Callout Notification Basic Authentication fails

Hello,

 

I've been trying to set up a couple of Callout Notifications from Zuora to the platform we are developing, which has proved successful up until the point we tried to enable "Callout Authentication", where, from the documentation, entering just a Username/Password would enable Basic Authentication.

 

I've tested the endpoint with the corresponding Username/Password manually through Postman (Chrome extension) and directly through cURL and it is successful.

 

However, it always responds with 401 Unauthorized when Zuora does a Callout. Through some debugging it appears that Zuora isn't adding the Authentication header to the request. Is this the expected behaviour?

I'd expect it to generate the standard Authentication header and append it to the request.

 

Regards

-Andrew


Re: Callout Notification Basic Authentication fails

@andrewtownsend we had similar issues when we first started using callouts because our callout target was non-standard (i.e. not RFC compliant), since we had developed it ourselves.

 

The key was that:

  1. Ensure that the callout endpoint is RFC 2617 compliant. Specifically, the callout must return a WWW-Authentication header for 401 status. 

Basically, Zuora expects a compliant initial response from the callout target, or it won't send the credentials to a server that is not "expecting" them.

 

For more details check out: https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Notifications/How_do_I_configure_callout...

 


Re: Callout Notification Basic Authentication fails

I found out the hard way that when there is no suitable Authorization header, it is not sufficient to return

WWW-Authenticate: Basic

You must specify a realm (it really doesn't matter what it is, unless your authentication method cares).  Something like:

WWW-Authenticate: Basic realm="Any"

If you don't include the realm, the callout will not be re-sent with the basic auth header.
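
The challenge/response flow described in the replies above, as an added example that is not code from the thread or from Zuora: a minimal callout receiver that answers an unauthenticated request with `401` plus a `WWW-Authenticate: Basic realm="..."` challenge and accepts the credentialed retry. The credentials, realm value, port, and the names `authorize` and `CalloutHandler` are assumptions made for illustration.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials; load real ones from a secret store.
EXPECTED_USER = "callout-user"
EXPECTED_PASS = "constructed-example-password"
REALM = "Callouts"  # any value works, but per the thread the realm must be present


def authorize(auth_header):
    """Return (status, extra_headers) for a request's Authorization header."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if not auth_header:
        # First, unauthenticated request: reply with the full challenge.
        return 401, challenge
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    user, sep, password = decoded.partition(":")
    # Constant-time comparisons, both always evaluated.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())
    if sep and user_ok and pass_ok:
        return 200, {}
    return 401, challenge


class CalloutHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        status, headers = authorize(self.headers.get("Authorization"))
        self.rfile.read(int(self.headers.get("Content-Length") or 0))  # drain body
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST  # same handling if the callout is configured as GET


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CalloutHandler).serve_forever()
```

Testing with Postman or cURL alone can hide a missing challenge, because those clients send the `Authorization` header on the first request instead of waiting for the `401`.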