Fortinet Forum
Maekee
New Contributor II

FortiGate API

Authenticate with user/pass vs access_token.

I have succeeded in authenticating with a user/pass against the REST API, where I put the username/secretkey as the payload in the body with a POST method.

I have also succeeded in authenticating with the access_token with a GET method by appending the access_token to the URL (with ?access_token=<token>).

I would like to authenticate with the access_token, but put it in the payload as a POST method, because when authenticating with the access_token in the URL it will not be encrypted over the HTTPS TLS channel.

So, my question is: how do I authenticate like the above username/secretkey, but with the generated access_token (REST API key) instead?

I have tried to replace the password with the access_token, but it does not work.

Thanks in advance

/Maekee
6 REPLIES
Jackstorm
New Contributor II

When you log in with username and password, a CSRF token is returned; you need to POST with this CSRF token in the HTTP header.

Using the username/password login has already fulfilled your request.


Lucas
Maekee
New Contributor II

Hello,

My question is still:

Can I authenticate with the API token inside the header (as a payload) instead of in the URL? (As I do with the user/pass.)

/Maekee
Debbie_FTNT

Hey Maekee,

the API token can only be included in the URL as a parameter, or as a request header like this:

Authorization: Bearer <YOUR-API-TOKEN>

There is no way to include it in the payload; the FortiGate will not accept an API connection if it doesn't include the API token in either the URL or the header, unless a full admin login is performed via /logincheck or /api/v2/authentication beforehand.

The /logincheck and /api/v2/authentication options are not intended for REST API admins, but for regular admins (which can also access the API, but do not have a token and need to go via an actual login).
I hope this helps answer your question.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
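The two authentication paths discussed in this thread (API token as a Bearer header or as a URL parameter, and the /logincheck username/password login that Jackstorm says returns a CSRF token), built offline as an added example. This is not code from Fortinet or from any poster here. The hostname, token, cookie and CSRF values are constructed; the endpoint names come from the thread, while the `username`/`secretkey` form fields, the `ccsrftoken` cookie and the `X-CSRFTOKEN` header are assumptions based on the FortiGate login flow as generally documented, so check them against your firmware version before relying on them.

```python
"""Building FortiGate REST API requests with the two authentication methods.

Added example for this thread, not code from Fortinet or from the posters.
HOST, API_TOKEN and the Set-Cookie values below are constructed. Assumed
(not stated in the thread): /logincheck takes 'username' and 'secretkey'
form fields, sets a 'ccsrftoken' cookie, and expects that value back in an
'X-CSRFTOKEN' header on session-authenticated requests.
"""
from dataclasses import dataclass, field
import json
import urllib.parse
import urllib.request

HOST = "fortigate.example.net"                      # constructed hostname
API_TOKEN = "EXAMPLE-API-TOKEN-0123456789abcdef"    # constructed, not a real key


@dataclass
class PreparedRequest:
    """A request described but not yet sent, so it can be inspected offline."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def api_token_request(path: str, token: str, in_url: bool = False) -> PreparedRequest:
    """GET authenticated with a REST API admin token.

    in_url=False: 'Authorization: Bearer <token>' header (the accepted answer).
    in_url=True:  '?access_token=<token>' query string (what the OP wants to
    avoid). Both travel inside the TLS session; the practical difference is
    that query strings routinely land in proxy, web-server and history logs.
    """
    url = f"https://{HOST}{path}"
    headers = {"Accept": "application/json"}
    if in_url:
        url += ("&" if "?" in path else "?") + urllib.parse.urlencode({"access_token": token})
    else:
        headers["Authorization"] = f"Bearer {token}"
    return PreparedRequest("GET", url, headers)


def token_in_url(req: PreparedRequest) -> bool:
    """True when the secret is carried in the URL, i.e. the loggable place."""
    return "access_token=" in urllib.parse.urlsplit(req.url).query


def login_request(username: str, secretkey: str) -> PreparedRequest:
    """POST /logincheck for a regular admin: credentials in the body, not the URL."""
    body = urllib.parse.urlencode({"username": username, "secretkey": secretkey}).encode()
    return PreparedRequest("POST", f"https://{HOST}/logincheck",
                           {"Content-Type": "application/x-www-form-urlencoded"}, body)


def csrf_token_from_set_cookie(set_cookie_headers: list) -> str:
    """Extract the CSRF token from the Set-Cookie headers /logincheck returns.

    Assumed cookie name: 'ccsrftoken', value usually double-quoted. The
    stripped value goes into the X-CSRFTOKEN header (Jackstorm's point).
    """
    for header in set_cookie_headers:
        name, _, value = header.split(";", 1)[0].partition("=")
        if name.strip() == "ccsrftoken":
            return value.strip().strip('"')
    raise ValueError("no ccsrftoken cookie in response; /logincheck did not succeed")


def session_request(path: str, cookie_header: str, csrf_token: str,
                    method: str = "GET", payload: dict = None) -> PreparedRequest:
    """Request authenticated by the login session cookies plus the CSRF header."""
    headers = {"Accept": "application/json", "Cookie": cookie_header,
               "X-CSRFTOKEN": csrf_token}
    body = b""
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    return PreparedRequest(method, f"https://{HOST}{path}", headers, body)


def send(req: PreparedRequest) -> bytes:
    """Transmit a PreparedRequest over HTTPS (not exercised offline).

    urlopen verifies the FortiGate's certificate by default; do not disable
    that to work around a self-signed cert, install the CA instead.
    """
    r = urllib.request.Request(req.url, data=req.body or None,
                               headers=req.headers, method=req.method)
    with urllib.request.urlopen(r, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Token auth: header form vs URL form, same endpoint.
    for in_url in (False, True):
        r = api_token_request("/api/v2/monitor/system/status", API_TOKEN, in_url=in_url)
        print(r.method, r.url, "| token in URL:", token_in_url(r), "|", r.headers)
    # Session auth: constructed Set-Cookie headers shaped like a /logincheck reply.
    fake_set_cookie = [
        'APSCOOKIE_0="Era=0&Payload=constructed"; path=/; secure; HttpOnly',
        'ccsrftoken="CONSTRUCTED_CSRF_VALUE"; path=/; secure',
    ]
    csrf = csrf_token_from_set_cookie(fake_set_cookie)
    cookie_hdr = "; ".join(h.split(";", 1)[0] for h in fake_set_cookie)
    r = session_request("/api/v2/cmdb/firewall/address", cookie_hdr, csrf, method="POST",
                        payload={"name": "host1", "subnet": "10.0.0.1/32"})
    print(r.method, r.url, r.headers["X-CSRFTOKEN"], r.body)
```

Running the script prints both token-authenticated requests side by side so the difference is visible: only the `in_url=True` variant has the key in the URL. To use it against a real device, replace `HOST` and `API_TOKEN`, call `send(login_request(...))` and feed the response's `Set-Cookie` headers (from `resp.headers.get_all("Set-Cookie")`) into `csrf_token_from_set_cookie`.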
Maekee
New Contributor II

Thanks Debbie,

What would you say is the best use of API tokens vs user/pass when using the APIs?

My educated guess is that the API token is for monitoring (not sensitive config/modifications) and user/pass is for automating sensitive modifications which need to be secure?

/Maekee
Debbie_FTNT

Hey Maekee,

as best I can tell (the reasoning for both methods isn't documented anywhere I can find it), your guess is correct.

Please take anything I say here with a grain of salt; I'm not part of Fortinet's API team, I've just experimented with the API a bit and have access to some additional documentation (where that header option comes from).

For API admins with a token, by default you can't set a super_admin profile, and it is strongly recommended to create and restrict an admin profile for API admins to only the necessary privileges, probably due to exactly what we've discussed here: the token is not exactly secret.

I don't know if you have access to the Fortinet Developer Network (fndn.fortinet.net); there is extensive API documentation available, and forums discussing API use cases. If you don't have access, you can reach out to your Fortinet sales representative regarding getting sponsored for access.

Hope that helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Maekee
New Contributor II

Thanks for the reply, you just confirmed what I already thought. :) Of course I would never give super_admin access to an API user; that is not following least privilege or any type of security thinking. :) I have got access to FNDN, so I will dive into that when the time is right. Any documentation or examples you can supply I would greatly appreciate. Thanks

/Maekee