基于Netsuite Token的API调用中的模糊身份验证

时间:2017-07-04 02:44:52

标签: c# .net netsuite suitetalk

我正在尝试使用基于令牌的身份验证对Netsuite API进行SOAP调用。我有一个从WDSL生成的C#客户端,它正在发送以下请求(更换了秘密)。

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:messages_2016_2.platform.webservices.netsuite.com" xmlns:urn1="urn:core_2016_2.platform.webservices.netsuite.com">
   <soapenv:Header>
      <urn:partnerInfo>
         <urn:partnerId>[MyAccountId]</urn:partnerId>
      </urn:partnerInfo>
      <urn:applicationInfo>
         <urn:applicationId>[MyApplicationId]</urn:applicationId>
      </urn:applicationInfo>
      <urn:tokenPassport>
         <urn1:account>[MyAccountId]</urn1:account>
         <urn1:consumerKey>[MyConsumerKey]</urn1:consumerKey>
         <urn1:token>[MyTokenId]</urn1:token>
         <urn1:nonce>1574515852</urn1:nonce>
         <urn1:timestamp>1499135589</urn1:timestamp>
         <urn1:signature algorithm="HMAC-SHA1">Ll8DbLvTWsBh/G7UtenErR03OrM=</urn1:signature>
      </urn:tokenPassport>
   </soapenv:Header>
   <soapenv:Body>
      <urn:getDataCenterUrls>
         <urn:account>[MyAccountId]</urn:account>
      </urn:getDataCenterUrls>
   </soapenv:Body>
</soapenv:Envelope>

我收到以下回复

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server.userException</faultcode>
         <faultstring>Ambiguous authentication</faultstring>
         <detail>
            <platformFaults:invalidCredentialsFault xmlns:platformFaults="urn:faults_2016_2.platform.webservices.netsuite.com">
               <platformFaults:code>USER_ERROR</platformFaults:code>
               <platformFaults:message>Ambiguous authentication</platformFaults:message>
            </platformFaults:invalidCredentialsFault>
            <ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">partners-java20004.sea.netledger.com</ns1:hostname>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

我尝试了许多不同的方法来生成签名,nonce和时间戳。目前我有以下内容:

private string computeNonce()
{
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] data = new byte[20];
    rng.GetBytes(data);
    int value = Math.Abs(BitConverter.ToInt32(data, 0));
    return value.ToString();
}

private long computeTimestamp()
{
    return ((long)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds);
}

private TokenPassportSignature computeSignature(string accountId, string consumerKey, string consumerSecret, string tokenId, string tokenSecret, string nonce, long timestamp)
{
    string baseString = accountId + "&" + consumerKey + "&" + tokenId + "&" + nonce + "&" + timestamp;
    string key = consumerSecret + "&" + tokenSecret;
    string signature = "";
    var encoding = new System.Text.ASCIIEncoding();
    byte[] keyBytes = encoding.GetBytes(key);
    byte[] baseStringBytes = encoding.GetBytes(baseString);
    using (var hmacSha1 = new HMACSHA1(keyBytes))
    {
        byte[] hashBaseString = hmacSha1.ComputeHash(baseStringBytes);
        signature = Convert.ToBase64String(hashBaseString);
    }
    TokenPassportSignature sign = new TokenPassportSignature();
    sign.algorithm = "HMAC-SHA1";
    sign.Value = signature;
    return sign;
}

有没有人有任何想法?谢谢!

7 个答案:

答案 0 :(得分:6)

getDataCenter调用不需要护照。我对mapSso函数遇到了同样的问题。看起来2017.1版本让他们更加严格不接受护照

答案 1 :(得分:3)

我知道这是一个老问题,但我在同样的问题上挣扎,并找到了一个有效的解决方案。 

private static void CreateTokenPassport()
{
    // Initialize the netsuite web service proxy.
    _netSuiteService = new NetSuiteService();

    // A valid Token passport signature consists of the following:
    // Create a base string.
    //     The base string is variable created from concatenating a series of values specific to the request.Use an ampersand as a delimiter between values.
    //     The values should be arranged in the following sequence:
    // NetSuite account ID
    // Consumer key
    // Token
    // Nonce(a unique, randomly generated alphanumeric string, with a minimum of six characters and maximum of 64)
    // Timestamp
    // See: https://system.na1.netsuite.com/app/help/helpcenter.nl?fid=section_4395630653.html#bridgehead_4398049137

    string consumerSecret = "";
    string tokenSecret = "";
    string accountId = "";
    string consumerKey = "";
    string tokenId = "";
    string nonce = ComputeNonce();
    long timestamp = ComputeTimestamp();

    string baseString = string.Format("{0}&{1}&{2}&{3}&{4}", accountId, consumerKey, tokenId, nonce, timestamp);
    string secretKey = string.Format("{0}&{1}", consumerSecret, tokenSecret);

