
I have a protected service, but I need to create links for sharing purposes. So I came across this feature:

new ApiKeyAuthProvider(AppSettings) {
    AllowInHttpParams = true
},

I'm calling the service, getting the API key directly from the ApiKey table, and in the debug console I can even see the SQL, which is correct (select where id, and id is my api key) and matches an active user, but still I'm getting a 403 from ServiceStack.

The apikey query param is used. HTTPS is used (with a valid CA-signed cert).

specimen

1 Answer

403 Forbidden indicates Authentication was successful (otherwise would return 401 unauthorized) but the authenticated user does not have access to the resource, e.g. they don't have the required roles or permissions.

mythz
  • What I'm seeing in Postman (making sure to have cleared any cookies there) is: Passing the API Key as Bearer token: Invalid key gives login page, valid key gives 403. Passing the API key in Query Params I get 403 no matter if key is valid or just junk. When looking up the key in SQL I find my user, the only user, which works fine with credentials and JWT. The service has `[RequiredRole("Admin")]` which is the role my user has. Even if I remove the role I won't get access. If I login so the ss-cookies are set, then I can access the resource. The Id column from the table is the one to use? – specimen Jun 05 '20 at 11:05
  • @specimen You're talking about 3 different types of authentication here, API Key, JWT and Credentials Server Session Auth. If authenticating with an API Key (and only an API Key) returns a 403, it's an indication it doesn't have the required role. You can intercept the role check by overriding the `HasRole()` in your Custom User Session, this is the [default implementation to check if the user has a role](https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/AuthUserSession.cs#L106). – mythz Jun 05 '20 at 11:16
  • 2
    First I'd like to say it's such a privilege to have the main developer answer questions within minutes on SO even with time-zone difference. And it's been like that for years. *I found the solution:* I'm behind a reverse proxy, where SSL is terminated, so I had to add `RequireSecureConnection=false` to the ApiKeyAuthProvider settings. That made it work. – specimen Jun 05 '20 at 11:55
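Putting the answer and the follow-up comments together, as an added example (not code from the question, the answer, or ServiceStack itself): a hypothetical AppHost that registers ApiKeyAuthProvider with both settings discussed, plus a custom session that logs each role check so a 403 can be traced to the specific missing role. It assumes v5-era ServiceStack signatures (`AuthUserSession.HasRole(string, IAuthRepository)`, `AppHostBase.Configure(Funq.Container)`).

```csharp
using System;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Hypothetical session type: same role logic as the default AuthUserSession,
// but every check is logged, which is the quickest way to see which
// [RequiredRole] an API-key request is failing on.
public class LoggingUserSession : AuthUserSession
{
    public override bool HasRole(string role, IAuthRepository authRepo)
    {
        var ok = base.HasRole(role, authRepo);
        Console.WriteLine($"HasRole('{role}') for user '{UserAuthId}' -> {ok}");
        return ok;
    }
}

public class AppHost : AppHostBase
{
    // "ApiKeyDemo" is a placeholder service name.
    public AppHost() : base("ApiKeyDemo", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        Plugins.Add(new AuthFeature(() => new LoggingUserSession(),
            new IAuthProvider[] {
                new ApiKeyAuthProvider(AppSettings) {
                    // Lets share links carry the key as ?apikey=... in the URL.
                    AllowInHttpParams = true,

                    // Default is true: keys on a plain-HTTP request are refused.
                    // Behind a proxy that terminates TLS the app itself only sees
                    // HTTP, so a valid key is rejected. Relax this only when the
                    // proxy-to-app hop is trusted (loopback or a private network);
                    // otherwise keys in query strings travel in the clear.
                    RequireSecureConnection = false,
                },
            }));
    }
}
```

With `RequireSecureConnection` left at its default, the failure shows up before any role check, so nothing is logged by `HasRole`; once the key is accepted, a logged `-> False` line names the role the service demands.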