as the title already implies my RestAPI does not forward the user information of the authorized client to my lambda function. I tried with a rust lambda function (see the issue here), but it turned out, a nodejs implementation has the same problem. I have posted my cdk setup in the above issue and i bet there is a configuration mistake i made, but just cannot find.
I checked that you need to be authroized in the first place (which works, as the gateway returns "unauthorized" in that case). But whatever i tried so far, the context.identity field is always empty/null.
Any help appreciated!
Related
I'm creating an Axios call to an API hosted on APIGateway with no Authorizer etc. I'm able to access the lambda via a direct postman request and also on the service lambda when it's ran in offline mode, such as:
https://localhost:3000/my/api
However when i run it on the dev stage:
12345.execute-api.eu-west-1.amazonaws.com/my/api
I'm getting a a 403: Forbidden error thrown back.
I've seen comments from other posts where they needed to append the staging environment at the end of the request but this isn't the case in this instance as it's just creating a default endpoint and all other lambdas within this service can be hit when ran on dev, it's just this one that makes a call to another APIGateway API.
The calling API is behind an authorizer with a wildcard policy so should allow all traffic and I'd like to reiterate, it works on both localhost and a direct call to the invoked api.
I'm wondering if it's something to do with the policies attached to it but I've set them all to be wildcarded as well so it should allow everything.
Any ideas would be really helpful, I've been wracking my brains over this all day.
Edit: The authorizer has no policy denying access to the API, same as the resource policy.
There are two common reasons why an API Gateway REST API with a Lambda authorizer returns a 403 error:
The Lambda authorizer function returns an AWS Identity and Access Management (IAM) policy document that explicitly denies access to the caller.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html
The second reason will be, The API has an attached resource policy that explicitly denies access to the caller.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
If both are in place, please update the question with those details.
I need to authenticate a webhook post from a third party integration on my backend api server. The only thing I can define is the endpoint url they will call. It can't be dynamic once they have to register and the process takes 3 days. And we use a multi-tenant solution, so we have to authenticate with different schema on every call.
So the problem is that I have to create a filter for this webhook, so I can authenticate it through a value contained in the json of a post body.
So I defined a WebSecurityConfigurerAdapter and added a AbstractPreAuthenticatedProcessingFilter so I can intercept the request, read the value in the json body authenticated with the appropriate credentials.
I follow this tutorial Reading HttpServletRequest Multiple Times in Spring so I could be able to read InputStream from the request without erase it.
So my question about it are two.
1: Is there a better/easy approach so I can archive this result?
2: I guess this tutorial are missing something, because I'm getting null pointer at servlet when try to read the request (again, after I have already read at the filter).
Any guess would be appreciated, thanks in advance.
Are we allowed to know which 3rd party service?
PayPal/Stripe for example have docs already to explain how to verify the data.
If you can add metadata/custom fields to the webhook, you could sign it for example.
As far as checking the signature/verifying it, why not do this in the #Contoller=>#Service?
been trying to figure this out forever, and I don't think it's supposed to be that complex...
I have an AzureAD setup with an OAuth2 Connection that I want to point to Cognito so that I can authenticate users in the User Pool, get a token back and call AppSync APIs, etc. Important note here, I cannot use Amplify in the current situation.
I have configured my App Client as follows:
The ngrok URLs are because I'm working on a cloud based app that needs tunneling. I have multiple URLs in there in the hope that I'd get one that works, to no avail.
To configure the OAuth2 Connection in Azure, I'm asked for 3 URLs,
authorize, token and refresh.
Here are the values I put into these fields
When I initiate the auth process with this connection, I get the redirect_mismatch error. I have no idea why. When I open the HostedUI, it shows up just fine, but it points to login instead of authorize. The redirect_uri, however, is localhost:3000/ as seen at the end of the address bar.
