Authorization header requires 'Credential' parameter
P

7

70

We are using IdentityServer4 with .NET Core and deploy the application as an AWS Serverless Lambda function. When we call the token endpoint to generate an access token, we get the following error message:

    {
        "message": "Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=Basic Y2xpZW50OnNlY3JldA=="
    }

Here is our ConfigureServices method in the Identity Server application:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddSingleton<IConfiguration>(Configuration);

        // connection string
        string connectionString = Configuration.GetConnectionString("IdentityServer");

        // creates a new in-memory 2048-bit RSA key each time this method runs
        var rsaProvider = new RSACryptoServiceProvider(2048);

        SecurityKey key = new RsaSecurityKey(rsaProvider);

        // tokens are signed with RS256 using the key above
        var credentials = new Microsoft.IdentityModel.Tokens.SigningCredentials
              (key, SecurityAlgorithms.RsaSha256Signature);

        var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

        services.AddIdentityServer()
            .AddSigningCredential(credentials)
            // this adds the config data from DB (clients, resources)
            .AddConfigurationStore(options =>
            {
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer(connectionString,
                        sql => sql.MigrationsAssembly(migrationsAssembly));
            })
            // this adds the operational data from DB (codes, tokens, consents)
            .AddOperationalStore(options =>
            {
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer(connectionString,
                        sql => sql.MigrationsAssembly(migrationsAssembly));

                // this enables automatic token cleanup. this is optional.
                options.EnableTokenCleanup = true;
                options.TokenCleanupInterval = 30;
            });

        // Add S3 to the ASP.NET Core dependency injection framework.
        services.AddAWSService<Amazon.S3.IAmazonS3>();
    }

Here is our client application that calls Identity Server's token endpoint to generate a token:

    [HttpGet]
    public async Task<IActionResult> Get(string client, string secret)
    {
        // discover endpoints from metadata
        //var disco = await DiscoveryClient.GetAsync("http://localhost:3000/");
        var disco = await DiscoveryClient.GetAsync("hide for security reasons/");

        if (disco.IsError)
        {
            return NotFound(disco.Error);
        }

        // request token
        var tokenClient = new TokenClient(disco.TokenEndpoint, client, secret);

        var tokenResponse = await tokenClient.RequestClientCredentialsAsync(scope: "sup");

        if (tokenResponse.IsError)
        {
            // return here so the error result is not overwritten by Ok(...) below
            return NotFound(tokenResponse.Error);
        }

        return Ok(tokenResponse.Json);
    }

Prescription answered 19/2, 2018 at 10:40 Comment(2)
Do you have details of the raw request that was sent? - Spinifex
Hi @mackie, issue is fixed. Actually I deployed the Lambda function as a GET HTTP method, but when we call the token endpoint it is actually a POST request. So when I changed the HTTP method of the Lambda function, it's working. :) - Prescription
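Added example, not part of the original post: a model (not AWS's implementation) of the SigV4 check that the quoted message implies, showing why a Basic header produces exactly that text and that the value echoed at the end is a recoverable credential to mask before logging or sharing. All function names are hypothetical.

```python
import base64
import re

SIGV4_PARAMS = ("Credential", "Signature", "SignedHeaders")  # order in the message

def sigv4_complaints(headers):
    """List what a SigV4 parser would find missing in these request headers."""
    auth = headers.get("Authorization", "")
    rest = auth.partition(" ")[2]          # everything after the scheme
    present = {p.split("=", 1)[0].strip() for p in rest.split(",") if "=" in p}
    out = ["Authorization header requires '%s' parameter." % n
           for n in SIGV4_PARAMS if n not in present]
    if not any(h.lower() in ("x-amz-date", "date") for h in headers):
        out.append("Authorization header requires existence of either "
                   "a 'X-Amz-Date' or a 'Date' header.")
    return out

def model_message(headers):
    """Rebuild the error text, including the echoed header value."""
    parts = sigv4_complaints(headers)
    if not parts:
        return ""
    return " ".join(parts + ["Authorization=" + headers["Authorization"]])

def echoed_secret(message):
    """Classify the credential echoed in an error body: 'basic', 'other' or None."""
    m = re.search(r"Authorization=(\S+) (\S+)", message)
    if not m:
        return None
    if m.group(1).lower() == "basic":
        try:
            if b":" in base64.b64decode(m.group(2), validate=True):
                return "basic"             # decodes to id:secret, treat as exposed
        except ValueError:
            pass
    return "other"

def redact(message):
    """Mask the echoed value (assumed to end the message, as in the question)."""
    return re.sub(r"(Authorization=\S+) .*", r"\1 [REDACTED]", message)

# Constructed request headers carrying the Basic value shown in the question.
SAMPLE = {"Authorization": "Basic Y2xpZW50OnNlY3JldA=="}
```
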
D
141

Just in case someone else makes their way here, this happened to me because I had a typo in the path of my URL.

When I corrected my typo, everything worked for me.

Mini context: I was confused because I was using a Lambda authorizer for my API Gateway resource, and I didn't even see anything hitting the CloudWatch logs for that Lambda.

Dorene answered 31/5, 2019 at 20:34 Comment(13)
For me it was because I forgot to deploy before curl'ing - Trinity
You're quite the savior Sir. - Arand
Well I made it here too looking for the same answer. Turns out it was my HTTP verb that was wrong, not the URL. For me later when I forget and google this again... - Podagra
Wish I would have searched for this two hours ago. So much for giving proper message by AWS :| - Augmentative
Reason for my mistake: api.example.com/stage/endpoint is not the URL to use. Instead, the correct URL is api.example.com/endpoint because the stage has been specified in the API mappings. My context is that I am using a custom domain name for my API Gateway endpoint. - Defrayal
Is there a way to configure this error message? - Astronavigation
Me too! Missed a part of the base path. Hey AWS, how about a simple 404 next time, smh. - Crossgarnet
If, like me, none of the above is working, make sure you have clicked Actions > Deploy in the API Gateway resources panel - Pringle
You caught my mistake (I put the URL), thank you. This is a great hint. - Lattice
Honestly, why can't AWS API Gateway just send a normal 404 like every other service?! - Lysol
Many thanks! This answer saved me just in time before I ripped my API gateway out - Elder
I'm laughing my a off so so hard right now. OMG. Yup. I see the typo in my URL as well. So dumb. - Concord
Thanks. Exactly it was my case. That too just because I used a new-line separator ("\") without spacing to the end of the endpoint URL, that effectively joined the URL to the rest of the request! Sigh! - During
H
3

The issue I was having was that the pasted URL included a newline character or some other invisible character mismatch.

Hydrofoil answered 10/1, 2022 at 5:45 Comment(0)
L
1

I encountered this error while trying to curl an endpoint(*):

curl -XGET -u user:password <host-url>

The problem was that I passed wrong credentials.


(*) Side note: I tried to search my Elasticsearch cluster hosted on AWS.

Linus answered 17/10, 2020 at 12:35 Comment(0)
R
0

In my case, I figured out that the URL path is case sensitive in AWS API Gateway.

Hope this answer helps someone stuck in this problem, like me.

Rusk answered 9/2, 2023 at 17:44 Comment(0)
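The answers and comments above name several ways a request can miss every deployed route: wrong HTTP verb, a typo or case difference in the path, a stage segment repeated under a custom domain, and stray characters from pasting. An added example, not from any poster, that checks a request against a constructed route table before it is sent; `DEPLOYED`, `diagnose` and `mapped_stage` are hypothetical names, and the table has to reflect what is actually deployed.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample data: (method, path) pairs of a hypothetical deployed stage.
DEPLOYED = {("POST", "/connect/token"),
            ("GET", "/.well-known/openid-configuration")}

def diagnose(method, url, deployed=DEPLOYED, mapped_stage=None):
    """Return reasons why (method, url) would miss every deployed route.

    mapped_stage (hypothetical parameter): stage already bound by a custom
    domain's API mapping, which therefore must not appear in the path.
    """
    findings = []
    method = method.upper()
    # Pasted URLs can carry newlines, a shell line-continuation backslash,
    # or zero-width/control characters that a terminal does not show.
    stray = {c for c in url if c.isspace() or c == "\\"
             or unicodedata.category(c) in ("Cc", "Cf")}
    if stray:
        findings.append("stray-characters: " + ", ".join(sorted(map(repr, stray))))
        url = "".join(c for c in url if c not in stray)
    path = urlsplit(url).path or "/"
    # Stage segment repeated although the custom-domain mapping supplies it.
    prefix = "/" + mapped_stage if mapped_stage else None
    if (prefix and path.startswith(prefix + "/")
            and (method, path[len(prefix):]) in deployed):
        findings.append("stage-in-path: drop " + prefix)
        path = path[len(prefix):]
    methods = sorted(m for m, p in deployed if p == path)
    if method in methods:
        return findings                      # route and verb both match
    if methods:
        findings.append("wrong-method: route accepts " + ", ".join(methods))
    else:
        # Paths are compared case-sensitively, as the answer above reports.
        near = sorted({p for _, p in deployed if p.lower() == path.lower()})
        findings.append("case-mismatch: did you mean " + near[0] if near
                        else "no-such-route")
    return findings
```

An empty list means the verb and path match a route in the table; it says nothing about whether that route has been deployed to the stage being called.
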
A
0

I recently encountered this same issue! I had configured a Lambda function and connected it to a route (resource) in the API Gateway. However, since my request had a header parameter called "Authorization", I ran into problems ("Authorization header requires 'Credential' parameter") when I tried to hit the route generated by the API Gateway (api.gateway.UrlExample.com/stage/endpoint).

Here's how I solved it: In the AWS console, within the API Gateway's resource screen:

  • Select the resource that's causing the problem.
  • Go to the "Integration Request" tab.
  • Click on Edit.
  • Enable the checkbox for "Lambda Proxy Integration", and you're all set!

Wait for a couple of minutes and try making the request again!

Argonaut answered 29/9, 2023 at 13:14 Comment(0)
L
0

In my case, I forgot to configure authentication in the API Gateway. I updated my API using the Amplify CLI, but it overrode some configurations, such as authentication. After configuring authentication in the API Gateway, it worked well.

Lobeline answered 13/3 at 14:9 Comment(0)
T
-1

If you are using Postman to hit an API Gateway endpoint, you might get this error in Postman. It will occur especially when you try to pass an ID token or access token.

So to fix this, you need to sign your request using AWS-Amplify.

Technical answered 28/7, 2023 at 15:42 Comment(0)
