cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1485
Views
14
Helpful
3
Replies
Highlighted
Beginner

Cisco PSIRT openVuln API oauth2 Token "Not Authorized"

Greetings,

I am currently attempting to gain access to the PSIRT openVuln API and am following along with the "Getting Started" directions. So far, I have registered an application for "Cisco PSIRT openVuln API" using my CCO ID with the Grant Type: "Client Credentials".  My application has a Status of "active" and I have a corresponding Client ID and Client Secret.


I am currently having issues with getting a valid access_token (step 3) and would like to know if I am using the correct methodology.


Via Postman:

My GET request is: https://api.cisco.com/security/advisories/cvrf/all (as specified in the API)

Under the "Authorization" tab, I have set my Type to "OAuth 2.0" and clicked "Get New Access Token"

When I send the request I get back:

     <h1>Not Authorized</h1>

I have also gone through the Curl walk-through posted by Omar, however this also did not work even when running it in Postman as recommended by Bradley here.

my command: curl -s -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "client_id=<client_id>" -d "client_secret=<client_secret>" -d "grant_type=client_credentials" https://cloudsso.cisco.com/as/token.oauth2

(I get no response from this)

Am I using the wrong URLs or even going about this in an entirely wrong manner?

Thank you for your time.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Re: Cisco PSIRT openVuln API oauth2 Token "Not Authorized"

UPDATE: SOLVED

With the help of Cisco's Jason Smith, I was able to issue a valid request via both Postman and Curl. The missing piece was to take the access_token (as produced via Omar's method) as well as the token_type and set them as an 'Authorization' header field as well as providing an 'Accept' header.

More explicitly:

Postman:

1. Get access_token following the steps Omar laid out.

2. Do not click 'Use Token' instead go to the 'Headers' Tab in Postman and set the following:

     Key: Authorization          Value: Bearer <access_token>

     Key: Accept                    Value: application/json

3. Hit 'Send' and watch the magic happen

Curl:

The issue I was having with getting the token had to do with my proxy settings. Ensure you are first doing:

$ export  https_proxy=<https_host>:<port>

Then you can issue your access token request:

$ curl -s -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "client_id=<client_id>" -d "client_secret=<client_secret>" -d "grant_type=client_credentials" https://cloudsso.cisco.com/as/token.oauth2

Then when you get the response, you should have an access token and a token type so using these do:

$ curl -X GET -s -k -H "Accept: application/json" -H "Authorization: <token_type> <access_token>" https://api.cisco.com/security/advisories/cvrf/all

Thank you again to Jason Smith for this solution!

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

Re: Cisco PSIRT openVuln API oauth2 Token "Not Authorized"

Hi Lukas,

The following are my settings in Postman:

Screen Shot 2017-08-01 at 3.04.18 PM.png

Then you should see the new token, as shown below:

Screen Shot 2017-08-01 at 3.06.32 PM.png

I have the sample curl and others at:

https://github.com/CiscoPSIRT/openVulnAPI/tree/master/example_code

It does seem that you have the correct URL. If this doest not work, try to register "another application" and try the new client credentials. Please let me know if you don't get it to work and glad to help you more.

Cheers,

Omar

Highlighted
Beginner

Re: Cisco PSIRT openVuln API oauth2 Token "Not Authorized"

Hi Omar,

Thank you for your prompt and informative response! Unfortunately, my issue persists. I went ahead and registered "another application" and documented the procedure I followed below:

Registering Application:

Registering.jpg


Validating Existence:

Applications.jpg

Postman Access Token Settings:

AccessToken.jpg

Postman Execution/Response:

Response.jpg

I additionally looked at your Git and followed the Curl example and received no response:

Curl.jpg

I would greatly appreciate any more help you are able to offer! Please let me know if you need any additional information.


Thank you for your time.


Best,

Lukas

Highlighted
Beginner

Re: Cisco PSIRT openVuln API oauth2 Token "Not Authorized"

UPDATE: SOLVED

With the help of Cisco's Jason Smith, I was able to issue a valid request via both Postman and Curl. The missing piece was to take the access_token (as produced via Omar's method) as well as the token_type and set them as an 'Authorization' header field as well as providing an 'Accept' header.

More explicitly:

Postman:

1. Get access_token following the steps Omar laid out.

2. Do not click 'Use Token' instead go to the 'Headers' Tab in Postman and set the following:

     Key: Authorization          Value: Bearer <access_token>

     Key: Accept                    Value: application/json

3. Hit 'Send' and watch the magic happen

Curl:

The issue I was having with getting the token had to do with my proxy settings. Ensure you are first doing:

$ export  https_proxy=<https_host>:<port>

Then you can issue your access token request:

$ curl -s -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "client_id=<client_id>" -d "client_secret=<client_secret>" -d "grant_type=client_credentials" https://cloudsso.cisco.com/as/token.oauth2

Then when you get the response, you should have an access token and a token type so using these do:

$ curl -X GET -s -k -H "Accept: application/json" -H "Authorization: <token_type> <access_token>" https://api.cisco.com/security/advisories/cvrf/all

Thank you again to Jason Smith for this solution!

View solution in original post

CreatePlease to create content