Clearly, I'm missing something, but I have no idea what. Should there be additional parameters in the config of my URLs on Azure's side? Anyone ever connected the two in this way? The company insists on this flow, and I just can't wrap my head around it.
Any and all help apreciated, thank you.
NOTE: There is a possibility to configure a custom OAuth2 connection on the side of Azure with more parameters, should this be the way? I do not, however, know what to put in these extra fields.
In the case of a Bot authentication, as it is the case in my situation, in Callback URLs, add the following:
https://token.botframework.com/.auth/web/redirect
This allows to open the authentication window when authenticating your bot.
The scenario is :
I have a Rest api gateway which when triggered invokes a lambda which processes the request and returns the repsonse.
This api endpoint is public.
I have another lambda which will call this API gateway/endpoint and obtain response from it.
Now the queries :
I am directly calling the invoke url of api just like any other api. So is this the right way to do so?
When I put the invoke url in browser address bar, it is giving missing authentication token.
How to actually call the url in calling lambda, i mean how to pass tokens; in Node.js ?
Thanks 😊
Well, the questions are quite wide enough. I'm trying to answer as much as possible.
First, the design you are following of Rest API -> Lambda, it is called 'Integration Type' is 'Lambda function' and use 'Use Lambda Proxy integration'.
Please take a look on the documentation here and an example here
Go through the document I believe you will understand in-out of this model. At high level, this model API Gateway is passing through request and response and you (Lambda) will handle everything.
Question 1:
I am directly calling the invoke url of api just like any other api. So is this the right way to do so?
[Answer] There is nothing wrong with this model. And yes, you can call this API (Lambda proxy) as any Rest API.
Question 2:
When I put the invoke url in browser address bar, it is giving missing authentication token
[Answer] Please check the setting of your API. As the below screen-shot, my api is using Cognito as Authorizer. It means consumers need to provide 'Token' (oAuth2 for example) when calling the API. You can use either Lambda authorizer or Cognito authroizer. It's up to you.
And if you are not requiring any authorizer, you can set it as NONE so there is no authentication token require for your API.
In short, the message you are getting now it means your API is having an 'Authorizer' and you are not sending token along with request.
Question 3:
How to actually call the url in calling lambda, i mean how to pass tokens; in Node.js ?
It is pretty common. You can google it like 'oAuth2 in Node.js', it will give you tons of examples
https://resources.infosecinstitute.com/securing-web-apis-part-ii-creating-an-api-authenticated-with-oauth-2-in-node-js/
https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs
I hope it helps. Otherwise, leave your comments and questions.
Thanks,
I am facing this error sometimes (not always). I create a resource and a method in an API Gateway function. Then I map it to a Lambda function. On testing it there itself, everything works fine.
Now I add a custom authorization function to the method. Now, if I test it there,
If I do not provide the Authorization header, it works (since it is not deployed yet. After deployment, it would require the Auth header)
If I, however, provide the Authorization token, I get the error:
The request signature we calculated does not match the signature you
provided. Check your AWS Secret Access Key and signing method. Consult
the service documentation for details.\n\nThe Canonical String for
this request should have
been\n'POST\n/2015-03-31/functions/arn%3Aaws%3Alambda%3Aus-eas
More details: The lambda function belonging to this method was deleted. Then I re-created the function with the same name. And noticed that the method was deleted when the API was deployed. So I re-created the mapping and mapped it to the Lambda function. Since, then I am facing this issue. I am sure if I change the name of the Lambda, it might fix the issue. But I think it's a bug with AWS and not at my end. Need to clarify if there is anything I am doing wrong ?
It looks like the currently deployed version of the API is forwarding the Authorization header from the method request to the integration request (Lambda). If you are trying to fix the current state of your API, then I suggest removing the Authorization header from the method request, which will also remove it from the integration request. This should fix the Lambda signature errors.
If you're trying to use the custom authorizer on a method, you don't need to set up the Authorization header in the method request. You just need to set the authorizer identity source as 'method.request.header.Authorization'