Ambiguous Authentication in the Netsuite Token Based API
I am trying to make SOAP calls to the Netsuite API using token based authentication. I have a C # client that is generated from WDSL and it sends the following request (with secrets replaced).
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:messages_2016_2.platform.webservices.netsuite.com" xmlns:urn1="urn:core_2016_2.platform.webservices.netsuite.com">
<soapenv:Header>
<urn:partnerInfo>
<urn:partnerId>[MyAccountId]</urn:partnerId>
</urn:partnerInfo>
<urn:applicationInfo>
<urn:applicationId>[MyApplicationId]</urn:applicationId>
</urn:applicationInfo>
<urn:tokenPassport>
<urn1:account>[MyAccountId]</urn1:account>
<urn1:consumerKey>[MyConsumerKey]</urn1:consumerKey>
<urn1:token>[MyTokenId]</urn1:token>
<urn1:nonce>1574515852</urn1:nonce>
<urn1:timestamp>1499135589</urn1:timestamp>
<urn1:signature algorithm="HMAC-SHA1">Ll8DbLvTWsBh/G7UtenErR03OrM=</urn1:signature>
</urn:tokenPassport>
</soapenv:Header>
<soapenv:Body>
<urn:getDataCenterUrls>
<urn:account>[MyAccountId]</urn:account>
</urn:getDataCenterUrls>
</soapenv:Body>
</soapenv:Envelope>
I am getting the following response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server.userException</faultcode>
<faultstring>Ambiguous authentication</faultstring>
<detail>
<platformFaults:invalidCredentialsFault xmlns:platformFaults="urn:faults_2016_2.platform.webservices.netsuite.com">
<platformFaults:code>USER_ERROR</platformFaults:code>
<platformFaults:message>Ambiguous authentication</platformFaults:message>
</platformFaults:invalidCredentialsFault>
<ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">partners-java20004.sea.netledger.com</ns1:hostname>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
I tried many different ways to generate signature, nonce and timestamp. I currently have the following:
private string computeNonce()
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] data = new byte[20];
rng.GetBytes(data);
int value = Math.Abs(BitConverter.ToInt32(data, 0));
return value.ToString();
}
private long computeTimestamp()
{
return ((long)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds);
}
private TokenPassportSignature computeSignature(string accountId, string consumerKey, string consumerSecret, string tokenId, string tokenSecret, string nonce, long timestamp)
{
string baseString = accountId + "&" + consumerKey + "&" + tokenId + "&" + nonce + "&" + timestamp;
string key = consumerSecret + "&" + tokenSecret;
string signature = "";
var encoding = new System.Text.ASCIIEncoding();
byte[] keyBytes = encoding.GetBytes(key);
byte[] baseStringBytes = encoding.GetBytes(baseString);
using (var hmacSha1 = new HMACSHA1(keyBytes))
{
byte[] hashBaseString = hmacSha1.ComputeHash(baseStringBytes);
signature = Convert.ToBase64String(hashBaseString);
}
TokenPassportSignature sign = new TokenPassportSignature();
sign.algorithm = "HMAC-SHA1";
sign.Value = signature;
return sign;
}
Does anyone have any ideas? Thank!
+3
source to share
5 answers
I don't know how this is done in C # with HMAC-SHA1, but in Javascript with CryptoJS HMAC-SHA256 you sign the string first and then Base64-encode it:
var baseString = ACCOUNT_ID + "&" + NETSUITE_CONSUMER_KEY + "&" + NETSUITE_TOKEN_ID + "&" + NONCE + "&" + TIMESTAMP;
var key = NETSUITE_CONSUMER_SECRET + '&' + NETSUITE_TOKEN_SECRET;
var HMAC256_Sig = cryptoJS.HmacSHA256(baseString, key);
var HMAC256_Sig_Base64 = cryptoJS.enc.Base64.stringify(HMAC256_Sig);
Then you output it like this:
'<platformCore:signature algorithm = "HMAC_SHA256">' + HMAC256_Sig_Base64 + '</platformCore:signature>'
0
source to share
I know this is an old question, but I was struggling with the same problem and found a working solution.
private static void CreateTokenPassport()
{
// Initialize the netsuite web service proxy.
_netSuiteService = new NetSuiteService();
// A valid Token passport signature consists of the following:
// Create a base string.
// The base string is variable created from concatenating a series of values specific to the request.Use an ampersand as a delimiter between values.
// The values should be arranged in the following sequence:
// NetSuite account ID
// Consumer key
// Token
// Nonce(a unique, randomly generated alphanumeric string, with a minimum of six characters and maximum of 64)
// Timestamp
// See: https://system.na1.netsuite.com/app/help/helpcenter.nl?fid=section_4395630653.html#bridgehead_4398049137
string consumerSecret = "";
string tokenSecret = "";
string accountId = "";
string consumerKey = "";
string tokenId = "";
string nonce = ComputeNonce();
long timestamp = ComputeTimestamp();
string baseString = string.Format("{0}&{1}&{2}&{3}&{4}", accountId, consumerKey, tokenId, nonce, timestamp);
string secretKey = string.Format("{0}&{1}", consumerSecret, tokenSecret);
// Initialize the keyed hash object using the secret key as the key
HMACSHA256 hashObject = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey));
// Computes the signature by hashing the data with the secret key as the key
byte[] signature = hashObject.ComputeHash(Encoding.UTF8.GetBytes(baseString));
// Base 64 Encode
string encodedSignature = Convert.ToBase64String(signature);
TokenPassport tokenPassport = new TokenPassport
{
signature = new TokenPassportSignature
{
Value = encodedSignature,
algorithm = "HMAC_SHA256"
},
account = accountId,
consumerKey = consumerKey,
token = tokenId,
nonce = nonce,
timestamp = timestamp
};
_netSuiteService = new NetSuiteService
{
tokenPassport = tokenPassport
};
}
Useful methods:
private static string ComputeNonce()
{
return Guid.NewGuid().ToString("N");
}
private static long ComputeTimestamp()
{
return ((long)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds);
}
0
source to share