Custom Authorizer causes 401 failure from browser/curl #11

zhammer opened this issue Mar 7, 2018 · 1 comment
zhammer commented Mar 7, 2018

I cannot connect to /user-profile after setting up my custom authorizer. All requests from browser or curl result in 401 HTTP failure. API Gateway logs are not verbose enough to diagnose the issue. I've disabled caching and have tweaked parts of the config to see if I can get the request through but have not had any luck.

Oddly, testing the custom authorizer directly through the AWS console test tool works. In this case, the custom-authorizer is invoked and the request is authorized. However, on requests from browsers or cURL, the custom-authorizer lambda is never invoked (as per my checking the logs).

Would appreciate some help on this. Has been a big blocker for moving forward in this book. Here's a thread on the AWS forums discussing the issue, but no solution has been posted: https://forums.aws.amazon.com/thread.jspa?threadID=264196.

Browser OPTIONS request (succeeds)

-General-
Request URL:https://0x24uh9sqk.execute-api.us-east-1.amazonaws.com/dev/user-profile
Request Method:OPTIONS
Status Code:200 
Remote Address:13.33.74.102:443
Referrer Policy:no-referrer-when-downgrade

-Response Headers-
access-control-allow-headers:Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
access-control-allow-methods:GET,OPTIONS
access-control-allow-origin:*
content-length:0
content-type:application/json
date:Wed, 07 Mar 2018 16:09:03 GMT
status:200
via:1.1 bc6981f82440e44448ee5dd3577bf4f4.cloudfront.net (CloudFront)
x-amz-cf-id:ts3K2BoHctXUz_sjCNvWa-dmqjPclPio4XoqkNam-ynxGAIQu5LtMA==
x-amzn-requestid:db18a291-2221-11e8-bc27-f7bd3aa6dba6
x-cache:Miss from cloudfront

-Request Headers-
:authority:0x24uh9sqk.execute-api.us-east-1.amazonaws.com
:method:OPTIONS
:path:/dev/user-profile
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, br
accept-language:en
access-control-request-headers:authorization
access-control-request-method:GET
origin:http://127.0.0.1:8100
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Browser GET request (fails 401)

-General-
Request URL:https://0x24uh9sqk.execute-api.us-east-1.amazonaws.com/dev/user-profile
Request Method:GET
Status Code:401 
Remote Address:13.33.74.102:443
Referrer Policy:no-referrer-when-downgrade

-Response Headers-
content-length:26
content-type:application/json
date:Wed, 07 Mar 2018 16:09:04 GMT
status:401
via:1.1 bc6981f82440e44448ee5dd3577bf4f4.cloudfront.net (CloudFront)
x-amz-cf-id:hqwVmcSV4AIzqEVAWtKkzBMX1PoflDjtTrw25BjzAoCoIlodr_QAgQ==
x-amzn-errortype:UnauthorizedException
x-amzn-requestid:db1c7368-2221-11e8-824f-8ba7016060e7
x-cache:Error from cloudfront

-Request Headers-
:authority:0x24uh9sqk.execute-api.us-east-1.amazonaws.com
:method:GET
:path:/dev/user-profile
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, br
accept-language:en
authorization:Bearer ***mUuZ
origin:http://127.0.0.1:8100
referer:http://127.0.0.1:8100/
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

AWS test authorizer (policy)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "allow",
      "Resource": "arn:aws:execute-api:us-east-1:550212734867:0x24uh9sqk/null/GET/"
    }
  ]
}

AWS test authorizer (log)

Execution log for request test-request
Wed Mar 07 16:09:34 UTC 2018 : Starting authorizer: pylynn for request: test-request
Wed Mar 07 16:09:34 UTC 2018 : Incoming identity: ***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************cQmUuZ
Wed Mar 07 16:09:34 UTC 2018 : Endpoint request URI: https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:550212734867:function:custom-authorizer/invocations
Wed Mar 07 16:09:34 UTC 2018 : Endpoint request headers: {x-amzn-lambda-integration-tag=test-request, Authorization=*******************************************************************************************************************************************************************************************************************************************************************************************************a1ca47, X-Amz-Date=20180307T160934Z, x-amzn-apigateway-api-id=0x24uh9sqk, Accept=application/json, User-Agent=AmazonAPIGateway_0x24uh9sqk, X-Amz-Security-Token=AgoGb3JpZ2luEJz//////////wEaCXVzLWVhc3QtMSKAAgVCzhSjc2yH1LAC67+VR4mSHlNUTmV4z3f6Qr7A5hbVGMRWtZPkB3/XyipQm/YSGgcvQA/gwaBr029TbREln3wpmIKjws4pj7N40XHfyhb+5erPbj3NzPmKv4B0EcaukgqebsdszNonVHJaY8xg3AvlQE5Y3gJJuGF/pj2ECBrgK6MI0v1TcOPyCXayH7VSiPXKyTtmGW6cPna3O0AF1uXmc7tNI+NpjIR//o3ZThPLVbvij/LpBLhx0gUh5/+vxrvvywRxIg9BqioBRKHBbJh2JWIueAXxgc4GNrhTVASjqH3vYKVg+UhK9iF+2PJ5trc1Z2J0419Anz4+egm6DC8qiQIIkf//////////ARAAGgw1NTAyMTI3MzQ4NjciDE+/m0P+MlN38lC14yrdAeOd2iAef+mb+2M0MfdVDwfCzr2AClG6U8MK [TRUNCATED]
Wed Mar 07 16:09:34 UTC 2018 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:us-east-1:550212734867:0x24uh9sqk/null/GET/","authorizationToken":"Bearer ****mUuZ"}
Wed Mar 07 16:09:34 UTC 2018 : Sending request to https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:550212734867:function:custom-authorizer/invocations
Wed Mar 07 16:09:35 UTC 2018 : Authorizer result body before parsing: {"principalId":"user","policyDocument":{"Version":"2012-10-17","Statement":[{"Action":"execute-api:Invoke","Effect":"allow","Resource":"arn:aws:execute-api:us-east-1:550212734867:0x24uh9sqk/null/GET/"}]}}
Wed Mar 07 16:09:35 UTC 2018 : Using valid authorizer policy for principal: **er
Wed Mar 07 16:09:35 UTC 2018 : Successfully completed authorizer execution

Logs from the browser requests:

Cloudwatch API Gateway OPTIONS log

(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Verifying Usage Plan for request: db18a291-2221-11e8-bc27-f7bd3aa6dba6. API Key: API Stage: 0x24uh9sqk/dev
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) API Key authorized because method 'OPTIONS /user-profile' does not require API Key. Request will not contribute to throttle or quota limits
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Usage Plan check succeeded for API Key and API Stage 0x24uh9sqk/dev
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Starting execution for request: db18a291-2221-11e8-bc27-f7bd3aa6dba6
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) HTTP Method: OPTIONS, Resource Path: /user-profile
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request path:
{}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request query string:
{}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request headers: {Accept=*/*, CloudFront-Viewer-Country=US, CloudFront-Forwarded-Proto=https, CloudFront-Is-Tablet-Viewer=false, origin=http://127.0.0.1:8100, CloudFront-Is-Mobile-Viewer=false, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36, X-Forwarded-Proto=https, CloudFront-Is-SmartTV-Viewer=false, Host=0x24uh9sqk.execute-api.us-east-1.amazonaws.com, Accept-Encoding=gzip, deflate, br, access-control-request-method=GET, X-Forwarded-Port=443, X-Amzn-Trace-Id=Root=1-5aa00e9f-ecf807d2e914908483ef1fc2, Via=2.0 bc6981f82440e44448ee5dd3577bf4f4.cloudfront.net (CloudFront), access-control-request-headers=authorization, X-Amz-Cf-Id=UwM4w5MyClZq-A1OG2eVO2zZl7vIWycdi9Oczf642w5TryQLNmP08A==, X-Forwarded-For=173.56.28.23, 52.46.46.89, Accept-Language=en, CloudFront-Is-Desktop-Viewer=true}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request body before transformations:
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Received response. Integration latency: 0 ms
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Endpoint response body before transformations:
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Endpoint response headers:
{}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method response body after transformations:
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method response headers: {Access-Control-Allow-Origin=*, Access-Control-Allow-Methods=GET,OPTIONS, Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Content-Type=application/json}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Successfully completed execution
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method completed with status: 200

Cloudwatch API Gateway GET log

(db1c7368-2221-11e8-824f-8ba7016060e7) Unauthorized request: db1c7368-2221-11e8-824f-8ba7016060e7

zhammer commented Mar 7, 2018

Created a thread on forums.aws.amazon.com: https://forums.aws.amazon.com/thread.jspa?threadID=275334.
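
An added example, not part of the issue thread and not AWS or project code: API Gateway's documentation describes a TOKEN authorizer request being rejected with 401 before the Lambda runs when the configured identity source header is missing or empty, or when the token fails the optional token validation expression. The sketch below models those two checks against a constructed request shaped like the failing GET above; the config field names, the placeholder ARN and the token value are assumptions, and it is not a diagnosis of this issue.

```javascript
// Model of the documented pre-invocation checks for a TOKEN authorizer.
// Not AWS code; the config field names below are hypothetical.
function preAuthorize(headers, config) {
  // HTTP header names are case-insensitive, so compare in lower case.
  const wanted = config.identitySourceHeader.toLowerCase();
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === wanted);
  const token = entry ? String(entry[1]).trim() : '';

  if (!token) {
    return { invokeLambda: false, status: 401, reason: 'identity source header missing or empty' };
  }
  if (config.validationRegex && !new RegExp(config.validationRegex).test(token)) {
    return { invokeLambda: false, status: 401, reason: 'token does not match validation expression' };
  }
  // Only now is the Lambda called, with an event shaped like the one in the test log.
  return {
    invokeLambda: true,
    event: { type: 'TOKEN', methodArn: config.methodArn, authorizationToken: token },
  };
}

// Constructed request modelled on the failing GET (token value is a placeholder).
const browserGet = {
  authorization: 'Bearer header.payload.signature',
  origin: 'http://127.0.0.1:8100',
};
const methodArn = 'arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/dev/GET/user-profile'; // placeholder

// Four hypothetical authorizer configurations to compare.
const cases = {
  matching: { identitySourceHeader: 'Authorization', methodArn },
  wrongHeader: { identitySourceHeader: 'AuthorizationToken', methodArn },
  strictRegex: { identitySourceHeader: 'Authorization', validationRegex: '^[A-Za-z0-9_.-]+$', methodArn },
  bearerRegex: { identitySourceHeader: 'Authorization', validationRegex: '^Bearer [A-Za-z0-9_.-]+$', methodArn },
};

function runCases() {
  const out = {};
  for (const [name, cfg] of Object.entries(cases)) out[name] = preAuthorize(browserGet, cfg);
  return out;
}

for (const [name, result] of Object.entries(runCases())) {
  console.log(name, result.invokeLambda ? 'Lambda invoked' : `401: ${result.reason}`);
}
```

In the two rejected cases no authorizer invocation would be logged, so the check to make is the authorizer's configured identity source and validation expression rather than the Lambda code.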