    // Initialize the keyed hash object using the secret key as the key
    HMACSHA256 hashObject = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey));

    // Computes the signature by hashing the data with the secret key as the key
    byte[] signature = hashObject.ComputeHash(Encoding.UTF8.GetBytes(baseString));

    // Base 64 Encode
    string encodedSignature = Convert.ToBase64String(signature);

    TokenPassport tokenPassport = new TokenPassport
    {
        signature = new TokenPassportSignature
        {
            Value = encodedSignature,
            algorithm = "HMAC_SHA256"
        },
        account = accountId,
        consumerKey = consumerKey,
        token = tokenId,
        nonce = nonce,
        timestamp = timestamp
    };

    _netSuiteService = new NetSuiteService
    {
        tokenPassport = tokenPassport
    };
}

效用方法: 

private static string ComputeNonce()
{
    return Guid.NewGuid().ToString("N");
}

private static long ComputeTimestamp()
{
    return ((long)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds);
}

答案 2 :(得分:3)

切换到TBA后,我也遇到了这个无用的错误。原来,我仍在发送ApplicationInfo属性以及新的Consumer KeyConsumer Secret

我在NetSuite的“ SuiteAnswers”站点上发现了此问题,并想在这里为仍然有此问题的其他人引用。

  

模糊身份验证错误

     

在Web服务中使用基于令牌的身份验证(TBA)时,如果将其他身份验证机制与TBA标头一起使用,则会返回模棱两可的身份验证错误响应。

     

如果除了TBA标头之外,您的请求还包含应用程序ID,带有电子邮件地址和密码的护照对象或有效的JSESSIONID,则会收到此错误。

     

在以下情况下会发生错误:

     
      

  • 如果单个Web服务请求包含Passport,TokenPassport和SsoPassport复杂类型的组合。

    •   

  • 如果单个Web服务请求同时包含tokenPassport和ApplicationInfo复合类型,因此在SOAP标头中包含应用程序ID。

    •   

来源:Token-Based Authentication Errors in Web Services

答案 3 :(得分:1)

我不知道在使用HMAC-SHA1的C#中是如何完成的,但在使用CryptoJS HMAC-SHA256的Javascript中,您首先对字符串进行签名,然后在Base64中对其进行编码:

var baseString = ACCOUNT_ID + "&" + NETSUITE_CONSUMER_KEY + "&" + NETSUITE_TOKEN_ID + "&" + NONCE + "&" + TIMESTAMP;
var key = NETSUITE_CONSUMER_SECRET + '&' + NETSUITE_TOKEN_SECRET;
var HMAC256_Sig = cryptoJS.HmacSHA256(baseString, key);
var HMAC256_Sig_Base64 = cryptoJS.enc.Base64.stringify(HMAC256_Sig);

然后输出它:

'<platformCore:signature algorithm = "HMAC_SHA256">' + HMAC256_Sig_Base64 + '</platformCore:signature>'

答案 4 :(得分:1)

取下护照。遗憾的是,如果您在使用令牌验证时在代码中有此功能,NetSuite将失败。 :/

答案 5 :(得分:1)

我不得不修改XML并删除tokenpassport(帐户,comsumer密钥,令牌,nonce,timestamp)标签并且它有效。

答案 6 :(得分:0)

根据 Netsuite SuiteTalk SOAP API 文档:

不明确的身份验证错误 在 SOAP Web 服务中使用基于令牌的身份验证 (TBA) 时,不明确的身份验证 如果您将其他身份验证机制与 TBA 标头一起使用,则会返回错误响应。 如果除了 TBA 标头之外,您的请求还包含应用程序 ID、护照 具有电子邮件地址和密码或有效 JSESSIONID 的对象。 在以下情况下会发生错误:

■ 如果单个 SOAP Web 服务请求包含 Passport、TokenPassport 和 SsoPassport 复杂类型。

■ 如果单个 SOAP Web 服务请求同时包含 tokenPassport 和 ApplicationInfo 复杂类型,因此在 SOAP 标头中包含应用程序 ID。

相关问题
最新问题