ApiKey Unauthorized

[gustavoaraujocardozo]

Hello!

I'm trying to use asynchronous execution on workflows. To achieve this, I started the process using Postman, and it works well.

Here is my endpoint:
https://localhost:7268/elsa/api/workflow-definitions/8c2b4e621c9873bf/dispatch

It is configured to use:

Content-Type: application/json
Authorization: ApiKey 00000000-0000-0000-0000-000000000000
Here is the response I received:

{
"workflowInstanceId": "19fa4bfd55a5fc72"
}

In my application, I use RestSharp for making requests, but I keep getting an "Unauthorized" response from the Elsa API. I followed the steps mentioned in issue #5450 , but without success. I obtained the API key and used it in my requests; however, I still receive an "Unauthorized" response. I believe issue #5927 might be related to the same problem.

Below is the response I received from the endpoint: https://localhost:7268/elsa/api/identity/applications
I used the name: Postman and roles: ["admin"]

{
"id": "f06c6751a22338e6",
"name": "Postman",
"roles": [
"admin"
],
"clientId": "fQZK4x611fv7FjoZ",
"clientSecret": "Ag$B/g(LoRj&J5/e|uomigUx:b\.6%",
"apiKey": "66515A4B3478363131667637466A6F5A-feb7f842-297e-4758-8cdc-5f711fa54c0b",
"hashedApiKey": "XwPNtw3tuPi3WJrm8kI09Ym9PQAOw17mrrTEGreFBZo=",
"hashedApiKeySalt": "XIo1YVcA0VsMHPfcrlhvPZfuW+TKCz0XN6lgxUIY1K0=",
"hashedClientSecret": "9En4/3uMTiAfMhT1BS54TB8lOyoahGrlyZgrUrDE9G4=",
"hashedClientSecretSalt": "eEtRxYDOerleh3L38EBA3tzGbUEvXyR/fipD+yw3BHc="
}

Here is my method to execute the asynchronous workflow:

public async Task StartWorkflowAsync(string definitionId, int cdOcorrencia)
{
var input = new Input(cdOcorrencia);

_rest = new RestBase(_configuration);
var request = _rest.GetRestRequest("https://localhost:7268/elsa/api/workflow-definitions/8c2b4e621c9873bf/dispatch", 
    Method.Post
);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", $"ApiKey 66515A4B3478363131667637466A6F5A-feb7f842-297e-4758-8cdc-5f711fa54c0b");
request.AddJsonBody<Input>(input);

var response = await _rest.GetResponseAsync(request);

return new ResponseDTO
{
    IsSuccessStatusCode = response.IsSuccessStatusCode,
    StatusCode = response.StatusCode,
    Data = response.Content,
    BadRequestMessage = response.ErrorMessage
};

}

@sfmskywalker

[sfmskywalker]

Hi @gustavoaraujocardozo , so it works when using the API key 00000000-0000-0000-0000-000000000000, but not when using the generated API key? Can you double-check your Program.cs code to ensure that the Identity feature is configured to use the StoreBasedApplicationProvider and that the DefaultApiKeyProvider is used (which is the case when installing the DefaultAuthenticationFeature) instead of the default AdminApiKeyProvider?

[gustavoaraujocardozo]

Hello!

It only works on Postman; it doesn't work when I make requests using RestSharp. When using RestSharp, neither 00000000-0000-0000-0000-000000000000 nor the generated key works.

Below is my Program.cs class. Is this where I’m supposed to configure the features?

`builder.Services.AddElsa(elsa =>
{
var dbContextOptions = new ElsaDbContextOptions();

string postgresConnectionString = builder.Configuration.GetConnectionString("PostgreSQLDefaultConnection")!;
string schema = builder.Configuration.GetConnectionString("Schema")!;

if (!string.IsNullOrEmpty(schema))
{
	dbContextOptions.SchemaName = schema;
	dbContextOptions.MigrationsAssemblyName = typeof(Program).Assembly.GetName().Name;
}

elsa.UseWorkflowManagement(management => management.UseEntityFrameworkCore(ef => ef.UsePostgreSql(postgresConnectionString, dbContextOptions)));
elsa.UseWorkflowRuntime(runtime => runtime.UseEntityFrameworkCore(ef => ef.UsePostgreSql(postgresConnectionString, dbContextOptions)));

// Default Identity features for authentication/authorization.
elsa.UseIdentity(identity =>
{
	identity.TokenOptions = options => options.SigningKey = "ebd7fc1a3e1b49fe833e5aaffbb83647"; // This key needs to be at least 256 bits long.
	identity.ApiKeyOptions = options => { options.KeyName = "ApiKey"; options.SuppressWWWAuthenticateHeader = true; options.IgnoreAuthenticationIfAllowAnonymous = true; };
	identity.UseAdminUserProvider();
});

// Configure ASP.NET authentication/authorization.
elsa.UseDefaultAuthentication(auth => auth.UseAdminApiKey());

// Expose Elsa API endpoints.
elsa.UseWorkflowsApi();

// Setup a SignalR hub for real-time updates from the server.
elsa.UseRealTimeWorkflows();

// Enable C# workflow expressions
//elsa.UseCSharp();
elsa.UseJavaScript();

// Enable HTTP activities.
elsa.UseHttp();

// Use timer activities.
elsa.UseScheduling();

// Register custom activities from the application, if any.
elsa.AddActivitiesFrom<Program>();

// Register custom workflows from the application, if any.
elsa.AddWorkflowsFrom<Program>();

});`

@sfmskywalker

[sfmskywalker]

Nothing odd jumps out at me by looking at your code. Perhaps you can share a small project reproducing the issue?

[gustavoaraujocardozo]

Here is my code. It’s actually the project I’m working on, but without a lot of the extra stuff.

The Elsa server is configured to use PostgreSQL, so I hope you have a PostgreSQL database set up. I’ve removed the connection string. I will email you the invitation to my personal drive, where you can download the files (to large to attach). There are two project, elsa server and a worker service.

In the project WorkflowService, in the file OcorrenciasService.cs, make sure to use a valid Definition ID.

Let me know if you need something else. Tks!

@sfmskywalker

[sfmskywalker]

Hi @gustavoaraujocardozo , thanks for sharing the code. So in fact, when using the 00000000-0000-0000-0000-000000000000 admin API key, the client call worked successfully.

But, in order to allow your other API key to work, you need to make a small change in your workflow server setup:

Replace the following line:

elsa.UseDefaultAuthentication(auth => auth.UseAdminApiKey());

With the following:

elsa.UseDefaultAuthentication();

Then it works, because the UseAdminApiKey installs an API key authorizer that requires the API key to be that of the admin. We only use this to bootstrap a new Application entity to get a new API key. Once we have that, we should remove the UseAdminApiKey call.

[gustavoaraujocardozo]

It works perfectly! Problem solved! Thank you so much!

@sfmskywalker

[sfmskywalker]

Glad I could help!

[gustavoaraujocardozo]

@sfmskywalker Unfortunately, I have experienced strange behavior.

Since I made the changes you suggested, I’m no longer able to update my definitions in Elsa Studio. I make the changes and click the buttons to save and publish, but my definitions don’t change at all.

So, I reverted to the original code I had before, and the definitions started saving and publishing again. To be clear, the authorization problem no longer occurs, even with the original code before the change. I’m still using the empty GUID for authorization as well.

So, what could be causing the save and publish problem?