Invalid Credentials when using apiKey:apisecret@api... in URL.
Hi,
I'm trying to use the admin api to search. On an older browser version it works ok, when I put in <apikey>:<apisecret>@api.cloudinary.com. But on a new browser (and in thunkable) it fails with invalid credentials.
I found a reference to RFC3986 which might be causing this. I've looked in the support forums but do not see how to work around this. Any help would be appreciated.
This has been deprecated by RFC 3986: Use of the format "user:password" in the userinfo field is deprecated. Some modern browsers thus no longer support URL encoding of basic access credentials. This prevents passwords from being sent and seen prominently in plain text.
3.2.1. User Information
The userinfo subcomponent may consist of a user name and, optionally,
scheme-specific information about how to gain authorization to access
the resource. The user information, if present, is followed by a
commercial at-sign ("@") that delimits it from the host.
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
Use of the format "user:password" in the userinfo field is
deprecated. Applications should not render as clear text any data
after the first colon (":") character found within a userinfo
subcomponent unless the data after the colon is the empty string
(indicating no password). Applications may choose to ignore or
reject such data when it is received as part of a reference and
should reject the storage of such data in unencrypted form. The
passing of authentication information in clear text has proven to be
a security risk in almost every case where it has been used.
Applications that render a URI for the sake of user feedback, such as
in graphical hypertext browsing, should render userinfo in a way that
is distinguished from the rest of a URI, when feasible. Such
rendering will assist the user in cases where the userinfo has been
misleadingly crafted to look like a trusted domain name.
Hi Linda,
We generally recommend that you use a dedicated API request tool like Postman, or call the API endpoints from your own code, rather than hitting the endpoints manually in a web browser. That said, it should still be possible depending on your environment.
The authentication method for the Admin API is HTTP Basic Authorization over HTTPS, and a common method of achieving that relies on browser support for the 'shortcut' of passing the credentials as part of the URL like `username:password@host..`
If the tool you're using doesn't support that due to the deprecation in RFC 3986, please note that you should still be able to set the appropriate header directly, but I'm not sure of the instructions for Thunkable specifically.
Assuming that you can set headers in the requests made in the tool you're using, you can specify the Authorization by taking the username and password (in this case, the API Key and API Secret), separating them with a colon, creating a base64 encoded version of that string, and including it in the Authorization HTTP header, after the type identifier, which is `Basic`.
For example, for API Key `123456789` and API Secret `abcdef`:
Start with `123456789:abcdef`
Base 64 encoded, this is `MTIzNDU2Nzg5OmFiY2RlZg`
So to authorize the request, the following header should be used:
Authorization: Basic MTIzNDU2Nzg5OmFiY2RlZg
May I ask you to please try that and let me know if it works for you as expected?
Regards,
Stephen0
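The migration Stephen describes, as an added example that is not part of the original thread or of any Cloudinary library: take a URL that still carries `apikey:apisecret@host` in its userinfo, strip the credentials out, and send them as an explicit `Authorization: Basic ...` header instead. It assumes Node.js (the WHATWG `URL` class and `Buffer` are globals there), reuses the sample key `123456789` and secret `abcdef` from the reply, and the path `/example/path` is made up. A standards-conforming Base64 encoder emits the trailing `==` padding, so the header this code produces ends in `Zg==`.

```javascript
// Added example (not from the original post): move credentials out of a
// URL's userinfo and into an HTTP Basic Authorization header.
// Assumes Node.js; key/secret values are the reply's samples, not real ones.

function basicAuthHeader(apiKey, apiSecret) {
  // RFC 7617: user-id and password are joined with ":" and Base64-encoded.
  // Base64 is an encoding, not encryption: the header only protects the
  // secret when the request travels over HTTPS.
  if (apiKey.includes(':')) {
    throw new Error('user-id must not contain ":" (RFC 7617)');
  }
  const token = Buffer.from(`${apiKey}:${apiSecret}`, 'utf8').toString('base64');
  return `Basic ${token}`;
}

function stripUserinfo(urlString) {
  // Parse the URL, lift out the userinfo, and return a credential-free URL
  // plus the header to send with it. Components are percent-decoded so that
  // e.g. "%40" in the secret becomes the "@" it stands for.
  const url = new URL(urlString);
  const apiKey = decodeURIComponent(url.username);
  const apiSecret = decodeURIComponent(url.password);
  if (!apiKey) {
    throw new Error('URL carries no userinfo');
  }
  url.username = '';
  url.password = '';
  return {
    url: url.toString(),
    headers: { Authorization: basicAuthHeader(apiKey, apiSecret) },
  };
}

function decodeBasicAuth(headerValue) {
  // What the receiving side does: split on the FIRST ":" only, because the
  // password itself may contain colons.
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/.exec(headerValue);
  if (!m) throw new Error('not a Basic credential');
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) throw new Error('malformed Basic credential');
  return { apiKey: decoded.slice(0, i), apiSecret: decoded.slice(i + 1) };
}

// Constructed input: the reply's sample key/secret and a made-up path.
const request = stripUserinfo('https://123456789:abcdef@api.cloudinary.com/example/path');
console.log(request.url);                   // https://api.cloudinary.com/example/path
console.log(request.headers.Authorization); // Basic MTIzNDU2Nzg5OmFiY2RlZg==

// To send it from any client that lets you set headers:
//   fetch(request.url, { headers: request.headers })
```

Keeping the secret in a header rather than the URL also keeps it out of browser history, proxy logs and `Referer` headers, which is the risk the RFC text quoted above is addressing; the transport still has to be HTTPS, since the header is only encoded, not encrypted.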