Skip to main content
Maekee
Maekee
Explorer
December 17, 2021
Solved

FortiGate API

  • December 17, 2021
  • 2 replies
  • 11760 views

Authenticate with user/pass vs access_token.

 

I have succeeded to authenticate with a user/pass against the Rest API where i put the username/secretkey as the payload in the body with a POST method.

 

Have also succeeded to authenticate with the access_token with a GET method by appending the access_token in the URL (with ?access_token=<token>).


I would like to authenticate with the access_token, but put it in the payload as a POST-method. Because when authenticating with the access_token in the url it will not be encrypted over the https tls channel.

 

So, my question is.. how do i authenticate like the above username/secretkey but with the generated access_token (Rest API key) instead?

I have tried to replace the password with the access_token, but do not work.

 

Thanks in advanced

 

    Best answer by Debbie_FTNT

    Hey Maekee,

     

    the API token can only be included in the URL as a parameter, or as a request header like this: 

    Authorization: Bearer <YOUR-API-TOKEN>

    There is no way to include it in the payload; the FortiGate will not accept an API connection if it doesn't include the API token in either URL or header or a full admin login is performed via /logincheck or /api/v2/authentication beforehand.

    The /logincheck and /api/v2/authentication options are not intended for Rest API admins, but regular admins (which can also access API, but do not have a token and need to go via actual login).
    I hope this helps answer your question.

    2 replies

    Jackstorm
    Jackstorm
    Visitor III
    December 18, 2021

    When you tried to login by username and password, a csrf token returned, you need post with this csrf token in http header. 

    Use username/password login has already fulfilled your request. 

    Maekee
    MaekeeAuthor
    Explorer
    January 10, 2022

    Hello,

    My question is still:

    Can i authenticate with the API token inside the header (as a payload) instead of in the URL? (As i do with the user/pass)

     

    Debbie_FTNT
    Staff & Editor
    Debbie_FTNTAnswer
    Staff & Editor
    January 10, 2022

    Hey Maekee,

     

    the API token can only be included in the URL as a parameter, or as a request header like this: 

    Authorization: Bearer <YOUR-API-TOKEN>

    There is no way to include it in the payload; the FortiGate will not accept an API connection if it doesn't include the API token in either URL or header or a full admin login is performed via /logincheck or /api/v2/authentication beforehand.

    The /logincheck and /api/v2/authentication options are not intended for Rest API admins, but regular admins (which can also access API, but do not have a token and need to go via actual login).
    I hope this helps answer your question.

      Maekee
      MaekeeAuthor
      Explorer
      January 11, 2022

      Thanks Debbie,

      What would you say is the best use of API tokens vs User/pass when using the API's?

       

      My educated guess is API token is for monitoring (not sensitive config/modifications) and user/pass is for automating sensitive modifications which needs to be secure?

       

      Debbie_FTNT
      Staff & Editor
      Debbie_FTNT
      Staff & Editor
      January 11, 2022

      Hey Maekee,

      as best I can tell (the reasoning for both methods isn't documented anywhere I can find it), your guess is correct.

      Please take anything I say here with a grain of salt, I'm not part of Fortinet's API team, I've just experimented with the API a bit and have access to some additional documentation (where that header option comes from).

      For API admins with token, by default you can't set a super_admin profile, and it is strongly recommended to create and restrict an admin profile for API admins to only the necessary privileges, probably due to exactly what we've discussed here, the token is not exactly secret.

      I don't know if you have access to the Fortinet Developer Network (fndn.fortinet.net) - there is extensive API documentation available, and forums discussing API use cases. If you don't have access, you can reach out to your Fortinet Sales representative regarding getting sponsored for access.

       

      Hope that helps :)

        Maekee
        MaekeeAuthor
        Explorer
        January 11, 2022

        Thanks for the reply, you just acknowledged what i already thought. :) Of course i would never give super_admin access to an API-user, that is not following either least privilege or any type for security thinking :) I have got access to FNDN so i will dive into that when the time is right. Any documentation you can supply or examples i would greatly appreciate it. Thanks

        Terms & ConditionsCookie settingsAccessibility statement