SuzanneZurich Respected Contributor.

(OO) Support Tip: CSRF token request and OO API for authentication

Customer tried to implement the API method of doing roll-back of last deployed content-pack and received 'Expected CSRF token not found' message from OO.  Customer also received an HTTP 403 Forbidden. Attached file with communication.  How to resolve?

This behavior is as expected because it is a new security feature known internally.  The behavior (where you only had to use one GET to obtain the token) was modified to address a potential CSRF exploit and the fix chosen was to have a double submission of requests to get a valid CSRF token.  This is a security fix that everyone has to comply with.

Please see the Launch flow with HTTP Cookies and CSRF token in /HPE Solutions [1.10.0]/Library/Integrations/Hewlett-Packard/Operations Orchestration/10.x/Samples/ and how the inputs are passed along.

Workaround:

Two GET requests to obtain the correct CSRF token.

The API guide documentation will be updated to include the steps to get the correct CSRF token.

Please see the knowledge document at https://softwaresupport.hpe.com/km/KM02858937
