We are using Identity Server4 with .NET Core and deploy the application as AWS Serverless lambda function. When are calling the token endpoint to generated access token we got the following error message:
{ "message": "Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=Basic Y2xpZW50OnNlY3JldA=="
}
Here is our ConfigurationServices method in Identity Server application:
public void ConfigureServices(IServiceCollection services) { services.AddSingleton<IConfiguration>(Configuration); //connection string string connectionString = Configuration.GetConnectionString("IdentityServer"); var rsaProvider = new RSACryptoServiceProvider(2048); SecurityKey key = new RsaSecurityKey(rsaProvider); var credentials = new Microsoft.IdentityModel.Tokens.SigningCredentials (key, SecurityAlgorithms.RsaSha256Signature); var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name; services.AddIdentityServer() .AddSigningCredential(credentials) // this adds the config data from DB (clients, resources) .AddConfigurationStore(options => { options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly)); }) // this adds the operational data from DB (codes, tokens, consents) .AddOperationalStore(options => { options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly)); // this enables automatic token cleanup. this is optional. options.EnableTokenCleanup = true; options.TokenCleanupInterval = 30; }); // Add S3 to the ASP.NET Core dependency injection framework. services.AddAWSService<Amazon.S3.IAmazonS3>(); }
Here is our client application that calling identity server's token endpoint to generate token:
[HttpGet] public async Task<IActionResult> Get(string client, string secret) { IActionResult result = null; //discover endpoints from metadata //var disco = await DiscoveryClient.GetAsync("http://localhost:3000/"); var disco = await DiscoveryClient.GetAsync("hide for security reasons/"); if (disco.IsError) { result = NotFound(disco.Error); return result; } //request token var tokenClient = new TokenClient(disco.TokenEndpoint, client, secret); var tokenResponse = await tokenClient.RequestClientCredentialsAsync(scope: "sup"); if (tokenResponse.IsError) { result = NotFound(tokenResponse.Error); } result = Ok(tokenResponse.Json); return result; }
It is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic, followed by a space and a base64-encoded(non-encrypted) string username: password. For example, to authorize as username / Pa$$w0rd the client would send.
The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource. The Authorization header is usually, but not always, sent after the user agent first attempts to request a protected resource without credentials.
For a Lambda authorizer of the REQUEST type, API Gateway passes request parameters to the authorizer Lambda function as part of the event object. The request parameters include headers, path parameters, query string parameters, stage variables, and some of request context variables.
Description. AWS4-HMAC-SHA256. The algorithm that was used to calculate the signature. You must provide this value when you use AWS Signature Version 4 for authentication. The string specifies AWS Signature Version 4 ( AWS4 ) and the signing algorithm ( HMAC-SHA256 ).
Just in case someone else makes their way here, this happened to me because I had a typo in the path of my URL.
When I corrected my typo, everything worked for me.
Mini context: I was confused because I was using a Lambda authorizer for my API Gateway resource, and I didn't even see anything hitting the Cloudwatch logs for that Lambda.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With