Crowd XSRF Check failed with proxy script

Christopher_Armstrong November 3, 2018

I'm trying to use Crowd to authenticate users from a local Mac application. In my first question, I wanted to know how I can authenticate the user, and this is resolved. I was told that I should write a proxy web application, so that the application user and application password are not exposed in the Mac application.

See:

https://community.atlassian.com/t5/Crowd-questions/Atlassian-Crowd-Authentication-with-FAT-client/qaq-p/926346?utm_source=atlcomm&utm_medium=email&utm_campaign=solution_to_question&utm_content=topic

I have created a PHP script which acts as a proxy; however, now I get an "XSRF Check Failed" 403 Forbidden message when sending a POST to the API, even though the IP has been configured as valid.

I was reading through the documentation and found this:

How to call protected REST APIs from third party websites
It is not possible to call protected APIs from third party websites as this would pose a security risk.

So how can I write a proxy application, when Atlassian doesn't allow third party websites?

Thanks,

Chris

2 answers

1 accepted

2 votes
Answer accepted
Bruno Vincent
Rising Star
November 4, 2018

Hi @Christopher_Armstrong

How to call protected REST APIs from third party websites
It is not possible to call protected APIs from third party websites as this would pose a security risk.

The documentation you are referring to applies to Atlassian Cloud APIs. It does not apply to Crowd's REST API.

The problem you are facing here is due to the Httpful client library, which sends a regular browser User-Agent header along with the HTTP request. Thus, Crowd thinks the HTTP request comes from a regular browser and responds with an XSRF Check failed error.

You just need to change the value of the User-Agent header here (for instance PHP or even a blank value will work):

->addHeader('User-Agent','PHP')

Christopher_Armstrong November 6, 2018

Thanks a lot Bruno Vincent. That solved it. Your fast feedback is much appreciated guys.
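The same proxy call as an added example, not code from the thread or from Atlassian: a Python version using only the standard library (the thread's code is PHP with Httpful), so a practitioner can see exactly what the proxy sends. It builds the Crowd session POST with the application credentials in Basic auth, a non-browser User-Agent as the accepted answer recommends, and a json.dumps body instead of a hand-escaped string; it refuses to send a browser-like User-Agent at all. The function crowd_xsrf_check_rejects is an assumption: a small model that reproduces only the behaviour Bruno describes (browser-like User-Agent on a state-changing request gets 403 "XSRF Check failed"), not Crowd's real implementation. The base URL, application name and password, the crowd-proxy/1.0 User-Agent value and the 203.0.113.7 client address are placeholders.

```python
import base64
import json
import urllib.request

# Substrings typical of browser User-Agent strings. Assumption: a heuristic that
# stands in for Crowd's own test, which the thread does not document; used here
# only to refuse to send a request that would trip the check described above.
BROWSER_UA_TOKENS = ("Mozilla/", "AppleWebKit", "Chrome/", "Safari/",
                     "Firefox/", "Edg/", "Trident/", "Gecko/")


def looks_like_browser(user_agent):
    """True if the User-Agent looks like a web browser (an empty string is not one)."""
    ua = user_agent or ""
    return any(token in ua for token in BROWSER_UA_TOKENS)


def crowd_xsrf_check_rejects(method, headers):
    """Model of the behaviour reported in the accepted answer (an assumption, not
    Crowd's real code): a state-changing request carrying a browser-like
    User-Agent is rejected; safe methods and non-browser agents pass."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False
    return looks_like_browser(headers.get("User-Agent", ""))


def build_session_request(base_url, app_name, app_password,
                          username, password, client_ip,
                          user_agent="crowd-proxy/1.0"):
    """Return (url, headers, body) for POST /rest/usermanagement/1/session.

    The proxy authenticates to Crowd with the *application* credentials (Basic
    auth) and passes the end user's name and password in the JSON body, so the
    Mac client never sees the application password. remote_address should be
    the client IP as seen by the proxy, not a hard-coded loopback value.
    """
    if looks_like_browser(user_agent):
        raise ValueError("browser-like User-Agent would fail Crowd's XSRF check: %r" % user_agent)
    url = base_url.rstrip("/") + "/rest/usermanagement/1/session"
    token = base64.b64encode(f"{app_name}:{app_password}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": "Basic " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
        # Any non-browser value works per the answer ('PHP' or even '').
        "User-Agent": user_agent,
    }
    # json.dumps instead of a hand-built string, so a quote in the password
    # cannot break the JSON or change its structure.
    body = json.dumps({
        "username": username,
        "password": password,
        "validation-factors": {
            "validationFactors": [{"name": "remote_address", "value": client_ip}]
        },
    }).encode("utf-8")
    return url, headers, body


def authenticate(base_url, app_name, app_password, username, password,
                 client_ip, timeout=5.0):
    """Send the session request to a real Crowd server and return the parsed
    JSON response. Not exercised offline; everything it sends comes from
    build_session_request."""
    url, headers, body = build_session_request(base_url, app_name, app_password,
                                               username, password, client_ip)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder values (constructed), not a real Crowd instance.
    url, headers, body = build_session_request(
        "http://thecrowd.url:8095/crowd", "myappuser", "myapppass",
        "myuser", "mypassword", "203.0.113.7")
    chrome = "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 Chrome/70.0 Safari/537.36"
    print(url)
    print("rejected with browser UA:", crowd_xsrf_check_rejects("POST", {"User-Agent": chrome}))
    print("rejected with proxy UA:  ", crowd_xsrf_check_rejects("POST", headers))
```

Run it directly to see the request that would go to Crowd; call authenticate() only against a Crowd instance whose base URL and application credentials you control. Note that the remote_address validation factor is supplied by the proxy from its own view of the client connection, which is the value Crowd's application IP whitelist and session validation are meant to see.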

1 vote
Gonchik Tsymzhitov
Community Leader
November 3, 2018

Hi!

In my code I use the header parameter 'X-Atlassian-Token': 'no-check', like this:

https://github.com/atlassian-api/atlassian-python-api/blob/master/atlassian/rest_client.py#L14

Hope it helps

Cheers,

Gonchik Tsymzhitov

Christopher_Armstrong November 3, 2018

Thanks a lot for this. I tried it, but it didn't work. Still the same message. Below is my PHP code, executed through Chrome.

<?php
// Httpful is the PHP HTTP client used here, loaded from its phar archive.
include('./httpful.phar');

// Crowd REST endpoint that authenticates a user and creates an SSO session.
$uri = "http://thecrowd.url:8095/crowd/rest/usermanagement/1/session";

// Build the JSON body with json_encode rather than a hand-escaped string, so a
// quote or backslash in a user-supplied value cannot break the JSON structure.
$body = json_encode([
    'username' => 'myuser',
    'password' => 'mypassword',
    'validation-factors' => [
        'validationFactors' => [
            ['name' => 'remote_address', 'value' => '127.0.0.1'],
        ],
    ],
]);

// Basic auth carries the Crowd *application* credentials; the end user's
// credentials travel in the JSON body. The X-Atlassian-Token header is the
// one suggested above (it did not change the 403 result here).
$response = \Httpful\Request::post($uri)
    ->authenticateWith('myappuser', 'myapppass')
    ->addHeader('Content-Type', 'application/json')
    ->addHeader('Accept', 'application/json')
    ->addHeader('X-Atlassian-Token', 'no-check')
    ->body($body)
    ->send();

/*
// Get Groups
$uri = "http://milk.tendswiss.ch:8095/crowd/rest/usermanagement/1/user/group/direct?username=christopher.armstrong@tend.swiss";

$response = \Httpful\Request::get($uri)
    ->authenticateWith('christest', '123456')
    ->addHeader('Content-Type', 'application/json')
    ->addHeader('Accept', 'application/json')
    ->send();
*/
/*
$response = \Httpful\Request::post($uri)
    ->authenticateWith('christest', '123456')
    ->addHeader('Content-Type', 'application/json')
    ->addHeader('Accept', 'application/json')
    ->send();
*/
echo "Done<br>";

// Dump the full response object (status code, headers, body) for debugging;
// a 403 here is the "XSRF Check failed" response described in the question.
var_dump($response);
?>

Gonchik Tsymzhitov
Community Leader
November 4, 2018

Hi!

Is it possible to set the header variable in all requests?

Cheers,

Gonchik Tsymzhitov

Christopher_Armstrong November 4, 2018

What do you mean by "in all requests"?

Currently I am trying to get this working, and it contains the X-Atlassian-Token header.

$uri = "http://thecrowd.url:8095/crowd/rest/usermanagement/1/session";
$body = "{\"username\": \"myuser\", \"password\":\"mypassword\", \"validation-factors\": { \"validationFactors\": [{\"name\": \"remote_address\", \"value\":\"127.0.0.1\"}]}}";

$response = \Httpful\Request::post($uri)
->authenticateWith('myappuser', 'myapppass')
->addHeader('Content-Type', 'application/json')
->addHeader('Accept', 'application/json')
->addHeader('X-Atlassian-Token', 'no-check')
->body($body)
->send();
