I have successfully deployed a Policy for JWT authentication and it is indeed returning 401 for missing tokens on the path I've included. But for valid tokens it still returns a 401. I have created the JWKS endpoint and matched up the issuer. I also confirmed the tokens work with the keys from the jwks endpoint outside the cluster.
I just have no visibility into why it might be failing. I have tried the envoy (istio-proxy) logs, but they are just basic access logs. I can see the 401 there, but no more details around what was attempted and why it failed to verify the token.
What else can I do to debug this?
Related
According to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding, we are verifying the JWT claims for an AWS ALB by calling https://public-keys.auth.elb.$region.amazonaws.com/$key-id, but for some reason that always gives a 401 "User not authorized" error. The region is set to be the same as the ALB, and the $key-id is taken from the JWT header (kid).
ALB is configured to authenticate using Okta OIDC and then forward to internal EC2/EKS boxes. The JWT payload is correct. What could cause the 401? This results in an SSL handshake error while trying to access https://public-keys.auth.elb.$region.amazonaws.com/$key-id
According to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding, verifying the JWT claims for an AWS ALB is a simple matter of calling https://public-keys.auth.elb.$region.amazonaws.com/$key-id, but for some reason that always gives a 403 "Access Denied" error. The region is set to be the same as the ALB, and the $key-id is taken from the JWT header (kid). Calling from within the AWS network or from a local computer made no difference.
ALB is configured to authenticate using Okta OIDC and then forward to internal EC2/EKS boxes. The JWT payload is correct. What could cause the 403?
Are you using an org authorization server or a custom authorization server in Okta? (More info on Okta authorization servers here.) JWTs minted by the org authorization server can't be verified locally. See this documentation.
It seems AWS does not support JWT verification in the eu-north-1 region. Works fine elsewhere.
Thanks if anyone can help me. I am building a Cognito user pool + API Gateway solution in AWS. Now the configuration is done, but the token is not working. Here is how I tested:
I used the API endpoint
https://mydomain/login?response_type=token&client_id=5gjg8956um7bf2h5c3fuav1o46&redirect_uri=https://www.example.com
to get a token, here is the result.
I verified the token on https://jwt.io/ and it is decodable. However, when trying to test the token in the test tool in the API Gateway Authorizer, I got a 401 error.
Also, I tried to post the request in Postman as well and the result is also 401, with the following result.
{
"message": "Unauthorized"
}
My take is that if I can get a token through the endpoint, the token must be correct, right? How can I troubleshoot? Thanks.
Now I used the "wild rydes" app to sign in for a token, and that token passes the Authorizer test in API Gateway; the Postman API call also works.
Still, the token generated by "Hosted UI" in the Cognito does not work, as in the original question.
The Cognito authorizer on your API Gateway will accept either the ID token or the access token, depending on whether you specified an OAuth scope on the API Gateway method when adding the authorization.
The Authorizer test on API Gateway will only accept the ID token. So I would suggest checking that you are getting a token from the correct Cognito user pool that matches your API Gateway Cognito authorizer, and then check your API Gateway method to see if you specified an OAuth scope. If you specified a scope, this scope will need to be in the access token sent to API Gateway. If no scope is specified, send the ID token.
The issuer in the tokens from Google is: "accounts.google.com"
But the JWT authorizer config requires an issuer URL with "https://" in front.
That means the Google tokens will never be accepted by the authorizer, since the token's iss claim is missing "https".
Anyone solved this?
If you are using one of the legacy OAuth flows to authorize your app, you may get a token with the issuer above. Make sure to use the OIDC config:
https://accounts.google.com/.well-known/openid-configuration
Then the issuer in the ID token should match the format required by the AWS JWT authorizer (and specified in the OIDC spec).
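As an added example (not code from any of the posts above), a small stdlib-only Python checker that reports the claim and key-id mismatches behind the silent 401s in the Istio question at the top, the ID-token-versus-access-token point in the Cognito answer, and the issuer-scheme mismatch just discussed. It deliberately skips signature verification, which needs the RSA key and a JWT library; the JWKS, issuer URL and kid it uses are constructed placeholders, and only the app client id is the one quoted in the Cognito question.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    """Restore the stripped padding, then decode one JWT segment."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Assemble header.payload.<dummy sig>; only for constructing test input."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "sig"])

def decode_unverified(token: str):
    """Decode header and payload. The signature is deliberately NOT checked."""
    h, p, _sig = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))

def diagnose(token, jwks, expected_iss, expected_client, now, want_access=False):
    """Reasons a verifier (Envoy JWT filter, API Gateway authorizer) would reject the token, signature aside."""
    header, claims = decode_unverified(token)
    problems = []
    kids = [k.get("kid") for k in jwks.get("keys", [])]
    if header.get("kid") not in kids:  # no key to verify with -> bare 401, no detail
        problems.append(f"kid {header.get('kid')!r} not in JWKS kids {kids}")
    if claims.get("iss") != expected_iss:  # exact string match, scheme included
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_iss!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp <= now)")
    want = "access" if want_access else "id"
    use = claims.get("token_use")
    if use != want:
        problems.append(f"token_use {use!r}; verifier expects {want!r}")
    # Cognito carries the app client in aud (ID token) or client_id (access token)
    audience = claims.get("aud") if use == "id" else claims.get("client_id")
    if audience != expected_client:
        problems.append(f"audience {audience!r} != app client {expected_client!r}")
    return problems

# Constructed sample: kid and issuer are placeholders; client id is from the Cognito question.
SAMPLE_JWKS = {"keys": [{"kid": "kid-EXAMPLE-1", "kty": "RSA", "alg": "RS256"}]}
SAMPLE_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_CLIENT = "5gjg8956um7bf2h5c3fuav1o46"
SAMPLE_NOW = 1700000000
SAMPLE_ID_TOKEN = make_unsigned_token({"kid": "kid-EXAMPLE-1", "alg": "RS256"},
    {"iss": SAMPLE_ISS, "aud": SAMPLE_CLIENT, "token_use": "id", "exp": SAMPLE_NOW + 3600})
```

Run `diagnose()` on the token your client actually sends, with the issuer and client id copied from the RequestAuthentication or authorizer configuration; an empty list means the remaining cause is the signature or key itself.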
I have a Serverless backend that implements AWS_IAM authorizer using the serverless framework.
My client is a React application. I am using AWS Cognito to authenticate users and AWS Federated Identities to retrieve temporary credentials for the user.
The user is assuming an IAM Role that has APIGatewayInvokeFullAccess policy attached. I then sign my request using aws4 and make my request using Axios.
To my understanding, I am doing everything right. But, I am still receiving a 403 error on my client request. I even logged the tokens that are being retrieved to the console and used those tokens in postman. When I use postman, the error message says "The security token included in the request is invalid". I have read every doc and tried every possible solution, but I am still unable to debug this error. Any help at all would be incredible.
I am following this guide for the application flow.