Developer

 View Only
last person joined: 4 days ago 

Expand all | Collapse all

API X-CSRF-Token

This thread has been viewed 27 times
  • 1.  API X-CSRF-Token

    Posted Mar 18, 2024 07:44 AM

    AOS 8.10.0.10 Conductor and clusters

    Hello,

    I'm not a programmer but use the API to do a few tasks. I noticed that here https://www.arubanetworks.com/techdocs/ArubaOS_87_Web_Help/Content/nbapiguide/prerequisites.htm it says:

    "Starting from ArubaOS 8.7.0.0, UIDARUBA is deprecated. The X-CSRF-Token will be used in the header. The UIDARUBA is still available for backward compatibility with older ArubaOS firmware versions."

    I have always used UIDARUBA up til now, but thought I should start updating my scripts to use X-CSRF-Token. I was hoping I could just parse X-CSRF-Token from the login request (instead of UIDARUBA) and then add that to the header of my next request instead of the UIDARUBA token, but I keep getting 401 unauthorised.

    I seem to be getting the token itself fine, but then my next request fails:

                url = f"https://{mc}:4343/v1/configuration/object/reload"
                body = {
                    "force": True
                }
                querystring = {"config_path": "/md"}   # UIDARUBA deprecated (removed from querystring) , switched to X-CSRF-Token 18/03/2024
                headers = {
                    "Content-Type": "application/json",
                    "Accept" : "application/json",
                    "Cookie" : f"SESSION={uid}",
                    "X-CSRF-Token" : f"{uid}"
                    }
                response = requests.request("POST", url, json=body, headers=headers, verify=False, params=querystring)
    

     What am I doing wrong here? I'm also not really sure what "Cookie" does but I've always included it, I must have got it from some documentation at some point. It was previously set to the UIDARUBA, but now 'uid' is the X-CSRF-Token.



  • 2.  RE: API X-CSRF-Token

    MVP GURU
    Posted Mar 18, 2024 09:37 AM

    Hi cauliflower

    I always use uidaruba....

    do you have check the log ? or output of error request ? 



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: API X-CSRF-Token

    Posted Mar 18, 2024 02:10 PM

    In the logs I see:

    Mar 18 10:30:01 2024  httpd[32483]: SID validation failed for API opcode:/v1/configuration/object/reload, sid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Mar 18 10:30:01 2024  httpd[32483]: SID Validation failed POST URI:/v1/configuration/object/reload

    I'm not sure what SID is 




  • 4.  RE: API X-CSRF-Token

    EMPLOYEE
    Posted Mar 19, 2024 06:51 AM

    This is what works for me... on the login, I get the following json-response (redacted):

    {'_global_result': {'status': '0', 'status_str': "You've logged in successfully.", 'UIDARUBA': 'ZTc1Njredacted1', 'X-CSRF-Token': 'NzhiM2redacted2'}}

    Then in the follow-up calls, I put this in the header:

    {'X-CSRF-Token': 'NzhiM2redacted2'}

    The Cookies:

    {'SESSION': 'ZTc1Njredacted1'}

    And in addition, I use the cookie function to collect/store/cache and send cookies that were received earlier.

    I think SID is session ID, which seems to sit in the cookies. But most important from your example is that the SESSION cookie and X-CSRF-Token are different values, which also make sense for a CSRF mechanism.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: API X-CSRF-Token

    Posted Mar 20, 2024 11:43 AM

    Thanks Herman,

    So previously I would just obtain a UIDARUBA using login and it looks like this is what was also set as the SESSION cookie value in the headers.  So how do I obtain a different value to use as the SESSION cookie?

    What are the implications of continuing to use UIDARUBA in the way I am? Is it considered insecure now? 

    And will the UIDARUBA method disappear at some point?

    Apologies for the many questions, as I say, I'm not a programmer so some of this is new to me

    Guy




  • 6.  RE: API X-CSRF-Token

    EMPLOYEE
    Posted 27 days ago

    I see I made a mistake in the example I used before... So the 'X-CSRF-Token' goes as a header, the UIDARUBA goes as the SESSION Cookie; but it is also received as a 'Set-Cookie' on the request, so if you use a cookie-jar or so, you should just use the X-CSRF-Token.

    As far as I know, it you don't use the X-CSRF-Token, it will just not work, so it's required for accessing the API modern versions of ArubaOS. 



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: API X-CSRF-Token

    MVP GURU
    Posted Mar 21, 2024 07:27 AM

    There is a typo on Aruba 8.12 API guide, it is say 

    X-CSRFToken


    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------