nutshell crm json-rpc authentication problem

[ricb...@gmail.com]

Can anybody help me figure out why this json-rpc query to the Nutshell CRM API fails with "401" in Jayrock, even though it succeeds with a simple curl call like this:

curl -u j...@demo.nutshell.com:43c789d483fd76547b1f157e3cf5e580b95b9d8c -d '{ "id": "1", "method": "getLead", "params": { "leadId": "1000" } }' https://app01.nutshell.com/api/v1/json

(The credentials and url here are from the Nutshell sample/demo, so they actually work with a sample data set.)

Simple c# console app, including Jayrock source, attached.

https://www.nutshell.com/api/

https://www.nutshell.com/api/detail/class_core.html#a9167bf0a1ed5b86205091597b726adf5

Thanks much.

[Atif Aziz]

Turns out that the problem is not Jayrock, but two things. One, the .NET HTTP client does not send the authorization header on the first request even with PreAuthenticate set to true. If you're interested in the details, the following blog post does a fabulous job of explaining what happens:

.NET WebRequest.PreAuthenticate – not quite what it sounds like

The second problem is that the Nutshell CRM API does not send back an WWW-Authenticate header on 401 (which is odd). If it did, the .NET HTTP client would re-submit the request with credentials. In the absence of WWW-Authenticate headers, the client does not know which authentication scheme the server understands and expects.

I have posted a gist that makes JsonRpcClient work against Nutshell CRM by manually forcing the authorization header with the first request. I do this subclassing by JsonRpcClient and overriding GetRequest to get a crack at the request object before passing it on to the base class where the JSON encoding is done. 

Hope this helps.

- Atif

--
You received this message because you are subscribed to the Google Groups "Jayrock" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jayrock+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[ricb...@gmail.com]

Atif,

Thanks for your work on this. I will report the non-standard behavior to Nutshell. (If they do not fix the problem on their end, I will use your workaround.)

Here is the explanation I plan to send them. Can you review it? Feel free to enhance it as you see fit. I'm not sure I am explaining it completely.

==========
Dear Nutshell,

After working to make JSON-RPC calls against the Nutshell CRM API from .NET (via the Jayrock library), I have learned that the Nutshell web server does not behave as it should when it receives a query without authentication.

The issue is as follows. When the Nutshell web server receives a JSON-RPC query without authentication, it should send back a WWW-Authenticate header on 401. In order to send an authenticated version of the request, the .NET HTTP client must receive this reply from the web server.

Since other customers are likely to attempt to call the Nutshell API from .NET applications in the future, I suggest that you implement this standard authentication convention, and modify your API to send back a WWW-Authenticate header on 401 when a query without authentication is received.

Thanks.
==========

Does that describe the situation correctly?

Thanks!
Ric

[ricb...@gmail.com]

btw, I tried your gist and it works great. I will use that until such time as Nutshell fixes their API.

Thanks again,
Ric

[Atif Aziz]

I think the issue is much more general and affects any HTTP client (not just .NET) because not sending the WWW-Authenticate header with a 401 response is a direct violation of the standard described in RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication). Per section 1.2, “Access Authentication Framework”:

The 401 (Unauthorized) response message is used by an origin server
to challenge the authorization of a user agent. This response MUST
include a WWW-Authenticate header field containing at least one
challenge applicable to the requested resource.

If you omit the -u (user) parameter from your curl command line and add -v (verbose) then you'll see that the response headers do not include any WWW-Authenticate header. The .NET Framework implementation is correct and the fact that it does not eagerly send an authorization header is a strength rather than a weakness.

BTW…

I have learned that the Jayrock web server does not behave as it should when it receives a query without authentication.

I do not believe that Nutshell CRM is implemented using the Jayrock web server. :)

- Atif 

On Tue, May 28, 2013 at 10:17 PM, <ricb...@gmail.com> wrote:

Atif,

Thanks for your work on this. I will report the non-standard behavior to Nutshell. (If they do not fix the problem on their end, I will use your workaround.)

Here is the explanation I plan to send them. Can you review it? Feel free to enhance it as you see fit. I'm not sure I am explaining it completely.

==========
Dear Nutshell,

After working to make JSON-RPC calls against the Nutshell CRM API from .NET (via the Jayrock library), I have learned that the Jayrock web server does not behave as it should when it receives a query without authentication.

The issue is as follows. When the Nutshell web server receives a JSON-RPC query without authentication, it should send back a WWW-Authenticate header on 401. In order to send an authenticated version of the request, the .NET HTTP client must receive this reply from the web server.

Since other customers are likely to attempt to call the Nutshell API from .NET applications in the future, I suggest that you implement this standard authentication convention, and modify your API to send back a WWW-Authenticate header on 401 when a query without authentication is received.

Thanks.
==========

Does that describe the situation correctly?

Thanks!
Ric

[ricb...@gmail.com]

> I do not believe that Nutshell CRM is implemented using the Jayrock web server. :)

Yep. Actually, I caught this just after I posted, so I deleted and reposted with that correct.

Thanks, will relay the issue to Nutshell, without the emphasis on .NET.

Ric