AWS API Gateway authentication error IncompleteSignatureException using JWT with Auth0

amazon-web-services jwt aws-api-gateway auth0
Ryan Rahlf picture Ryan Rahlf · May 18, 2016 · Viewed 12.5k times · Source

Where I'm At

I'm currently working through setting up Auth0 delegated authentication for AWS API Gateway. I've followed the documentation and tutorials below with the exception that I have an app in place rather than their example apps:

https://auth0.com/docs/quickstart/spa/angular2/aws

https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/

https://auth0.com/docs/client-platforms/angular2

https://auth0.com/docs/integrations/aws-api-gateway/part-2

What is Working

  • Auth0 sign on from my Angular2 app is working correctly and I'm getting a token.
  • Auth0's AuthHttp component is attaching the bearer token to the Authenticate header when I call the AWS API Gateway.

What is Not Working

  • Status 403 response from AWS API Gateway indicating a Cloudfront IncompleteSignatureException; "Authentication header missing equal-sign".

The authentication header is 

Authentication: Bearer edJ0e...[I've truncated for brevity]

Could AWS be expecting a different type of authentication which uses key value pairs? How to I tell AWS API Gateway that it should be looking for a JWT?

Answer

Mark B picture Mark B · May 19, 2016

I'm guessing you have AWS_IAM authentication enabled for your API Gateway endpoint. You need to disable that if you aren't planning to use it. If you plan to use AWS_IAM authentication in addition to JWT then you will have to send the JWT token using a different field.

From part 5 of the Auth0 tutorial you linked:

The final step is to pass the JWT to the method from the browser client. The standard method is with an Authorization header as a bearer token, and you can use this method if you turn off IAM authorization and rely solely upon the OpenID token for authorization (you will also need to map the Authorization header into the event data passed to the AWS Lambda function). If you are using IAM, then the AWS API Gateway uses the Authorization header to contain the signature of the message, and you will break the authentication by inserting the JWT into this header. You could either add a custom header for the JWT, or put it into the body of the message. If you choose to use a custom header, you'll also need to do some mapping for the Integration Request of the POST method

Related questions

Permission denied (publickey) when SSH Access to Amazon EC2 instance

I want to use my Amazon ec2 instance but faced the following error: Permission denied (publickey). I have created my key pair and downloaded .pem file. Given: chmod 600 pem file. Then, this command ssh -i /home/kashif/serverkey.pem ubuntu@…

Read More
Trying to SSH into an Amazon Ec2 instance - permission error

This is probably a stupidly simple question to some :) I've created a new linux instance on Amazon EC2, and as part of that downloaded the .pem file to allow me to SSH in. When I tried to ssh with: ssh …

Read More
Downloading an entire S3 bucket?

I noticed that there doesn't seem to be an option to download an entire S3 bucket from the AWS Management Console. Is there an easy way to grab everything in one of my buckets? I was thinking about making the …

Read More