Closed suibinz closed 7 years ago
I'm not sure what exactly is happening, but I created another quickstart that will help you out: https://github.com/awslabs/serverless-photo-recognition
Run the setup script -- that will create everything (the Cognito UP, API Gateway, etc). It will also print out the curl command that you can use with a sample user that's auto-created (the curl is hitting the API Gateway endpoint, with the JWT ID token).
Try it out.
This issue does seem to originate from CloudFront. Here is the returned header:
content-length → 1872
content-type → application/json
date → Fri, 10 Mar 2017 03:55:31 GMT
status → 403
via → 1.1 69ecfaf49062e67077b5f6c4aaf1881f.cloudfront.net (CloudFront)
x-amz-cf-id → Q4hNxFePguPJzH0sSsGnLpk8QRvqkVpqwyji7vo2HvG08KNOfRNMzQ==
x-amzn-errortype → IncompleteSignatureException
x-amzn-requestid → 68133183-0545-11e7-9b51-cb715f7a3e96
x-cache → Error from cloudfront
Question is how to get around it - not sure!
Have you tried setting up the serverless-photo-recognition project and running the curl command that the setup script creates?
I have not tried the new lab. But the fundamental question is how to use Author token to authenticate to API gateway. Either I am not using it right (putting the token as Authorization Bearer in the header), or AWS is not supporting it.
Will look into the new lab soon.
On Mar 9, 2017 7:58 PM, "Vladimir Budilov" notifications@github.com wrote:
Have you tried setting up the serverless-photo-recognition?
The serverless-photo-recognition project creates all of the resources for you, including Cognito and API Gateway, and generates a curl command for you. So once you run the setup script you will get your answer -- it cannot get better than that :)
Close enough for a piggyback question (apologies for the misuse in advance) I have this same question, minus the cognito component.
I see that the sample @vbudilov created uses:
aws cognito-idp admin-initiate-auth --user-pool-id us-east-1_AEzYFK4mc --client-id 734810igh3bfdj4n33tfm9o08s --cli-input-json file:///tmp/authflow.json --query AuthenticationResult.IdToken --output text
to generate the auth header, which is what I need in a literal format.
My test was:
%> curl -X PUT -H "Authorization: Bearer: blah.blargh.foo" "https://<url>?params"
and I'm seeing the same message:
{message: "...not a valid key=value pair (missing equal-sign) in Authorization header..."
@bedge did you ever get a solution to this? I'm having the same problem. As a side note it works perfectly using the TEST feature in the AWS Console, but passing the exact same headers with Curl and/or Postman results in "not a valid key=value pair"
No, sorry, I never did resolve this. Got shelved for now. I'm still interested in a solution.
Neither did I. There were some issues pointing to CloudFront, but I never got down to digging deeper.
On Wed, Aug 16, 2017 at 5:06 PM, Bruce Edge notifications@github.com wrote:
No, sorry, I never did resolve this. Got shelved for now. I'm still interested in a solution.
I am facing the same problem now. Keep an eye on this thread
This issue exists in api-gateway http delete regardless of whether you use cognito or a custom api-gateway authorizer.
I forgot to deploy my api, try that? apigw needs some serious ux
Hey guys, I've seen this issue in one of my apis, in my case it was because I forgot to create a resource with a path variable.
In my case I was trying to access https://my-api-gateway/my-stage/users/123
and my API gateway had the following setup:
/ (root)
  /users (resource)
    - method (GET)
After I edited my api gateway in the following way the problem was solved:
/ (root)
  /users (resource)
    /{id} (resource)
      - method (GET)
This is also true if you have a /{proxy+} set up. Make sure you are calling https://my-api-gateway/my-stage/something
The "something" will map the request into the proxy. Calling https://my-api-gateway/my-stage/ will not.
Just want to leave a note here for the next person; same issue as other posters. I accidentally added a trailing slash in my request, which did not exist in serverless.yml :(
Also worth noting that API Gateway is case-sensitive and will return this error when the path's case doesn't match. It will also throw this when the method (GET, POST, etc) is not defined on the API.
I'd also like to add a note here… I had a similar issue, turned out when I copied the Access key ID from AWS Console I somehow got a newline at the start. When I pasted that into my secrets store, it saved it with a newline. Took me a while to figure that out, but it was adding a \n to the Access key ID being used in requests and it resulted in the IncompleteSignatureException: '…' not a valid key=value pair (missing equal-sign) in Authorization header error message.
That error will return for any invalid endpoints. So if your endpoint is e.g. /users/{userid} and you try to use /users you'll get the error. You'll get it for anything that doesn't exist, so /monkeys will also return that error.
I'm trying to figure out how to get a 400 Bad Request instead of the auth header error.
@matthart-com It's not pretty but you can set Gateway Responses → Missing Authentication Token to return that.
I was getting the same error message when using "{proxy+}" in my path.
Turns out when doing this, you also need to add a root path.
viz.,
Type: AWS::Serverless::Function
Properties:
  Events:
    ProxyResource:
      Type: Api
      Properties:
        RestApiId: ...
        Path: /{proxy+}
        Method: ANY
    RootResource:
      Type: Api
      Properties:
        RestApiId: ...
        Path: /
        Method: ANY
tagging @crwgregory
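The routing causes reported in the replies above (a missing path-variable resource, /{proxy+} not covering the stage root, a trailing slash, path case, an undefined method) can be checked offline before suspecting the token itself. The following is an added example, not code from this thread or from AWS; the route table, the diagnose function and its matching rules are a simplified, hypothetical model built only from what the posters describe.

```python
# Added example: simplified model of REST API route matching, built from the
# causes reported in this thread. It is not API Gateway's real implementation.

# Constructed sample API: (path template, set of methods defined on it).
ROUTES = [
    ("/users", {"GET"}),
    ("/users/{id}", {"GET"}),
    ("/files/{proxy+}", {"ANY"}),
]


def _segments(path):
    # Keep a trailing empty segment so "/users/" differs from "/users".
    return path.split("/")[1:]


def _template_matches(template, path):
    t, p = _segments(template), _segments(path)
    for i, seg in enumerate(t):
        if seg == "{proxy+}":
            # Greedy variable: needs at least one non-empty segment here.
            return len(p) > i and p[i] != ""
        if i >= len(p):
            return False
        if seg.startswith("{") and seg.endswith("}"):
            if p[i] == "":  # a path variable cannot be empty
                return False
        elif seg != p[i]:  # literal segments compare case-sensitively
            return False
    return len(t) == len(p)


def diagnose(method, path, routes=ROUTES):
    """Return 'ok' or the likely routing cause of the misleading 403."""
    hits = [m for tpl, m in routes if _template_matches(tpl, path)]
    if any(method in m or "ANY" in m for m in hits):
        return "ok"
    if hits:
        return "method not defined on resource"
    stripped = path.rstrip("/")
    if path != "/" and path.endswith("/") and diagnose(method, stripped, routes) == "ok":
        return "trailing slash"
    if path != path.lower() and diagnose(method, path.lower(), routes) == "ok":
        return "path case mismatch"
    return "no matching resource"
```

Feed it the method and path from the failing request (the part after the stage name) together with the resources actually deployed; any result other than "ok" points at routing rather than at the JWT.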
My scenario is a simple API gateway to talk to DDB. Cognito is used to authenticate users. With authorization disabled, everything works fine.
I use this quick start to get a JWT token and connect to my user pool. That works fine. The ID token can be verified with API Gateway Authorizer. But if I use the token to "curl -H "Authorizer Bearer [token]" for a simple GET, I am getting:
{message: "...not a valid key=value pair (missing equal-sign) in Authorization header..."
Questions are in a few folds: 1) some forums vaguely indicate that being an issue with CloudFront handling the http header and that it is not a feature supported by CF - that cannot be true, can it - it is a simple common use case? 2) interestingly, if I use the api gateway built-in "Test" (Request Method being set with Authorizer), it seems that the test is not going through the Cognito Authorizer - i.e. without passing the token, I am still getting the 200 response. Why is that? 3) which JWT token (access or id) should be used for Cognito?