Cross-site request forgery and IBM Connections Micro Blog

I was helping a fellow developer create entries in a community’s IBM Connections Microblog.  He was using IBM Connections Cloud and IBM Connections 5.0 and higher.

IBM Connections has built-in protection against Cross-Site Request Forgery (CSRF) and replay attacks for update requests that come from third-party domains: for such requests, valid credentials alone are not enough, the request also has to carry a server-issued nonce.

You can make a POST request to https://apps.na.collabserv.com/connections/opensocial/rest/ublog/urn:lsid:lconn.ibm.com:communities.community:{communityId}/@all and get an HTTP 403 Forbidden response, even though a GET to the same URL succeeds with the same Bearer or Basic Authorization header.

If you run into this issue, add an X-Update-Nonce header to your request.  You get the nonce value with a GET to http://apps.na.collabserv.com/files/basic/api/nonce , sent with the same credentials you use for the POST; the response body is the nonce string.

The request will now succeed and return HTTP 201 Created.
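Here is the two-step flow above written out as an added example; it is not code from the original post or from IBM. The HTTP layer is a pluggable `transport(method, url, headers, body)` callable, so the flow runs offline against a constructed stand-in for the server that behaves the way the post describes (GET works with credentials alone, POST is 403 without a nonce, 201 with one); a `urllib` transport is included for real use. The stand-in server, the credentials, the community id and the JSON body shape `{"content": ...}` are assumptions for illustration, and the simulation treats each nonce as single-use, which is how a nonce defeats replay but should be confirmed against the real server.

```python
"""Added example: nonce-protected POST to the IBM Connections Microblog.

Step 1: GET  /files/basic/api/nonce      -> nonce string in the response body
Step 2: POST .../ublog/<community>/@all  with X-Update-Nonce: <nonce>
"""
import base64
import json
import secrets
import urllib.error
import urllib.request

BASE_URL = "https://apps.na.collabserv.com"


def basic_auth_header(user: str, password: str) -> str:
    """Build a Basic Authorization header value (Bearer tokens work the same way)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def fetch_nonce(transport, auth_header: str) -> str:
    """Step 1: fetch a nonce with the same credentials used for the update."""
    status, _headers, body = transport(
        "GET", f"{BASE_URL}/files/basic/api/nonce",
        {"Authorization": auth_header}, None)
    if status != 200:
        raise RuntimeError(f"nonce request failed: HTTP {status}")
    return body.decode().strip()


def post_microblog_entry(transport, auth_header, community_id, text, nonce=None):
    """Step 2: POST the entry; the nonce header is only sent when one is given."""
    url = (f"{BASE_URL}/connections/opensocial/rest/ublog/"
           f"urn:lsid:lconn.ibm.com:communities.community:{community_id}/@all")
    headers = {"Authorization": auth_header, "Content-Type": "application/json"}
    if nonce is not None:
        headers["X-Update-Nonce"] = nonce
    payload = json.dumps({"content": text}).encode()  # body shape is an assumption
    return transport("POST", url, headers, payload)


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, headers, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


class FakeConnectionsServer:
    """Constructed stand-in for the server side (not IBM's implementation).

    Enforces the behaviour the post describes: credentials alone are enough
    for GET, but a POST is rejected with 403 unless it carries a nonce this
    server issued. Nonces are treated as single-use (assumption) so that a
    replayed request is rejected too.
    """

    def __init__(self, valid_auth: str):
        self.valid_auth = valid_auth
        self.issued = set()
        self.entries = []

    def __call__(self, method, url, headers, body):
        if headers.get("Authorization") != self.valid_auth:
            return 401, {}, b"unauthorized"
        if method == "GET" and url.endswith("/files/basic/api/nonce"):
            nonce = secrets.token_hex(16)
            self.issued.add(nonce)
            return 200, {}, nonce.encode()
        if method == "POST" and "/rest/ublog/" in url:
            nonce = headers.get("X-Update-Nonce")
            if nonce not in self.issued:
                return 403, {}, b"forbidden"
            self.issued.discard(nonce)  # one use per nonce: replay protection
            self.entries.append(json.loads(body)["content"])
            return 201, {}, b""
        return 404, {}, b""


def demo():
    """Run the flow against the stand-in; returns the three POST status codes."""
    auth = basic_auth_header("alice", "s3cret")  # constructed credentials
    server = FakeConnectionsServer(auth)
    no_nonce, _, _ = post_microblog_entry(server, auth, "abc-123", "hello")
    nonce = fetch_nonce(server, auth)
    created, _, _ = post_microblog_entry(server, auth, "abc-123", "hello", nonce)
    replay, _, _ = post_microblog_entry(server, auth, "abc-123", "again", nonce)
    return no_nonce, created, replay  # (403, 201, 403)


if __name__ == "__main__":
    print(demo())
```

To run it against the real service, pass `urllib_transport` instead of the fake server and a real `auth_header`; the only thing that changes between the failing and the working request is the X-Update-Nonce header.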

Simple workaround, and handy to know for ActivityStreams and the Microblog.

3 thoughts on “Cross-site request forgery and IBM Connections Micro Blog”

  1. I added this to my code, but still the 403 is returned.

    I am using OAuth, don’t have basic authentication, or should I use appKey and appSecret as credentials for basic authentication?

    1. Can you add me to the community you are using, and send me the method / parameters you are using for the POST? (Email is probably preferred for that part.)
