PROTOCOL: http-client HEADER Authorization: Bearer token length truncated

[Jorge Pichardo]

Cloverleaf 20.1.1.1 – I am having an issue conforming the HEADER of the request with the Bearer token. Seems that the string is truncated after 1024 chars in a keyed list after calling the GET { set res [httpget $queryList2] } in the TIME mode. The keyed list is properly set as far I can see. Of course, the response after executing the http GET verb is HTTP/1.1 403 Forbidden due to the truncation. The other params are read correctly as per http-client configuration fields.

Attached TCL snippet modified based on the “gc_httpClientQuery” provided by Infor samples.

Any guidance is really appreciated!

start {
# grab and store CFGS values for run/time mode —
# CFGS are only available in start mode.
keylget args CFGS cfgs
keylget cfgs URL url
keylget cfgs HEADERS headers

set udata {}
keylset udata Content-Type { application/json }
keylset udata Authorization { Bearer eyJraWQiOiJRMm9UdXZJRzlDRG5GeU5wbG9ndkowMUVA … }
set data “”
keylset queryList2 URL $url DATA $data HEADERS $udata DEBUG $debug
}

time {
# fetch the URL using the specified method
# the URL used will be taken from NetConfig
#echo QUERY $queryList
echo QUERY $queryList2

set term 0 ; set ctr 0

while { !$term && ($ctr <= 3) } {

keylget cfgs METHOD method
switch -exact — $method {
PUT { set res [httpput $cfgs] }
POST { set res [httppost $queryList] }
GET { set res [httpget $queryList2] }
}

echo RESPONSE: $res

GET { set res [httpget $queryList2] }

.
.
.
}

Topic

[Charlie Bursell]

Is it truncated when you execute “echo QUERY $queryList2”?
Make sure Bearer string does not contain spaces or unprintable characters.

[Jorge Pichardo]

The token doesn’t get truncated in the keyed list echo.

“giuqF7JywkbiA” from the response (echo RESPONSE: $res) is missing these chars for some reason. No white space seems present in the token string. $res holds output from GET { set res [httpget $queryList2] }

See engine log:

[tcl :out :INFO/0: Get_Bundle:01/04/2022 11:49:53] QUERY {URL https://ids-test-api.bchealthdev.ca/ids-ha-viha-test/} {DATA {}} {HEADERS {{Content-Type { application/json }} {Authorization { Bearer eyJraWQiOiJRMm9UdXZJRzlDRG5GeU5wbG9ndkowMUVPUllIXC9IZG1vaHNKMkx1RElIVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI3aGdnZm01M2l2dTdiOHJvMTdvdG0zZWY4OCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2lkcy10ZXN0LWFwaS5iY2hlYWx0aGRldi5jYVwvaWRzLWhhLXZpaGEtdGVzdFwvXC9kZWxldGUgaHR0cHM6XC9cL2lkcy10ZXN0LWFwaS5iY2hlYWx0aGRldi5jYVwvaWRzLWhhLXZpaGEtdGVzdFwvXC9yZWFkIiwiYXV0aF90aW1lIjoxNjQxMzI0MTI1LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuY2EtY2VudHJhbC0xLmFtYXpvbmF3cy5jb21cL2NhLWNlbnRyYWwtMV9YeHNCb3FjckgiLCJleHAiOjE2NDEzMjc3MjUsImlhdCI6MTY0MTMyNDEyNSwidmVyc2lvbiI6MiwianRpIjoiZjNmYmI4OWQtYjc0NS00NzZkLTkwMmYtZDExMzcxNGZhMGMyIiwiY2xpZW50X2lkIjoiN2hnZ2ZtNTNpdnU3YjhybzE3b3RtM2VmODgifQ.kM_e9J0yFq1ntFzrhZK7-85_cjxz53lBnFUzQ4Sl1RauKnSoeZh8uSLILyZ5PD9Mrv7eE5IkiTbDzK7qHRal44rPyvUUEUqdbmZp2TVO1XyoaLR26c7p-cx63a2SmWP1Rz5ZuTUcRSWXe8fq6DEC3YN2Zh-5XnK_gAGFFM50OPFQjEujL5hbFnJ8Of0FsxJAqyoIKmfoDtp0aGEvHD_aNsr0FFocU2jDsy_Bt76bt4DkBUA57Aa_RffzcDqA5IJreTJ95XK579OmH8_IMlyWPrN-q39yk5aC8vqscwv5x5MSIkHryGKfKG3-CBBrGUCffs8_dCNiDgiuqF7JywkbiA }}}} {DEBUG 1}
* Trying 3.98.47.57:443…
* Connected to ids-test-api.bchealthdev.ca (3.98.47.57) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.bchealthdev.ca
* start date: Sep 23 00:00:00 2021 GMT
* expire date: Oct 22 23:59:59 2022 GMT
* subjectAltName: host “ids-test-api.bchealthdev.ca” matched cert’s “*.bchealthdev.ca”
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET /ids-ha-viha-test/ HTTP/1.1
Host: ids-test-api.bchealthdev.ca
User-Agent: Quovadx CISAgent
Accept: */*
Authorization: Bearer eyJraWQiOiJRMm9UdXZJRzlDRG5GeU5wbG9ndkowMUVPUllIXC9IZG1vaHNKMkx1RElIVT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI3aGdnZm01M2l2dTdiOHJvMTdvdG0zZWY4OCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2lkcy10ZXN0LWFwaS5iY2hlYWx0aGRldi5jYVwvaWRzLWhhLXZpaGEtdGVzdFwvXC9kZWxldGUgaHR0cHM6XC9cL2lkcy10ZXN0LWFwaS5iY2hlYWx0aGRldi5jYVwvaWRzLWhhLXZpaGEtdGVzdFwvXC9yZWFkIiwiYXV0aF90aW1lIjoxNjQxMzI0MTI1LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuY2EtY2VudHJhbC0xLmFtYXpvbmF3cy5jb21cL2NhLWNlbnRyYWwtMV9YeHNCb3FjckgiLCJleHAiOjE2NDEzMjc3MjUsImlhdCI6MTY0MTMyNDEyNSwidmVyc2lvbiI6MiwianRpIjoiZjNmYmI4OWQtYjc0NS00NzZkLTkwMmYtZDExMzcxNGZhMGMyIiwiY2xpZW50X2lkIjoiN2hnZ2ZtNTNpdnU3YjhybzE3b3RtM2VmODgifQ.kM_e9J0yFq1ntFzrhZK7-85_cjxz53lBnFUzQ4Sl1RauKnSoeZh8uSLILyZ5PD9Mrv7eE5IkiTbDzK7qHRal44rPyvUUEUqdbmZp2TVO1XyoaLR26c7p-cx63a2SmWP1Rz5ZuTUcRSWXe8fq6DEC3YN2Zh-5XnK_gAGFFM50OPFQjEujL5hbFnJ8Of0FsxJAqyoIKmfoDtp0aGEvHD_aNsr0FFocU2jDsy_Bt76bt4DkBUA57Aa_RffzcDqA5IJreTJ95XK579OmH8_IMlyWPrN-q39yk5aC8vqscwv5x5MSIkHryGKfKG3-CBBrGUCffs8_dCNiD
From: anonymous@unknown.com
Connection: close

* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 04 Jan 2022 19:49:54 GMT
< Content-Type: application/json
< Content-Length: 27
< Connection: close
< x-amzn-RequestId: 64afbf95-c283-4ec5-84e7-561478096a61
< x-amzn-ErrorType: AccessDeniedException
< x-amz-apigw-id: Lb6zXHEoYosF4IQ=
< X-Amzn-Trace-Id: Root=1-61d4a4e2-201674cb5f9a661c03bd87bf
<
* Closing connection 0
[tcl :out :INFO/0: Get_Bundle:01/04/2022 11:49:54] RESPONSE: {STATUS {HTTP/1.1 403 Forbidden
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] }} {HEADERS {Date: Tue, 04 Jan 2022 19:49:54 GMT
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] Content-Type: application/json
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] Content-Length: 27
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] Connection: close
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] x-amzn-RequestId: 64afbf95-c283-4ec5-84e7-561478096a61
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] x-amzn-ErrorType: AccessDeniedException
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] x-amz-apigw-id: Lb6zXHEoYosF4IQ=
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] X-Amzn-Trace-Id: Root=1-61d4a4e2-201674cb5f9a661c03bd87bf
[tcl :out :INFO/0: Get_Bundle:–/–/—- –:–:–] }} {BODY {{“Message”:”Access Denied”}}}
[cmd :cmd :INFO/0: Bundle_cmd:01/04/2022 11:49:58] Receiving a command
[cmd :cmd :INFO/0: Bundle_cmd:01/04/2022 11:49:58] Received command: ‘Get_Bundle pstop’
[cmd :cmd :INFO/0: Bundle_cmd:01/04/2022 11:49:58] Doing ‘pstop’ command on thread ‘Get_Bundle’
[prod:prod:INFO/0: Get_Bundle:01/04/2022 11:49:58] Checking for leaked handles in the General interpreter…
[tcl :out :INFO/0: Get_Bundle:01/04/2022 11:49:58] <No active handles>
[tcl :out :INFO/0: Get_Bundle:01/04/2022 11:49:58]
[prod:prod:INFO/0: Get_Bundle:01/04/2022 11:49:58] Checking for leaked handles in the TPS interpreter…
[tcl :out :INFO/0: Get_Bundle:01/04/2022 11:49:58] <No active handles>
[tcl :out :INFO/0: Get_Bundle:01/04/2022 11:49:58]
[cmd :cmd :INFO/0: Bundle_cmd:01/04/2022 11:49:58] Receiving a command
[cmd :cmd :INFO/0: Bundle_cmd:01/04/2022 11:49:58] Command client went away. Closing connection.
Engine idle — 01/04/2022 11:50:08

[Charlie Bursell]

Possible that tour authentication token is wrong.
A JWT is a string with this format:
aaaaaaaaaaa.bbbbbbbbbb.cccccccccc

It’s just three sections in string separated by dots. Each section is a text encoded using base64-url:
(base64url-encoded header).(base64url-encoded claims).(base64url-encoded signature)

I would suspect that the encoded signature is not correct.

Just a guess. I am by no means an expert or even a good novice when it comes to JSON.

[Jorge Pichardo]

Thanks for the response Charlie. At some point, I thought the token was corrupted or malformed. I decoded it at jwt.io and everything appears in order. I am successful testing the endpoints for the token retrieval and the GET request using the refresh token with Postman. I am still puzzled on what’s going on.

[Charlie Bursell]

Have you asked the server side to tell you what they don’t like about it? Try it with Curl from the command line. Also you might want to open a Support case.

[Author]

Replies