WebExID&PW=Password

Seems pretty straightforward that a bad username or password is causing this issue. What confuses me is that I am substituting the same username and password credentials that I use to login to the WebEX web application UI (our partner site's Meeting Center, Support Center, etc) for the WID and PW parameters in the API call.

I'm guessing that the WID is a different credential than my the username that I typically use to login to the web app?

Also, interestingly, if I log into our partner site's web app, and then try to issue the AT=SS command to launch a support session, I get bad a MissingOrInvalidCSRFToken message. So I did some digging and discovered that the API WBS current release is at version 31, and that WebEX implemented CSRF Tokens.

https://developer.cisco.com/fileMedia/download/3c228b4b-3423-4058-96c0-5608068d52e0

So I don't know if these tokens are somehow related to my login failure, but I think, probably not. I'm guessing that a token is returned in the URL after a successful login...

I cannot find the URL API WBS 31 Reference Guide, btw. Can anyone point me to where this is located on the web?

Any pointers y'all can give me to resolve the BadUsernameOrPassword issue would be much appreciated.

-sws

ryanhunt · ‎03-08-2017

Credentials are no longer permitted to be included in the URL for security reasons anymore, this data must be transmitted via HTTP Form Post as opposed to HTTP GET.

For more information on these changes, please read this blog post: Recent URL API Changes - Get2Post

However its strongly encouraged for all new integrations to use the WebEx XML API as its far more feature complete and robust, the WebEx URL API is a legacy API and is used mostly for minimal integrations.

View solution in original post

ryanhunt · ‎03-08-2017

Credentials are no longer permitted to be included in the URL for security reasons anymore, this data must be transmitted via HTTP Form Post as opposed to HTTP GET.

For more information on these changes, please read this blog post: Recent URL API Changes - Get2Post

However its strongly encouraged for all new integrations to use the WebEx XML API as its far more feature complete and robust, the WebEx URL API is a legacy API and is used mostly for minimal integrations.

Stephen.slaughter · ‎03-14-2017

Thanks for the update, Ryan.

I was able to successfully login by first issuing the getLoginurlUser XML API method; this did return a 200-code success message and the login url complete with the ticket value substitute for the password.

My current problem is trying to append a subsequent URL API method AT=SS, so that I can immediately start a support session when called.

I tried using the following call (with my credentials, ticket, and token values obfuscated):

https://MyPartnerSite.webex.com/MyPartnerSite/p.php?AT=LI&FN=myfirstname&LN=mysurname&EM=firstname.surname@xx.com&WID=MyWID&TK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&MU=GoBack&BU=https://MyPartnerSite.webex.com/MyPartnerSite/p.php?AT=SS Site/p.php?AT=LI&FN=myfirstname&LN=mysurname&EM=firstname.surname@xx.com&WID=MyWID&TK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&MU=GoBack&BU=https://MyPartnerSite.webex.com/MyPartnerSite/m.php?AT=SS

Here's what I got back: https://MyPartnerSite.webex.com/MyPartnerSite/p.php?AT=SS&AT=LI&WID=MyWID&ST=SUCCESS&CSRF=xxxxxxx

But this just shows a blank page, the support session does not launch, as expected.

What am I missing in my AT=SS call? Reading through the WBS 27 Reference Guide, all of the other parameters appear to be optional, so not sure what is missing. Do I need to issue the login URL API command first, grab the CSRF token, and then make a separate call using the AT=SS API command?

I noticed that you strongly suggest that I use the XML API instead of the URL API. Is there any XML API method equivalent to the AT=SS URL API call?

Thanks,

Stephen

Stephen.slaughter · ‎03-14-2017

So I found this document which describes the following pseudocode:

// step 1 call the login page

call p.php?AT=LI to login webex site (including T29,T30,T31)

// step 2 parse the response

parse API response ("CSRF=" will be returned if exists) to get CSRF token value

// step 3 evaluate the response

if(value is not empty) {

CSRF = xxx;

}

else {

CSRF = "";

}

//For T31 it is not empty, others are empty

// step 4 implement logic for the case where CSRF is not empty

call other public URLAPIs listed in the table and always append CSRF param, just like this m.php?AT=LM&CSRF=

Using a REST client, I issued the getLoginurlUser XML API method and got the following URL response:

https://MyPartnerSite.webex.com/MyPartnerSite/p.php?AT=LI&FN=myfirstname&LN=mysurname&EM=firstname.surname@xx.com&WID=MyWID&TK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&MU=GoBack&BU=https://MyPartnerSite.webex.com/MyPartnerSite/p.php?AT=SS Site/p.php?AT=LI&FN=myfirstname&LN=mysurname&EM=firstname.surname@xx.com&WID=MyWID&TK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&MU=GoBack&BU

I entered this URL into the address bar of my browser, and got back the CSRF token.

Then I tried the following command as per step 4 above:

http://MyPartnerSite.webex.com/MyPartnerSite/m.php?AT=SS&CSRF=xxxxxxx

But I got back an RS=UnknownATCommand response.

Has the AT=SS command been deprecated in the URL AP? If so, how can I immediately launch a Support Session?

ryanhunt · ‎03-14-2017

The WebEx XML API allows you to start a Support Session with the CreateSupportSession command, this will return a SessionKey which you can use to to call a GetjoinurlMeeting to return a URL for the client..

Again, its not advisable to use the WebEx URL API for any new integrations; you can accomplish all this with the WebEx XML API and not need to handle CSRF or posting elements.

Stephen.slaughter · ‎03-14-2017

Ryan, thanks for the insight. What I wanted to do is launch the support session as the host, and I am able to do this using the CreateSupportSession and GethosturlMeeting method. This works perfect for me.

Do you happen to know how to capture the session

Thanks for your help, man!

Cheers,

Stephen

ryanhunt · ‎03-15-2017

I believe your Account Rep can toggle a setting on your site that will force recording of all sessions, the API's offer no means for enforcing session recordings.. just enabling/disabling the option, which would still require the host to manually activate.