Colin-b / httpx_auth

Authentication classes to be used with httpx
MIT License

httpx_auth above v0.20.0 Results in a 403 Forbidden error on AWS API Gateway `execute-api` service with AWS Signature Version 4 auth #91

Open amruthvvkp opened 4 months ago

amruthvvkp commented 4 months ago

I am having an issue with my Python client making requests to an AWS API Gateway endpoint through HTTPX with HTTPX_AUTH AWS Signature Version 4. While version 0.19.0 of httpx_auth works correctly, any version above that results in a 403 Forbidden error.

The error message indicates that the AWS signature you are providing does not match what AWS is expecting. The message also helpfully provides the canonical string and string to sign that AWS generated based on your request.

The changelog for httpx_auth shows that between version 0.19.0 and 0.20.0 there was a significant overhaul of the AWS4Auth implementation to adhere more closely to the AWS documentation. This change may be the cause of the incompatibility you are experiencing.

HTTPx version: v0.27.0, HTTPx_AUTH version: ^v0.20.0 - Results in a 403 Forbidden error

HTTPx version: v0.26.0, HTTPx_AUTH version: v0.19.0 - Works just fine

Snippet of the error:

```
2024-04-12 16:51:02.768 | ERROR | Client error '403 Forbidden' for url 'https://xxxx' Response: {'message': "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/xxx\n\nhost:xxx\nx-amz-content-sha256:xxxxx\nx-amz-date:20240412T155102Z\nx-amz-security-token:xxxx\n\nhost;x-amz-content-sha256;x-amz-date;x-amz-security-token\nexxxxx'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\nxxxxxxxxx/<region>/execute-api/aws4_request\n262xxx'\n"} For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
```

I've tried including headers when making requests with httpx_auth v0.22.0, resulting in a similar error. I am calling the service execute-api on AWS API Gateway.

Colin-b commented 4 months ago

Hello @amruthvvkp

In order to spot what part is not generated properly, could you compare the expected AWS canonical string and string to sign to the one we generate?

You can put a breakpoint at the following line to see the relevant variables we generate: https://github.com/Colin-b/httpx_auth/blob/ffa0458db37f95e7a49c062594f9aa59171aeb17/httpx_auth/_aws.py#L90

Thanks again
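
The comparison requested above, as an added example that is not part of the issue thread or of httpx_auth's code: it pulls the canonical string and string-to-sign out of the 403 message and reports the first line that differs from a locally built SigV4 canonical request. The host, region, path, token and the extra `Accept` header are constructed sample values chosen to force a mismatch, not a diagnosis of this issue.

```python
import hashlib
import re

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

def canonical_request(method, path, query, headers, payload_hash):
    """SigV4 canonical request; path and query must already be URI-encoded."""
    items = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    return "\n".join([method, path, query, canonical_headers, signed_headers, payload_hash])

def string_to_sign(amz_date, region, service, canon):
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(canon.encode()).hexdigest()])

def parse_aws_403(message):
    """Pull the canonical string and string-to-sign out of the 403 'message' field."""
    canon = re.search(r"Canonical String for this request should have been\n'(.*?)'\n\n"
                      r"The String-to-Sign", message, re.S)
    sts = re.search(r"String-to-Sign should have been\n'(.*?)'\n", message, re.S)
    return canon.group(1), sts.group(1)

def first_mismatch(ours, theirs):
    """Return (line_number, our_line, aws_line) at the first difference, else None."""
    a, b = ours.split("\n"), theirs.split("\n")
    for i in range(max(len(a), len(b))):
        x, y = (a[i] if i < len(a) else None), (b[i] if i < len(b) else None)
        if x != y:
            return i + 1, x, y
    return None

# Constructed sample values (the values in the issue are redacted).
DATE, REGION, SERVICE = "20240412T155102Z", "eu-west-1", "execute-api"
AWS_HEADERS = {"Host": "example.execute-api.eu-west-1.amazonaws.com", "X-Amz-Date": DATE,
               "X-Amz-Content-Sha256": EMPTY_SHA256, "X-Amz-Security-Token": "EXAMPLETOKEN"}
AWS_CANON = canonical_request("GET", "/prod/items", "", AWS_HEADERS, EMPTY_SHA256)
AWS_MESSAGE = ("The Canonical String for this request should have been\n"
               f"'{AWS_CANON}'\n\nThe String-to-Sign should have been\n"
               f"'{string_to_sign(DATE, REGION, SERVICE, AWS_CANON)}'\n")
# Constructed client-side variant that signs one extra header, to force a mismatch.
CLIENT_CANON = canonical_request("GET", "/prod/items", "",
                                 {**AWS_HEADERS, "Accept": "*/*"}, EMPTY_SHA256)

if __name__ == "__main__":
    expected_canon, expected_sts = parse_aws_403(AWS_MESSAGE)
    print(first_mismatch(CLIENT_CANON, expected_canon))
    print(first_mismatch(string_to_sign(DATE, REGION, SERVICE, CLIENT_CANON), expected_sts))
```

A difference in the canonical request always surfaces as a different hash on the last line of the string-to-sign, so compare the canonical request first.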