HTTP with Authorization returning Forbidden response error

Markos

Active Member
Licensed User
Longtime User
Hi All,

I am sending an HTTP request to an HTTP site using GET via the Download method, where the header has to include the Authorization Bearer {token}. The code looks fine, but the response comes back with Forbidden, with the HttpJob reporting Success=False.

Just FYI, the token I receive is formatted as base64url-safe text in 3 sections separated with a period (.), as Header, Payload & Signature respectively.

I want to be 100% sure that my calls are not missing any unique setting for calling an HTTP site with an Authorization Bearer header. If I'm good, then it must be the server or a token mismatch.
 

Markos

Below is the code block where the token was received prior; as the job fails it fires off the line at 'ToastMessageShow(j.ErrorMessage,False)'.

GET with Authorization Bearer Header:
    url1 = urlroot & "/cust/informaton/"

    Dim j As HttpJob
    j.Initialize("", Me)

    ' GET request; headers are set on the underlying request after Download
    j.Download(url1)
    j.GetRequest.SetHeader("Accept", "application/json")
    j.GetRequest.SetHeader("Content-Type", "application/json")
    j.GetRequest.SetHeader("Authorization", "Bearer " & token)
    Wait For (j) JobDone(j As HttpJob)

    Dim tmpstr As String

    If j.Success Then
        tmpstr = j.GetString
        ToastMessageShow(tmpstr, True)
    Else
        ' Fires on a non-2xx status, e.g. 401 or 403
        ToastMessageShow(j.ErrorMessage, False)
    End If
    j.Release
 

Markos

I'm hoping it's the wrong token. I'm the front-end developer; the token generation is handled by the back-end developer. I asked them to verify from their logic and logs etc.
I am exploring what I can to ensure I'm correct in the code statements and workflow; then I can feel confident to say it's not an Android policy etc. but a server-related issue.
 

drgottjr

Forbidden (403) is the wrong response for failed authentication/authorization. 401 would mean authorization failed.
 
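To make the two points above concrete (the three-section base64url token from the first post, and the 401-versus-403 distinction drgottjr raises), here is an added example that is not from the thread and not B4X or its HttpJob library. It is a small Python model of what a resource server does with an Authorization header, following RFC 6750: no header, a missing "Bearer" prefix, an unknown or mis-signed token and an expired token all yield 401 with a WWW-Authenticate challenge; only a token that verifies but lacks the required scope yields 403. The secrets, scope name and claims are constructed for the demo; the HS256 signing routine is included so a "token mismatch" (issuer and server using different secrets) can be reproduced offline, and `inspect_jwt` shows how to look at the header and payload sections without trusting the signature.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for the demo only.
SERVER_SECRET = b"constructed-server-secret"   # what the resource server verifies with
ISSUER_SECRET = b"constructed-issuer-secret"   # a mismatched secret on the token issuer
NOW = 1_700_000_000                             # fixed clock so the example is deterministic


def b64url_encode(data: bytes) -> str:
    """JWT sections use base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the token dropped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def inspect_jwt(token: str) -> dict:
    """Decode the header and payload sections for debugging. Does NOT verify anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated sections, got {len(parts)}")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1]))}


def verify_hs256_jwt(token: str, secret: bytes, now: float) -> Optional[dict]:
    """Return the claims if the signature matches and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:          # bad base64url or bad JSON (binascii.Error is a ValueError)
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(headers: dict, secret: bytes, required_scope: str, now: float) -> Tuple[int, str]:
    """Server-side decision for a Bearer-protected endpoint: (status, WWW-Authenticate value)."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, 'Bearer realm="api"'
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        # A raw token without the "Bearer " prefix lands here: 401, not 403.
        return 401, 'Bearer realm="api", error="invalid_request"'
    claims = verify_hs256_jwt(credential.strip(), secret, now)
    if claims is None:
        return 401, 'Bearer realm="api", error="invalid_token"'
    if required_scope not in claims.get("scope", "").split():
        # Authenticated but not permitted: this is the only 403 case here.
        return 403, 'Bearer realm="api", error="insufficient_scope"'
    return 200, ""


def run_demo() -> dict:
    """Exercise each scenario from the thread and return the status codes."""
    good = make_hs256_jwt({"sub": "cust-1", "scope": "cust:read", "exp": NOW + 600}, SERVER_SECRET)
    mismatched = make_hs256_jwt({"sub": "cust-1", "scope": "cust:read", "exp": NOW + 600}, ISSUER_SECRET)
    no_scope = make_hs256_jwt({"sub": "cust-1", "scope": "other", "exp": NOW + 600}, SERVER_SECRET)
    expired = make_hs256_jwt({"sub": "cust-1", "scope": "cust:read", "exp": NOW - 1}, SERVER_SECRET)
    return {
        "no_header": authorize({}, SERVER_SECRET, "cust:read", NOW)[0],
        "no_bearer_prefix": authorize({"Authorization": good}, SERVER_SECRET, "cust:read", NOW)[0],
        "secret_mismatch": authorize({"Authorization": "Bearer " + mismatched}, SERVER_SECRET, "cust:read", NOW)[0],
        "expired": authorize({"Authorization": "Bearer " + expired}, SERVER_SECRET, "cust:read", NOW)[0],
        "wrong_scope": authorize({"Authorization": "Bearer " + no_scope}, SERVER_SECRET, "cust:read", NOW)[0],
        "ok": authorize({"Authorization": "Bearer " + good}, SERVER_SECRET, "cust:read", NOW)[0],
        "alg": inspect_jwt(good)["header"]["alg"],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Read against the thread: a client that gets 401 when it omits the prefix but 403 when it sends "Bearer token" correctly has passed the header-format check, so the remaining suspects are what the server does with the token itself (key or issuer mismatch, audience, scope), which is where this thread ended up.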

Markos

Good point.
Another curiosity: if I send without the Bearer prefix, the response is Unauthorized.

I will verify the HTTP status code for each scenario.
 

aeric

base64url-safe text in 3 sections separated with a period (.), as Header, Payload & Signature respectively.
B4X:
j.GetRequest.SetHeader("Accept", "application/json")
If you are sending a payload (JSON), you should be using POST instead of GET.

Another thing: make sure the URL is correct.
 

Markos

Agreed on the use of POST; however, the owner of the API requires GET, dunno why. I just left the JSON headers in as default, as no payload is actually sent for that endpoint; that shouldn't cause the result I'm getting, I don't think. I will remove those JSON headers just to confirm.
 

Markos

Issue resolved: it was a server-side token mismatch; the server developer amended his code.
 