Unable to POST with OAuth1 Authentication

  • Goal: POST data to NetSuite's REST API using OAuth1 authentication

  • Steps: I've configured the API as a resource in our account and provided all the needed variables for OAuth1 authentication to work.

  • Details: I confirmed the auth works by making a number of GET requests to the API, but when I try to do a POST request, I get a 401 Unauthorized error. I've tried the exact same request in Postman, with the same credentials and payload, and it is successful, so it isn't a permissions issue.
    I can't do much else by way of debugging, but it would seem like there might be an issue with the way Retool generates the signature base string which would change based on the method. I've seen some references to the order of the values in the auth header, but again, the fact that it works for GET but not POST makes that seem less likely to be the issue.


Can you share some screenshot of your resource config and query? (Feel free to scrub any sensitive information from the screenshot)

Sure, though there really isn't much to it, it's all environment vars.

I tested it using webhook.site and everything looked right, but NetSuite says invalid login attempt no matter what when issuing a POST call. Particularly strange because GET works, so something in the creation of the Auth string is breaking when it's a post, and the only thing I can find that changes is the signature base string.

I have a temporary workaround now where I've created a second resource with no authentication, I call that inside a function in my workflow and have implemented my own OAuth1 function to create the Authentication string. This allowed me to test more easily against Postman as well because I could control the nonce and timestamp to eventually get them to match. I don't love this because I've had to hardcode keys and secrets in my function and it's going to be harder to maintain, so I'm hoping it just helps figure where the problem is and how to correct it.

There are a couple of things I've found. First, I found this post from @kabirdis stating that OAuth1 currently doesn't support user-based authentication (Nov 22 - Pass xml data to rest api - #2 by Kabirdas).

The OAuth 1.0 flow we offer doesn't support user-based authentication at the moment. A couple other members of the team have been investigating this particular connection with etrade and, unfortunately, we don't have a working solution. It is something the dev team will take a look at and we can let you know here when it's included!

I remember reading somewhere that some requests are sent sandboxed from a different server, resulting in different origin addresses and XSS errors? Otherwise the only other thing I could find is a Stack Overflow topic where OP was getting this error in Postman, which you actually have working, but there were a couple of replies that I thought could be relevant (postman - Getting 401 from Netsuite REST API - Stack Overflow)

  • realm (your account id, if using a sandbox, make sure the realm looks like 1234567_SB1, with an _ and not a -)

...For me, the role I was assigned to did not have permissions to Rest Web Services in Netsuite.

Appreciate you looking into this! I came across all of those posts as well, but they all differed from my situation a little bit. As you pointed out, I can get it to work in Postman, and the particularly confusing part is that I can get GET requests to work in Retool; it's just POST requests that don't. That led me to believe it could be either a permissions issue or an auth header issue. I ruled out permissions because the same credentials are working in Postman.

So at the moment I can only assume it's the way Retool is creating the Auth header for the POST requests, since the method is part of the signature base string, which is used to generate the oauth_signature part of the header. I can't intercept/override the request to test by modifying the nonce or timestamp though, so I think I need someone from Retool to dig into this more if it's going to get solved.

If anyone else runs into this, my workaround has been to manually create a function to generate the header and call the API. I used a Retool resource for this with no auth, but I might swap it out for a pure fetch call because you can't set the method dynamically when calling a resource, and you need to know the method to generate the appropriate auth header.


I have the exact same problem. GET requests to NetSuite work from Retool, both GET and POST requests working from Postman, POST requests failing from Retool with 401 Unauthorized