ZBX-22952

API authentication using Authorization bearer header does not work


    • Type: Documentation task
    • Resolution: Unresolved
    • Priority: Trivial
    • Fix Version/s: None
    • Affects Version/s: 6.4.3
    • Component/s: API (A), Frontend (F)
    • Environment: Suse Linux Enterprise 15 SP4 - kernel 5.14.21-150400.24.63-default
      Zabbix 6.4.3 (Migrated from 6.2.9) - Installed from official Zabbix repos
      Postgresql 15.1 + TimescaleDB 2.9.3
    • Sprint: Documentation backlog
    • Story Points: 0.2

      According to https://www.zabbix.com/documentation/6.4/en/manual/api we should now use the `Authorization: Bearer xxx`-header to authenticate an API call. The `auth`-parameter is still supported but deprecated.

      However, when using the Authorization Bearer, I'm unable to authenticate with the API, while when using the `auth`-parameter method, the API authentication is successful.

      This is also seen when using the [pyZabbix python library|https://github.com/lukecyca/pyzabbix]. When that library detects a Zabbix API version > 6.4, it will use the Authorization Bearer method, but it also fails to authenticate with it, at least on Zabbix 6.4.3.


      Steps to reproduce:

      1. Ensure you have a user with API access
      2. Generate an API token for that user (optional - alternatively obtain a token using the user.login API call)
      3. Call the API method host.get with a `Authorization: Bearer xxx`-header:
      curl --request POST --url 'http://zabbix643server/api_jsonrpc.php' --header 'Authorization: Bearer 5488f5b22f4ec4d028596deecc90d41a7bd26076f818f2d3f5be9596ce1a5da9' --header 'Content-Type: application/json' --data '{"jsonrpc": "2.0","method": "host.get","params": {"output": ["hostid","host"]},"id": 2}' 


      Result:

      Authorization failure:

      {"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.","data":"Not authorized."},"id":2}


      Expected: a list of hosts, as requested by the `host.get` call

      {"jsonrpc":"2.0","result":[{"hostid":"14195","host":"icos"},{"hostid":"14207","host":"webdbprd"},{"hostid": .... 

      When I call the API using the same token, but using the `auth`-parameter, it works as it should:

      curl --request POST --url 'http://zabbixserver/api_jsonrpc.php' --header 'Content-Type: application/json' --data '{"jsonrpc": "2.0","method": "host.get","params": {"output": ["hostid","host"]},"id": 2,"auth": "5488f5b22f4ec4d028596deecc90d41a7bd26076f818f2d3f5be9596ce1a5da9"}' 

      I get:

      {"jsonrpc":"2.0","result":[{"hostid":"14195","host":"icos"},{"hostid":"14207","host":"webdbprd"},{"hostid": ....  

      So it seems the new authentication method using an Authorization Bearer header just does not work.

      Note that this is tested on an installation migrated from Zabbix 6.2.9. If it works on a vanilla installation, this may be a migration bug? I did not test on a vanilla installation.
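      As an added diagnostic (not part of this issue, of Zabbix or of pyZabbix): a script that sends the same `host.get` call with one token both as an `Authorization: Bearer` header and as the deprecated `auth` member, and classifies each reply, so the difference described above can be checked against any endpoint. The URL and token are placeholders, and the `send` callable is injectable so the request-building and classification logic runs without a live server.

```python
"""Probe a Zabbix JSON-RPC endpoint with both token-passing forms.
Added example; ZABBIX_URL and API_TOKEN are placeholders, not real values."""
import json
import urllib.request

ZABBIX_URL = "http://zabbix.example.invalid/api_jsonrpc.php"  # placeholder
API_TOKEN = "REPLACE_WITH_API_TOKEN"                          # placeholder


def build_request(url, token, method, params, use_bearer, req_id=1):
    """Return (headers, body) for one JSON-RPC call.
    use_bearer=True: token only in the Authorization header (6.4 documented way).
    use_bearer=False: token only in the deprecated top-level "auth" member."""
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    headers = {"Content-Type": "application/json"}
    if use_bearer:
        headers["Authorization"] = "Bearer " + token
    else:
        body["auth"] = token
    return headers, json.dumps(body).encode()


def classify_response(raw):
    """Map a JSON-RPC reply to 'ok', 'not_authorized' or 'error'.
    The reply quoted in this issue is code -32602 with data "Not authorized."."""
    reply = json.loads(raw)
    if "result" in reply:
        return "ok"
    err = reply.get("error", {})
    if err.get("code") == -32602 and "Not authorized" in str(err.get("data", "")):
        return "not_authorized"
    return "error"


def probe(url, token, send):
    """Run host.get both ways. send(url, headers, body) -> bytes is injectable
    so the same logic can be exercised against a fake server."""
    results = {}
    for label, bearer in (("bearer", True), ("auth_param", False)):
        headers, body = build_request(
            url, token, "host.get", {"output": ["hostid", "host"]}, bearer)
        results[label] = classify_response(send(url, headers, body))
    return results


def http_send(url, headers, body):
    """Real transport: plain POST; Zabbix answers JSON-RPC errors with HTTP 200."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print(probe(ZABBIX_URL, API_TOKEN, http_send))
```

      A server behaving as reported here yields `{'bearer': 'not_authorized', 'auth_param': 'ok'}`; a server that honours the documented header yields `ok` for both.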

            Assignee: Martins Valkovskis (martins-v)
            Reporter: Robin Roevens (robinr)
            Team: Team A
            Votes: 10
            Watchers: 17