x-amzn-ErrorType: IncompleteSignatureException

tommyHicks · September 22, 2023, 10:14am

Hey, I have a APIGW with a Cognito authoriser, endpoint works without the authoriser, when hitting / I get my Hello World! message, however, attaching the authoriser, I get a not a valid key=value pair (missing equal-sign) in Authorization header error, and inspecting the response headers:

x-amzn-ErrorType: IncompleteSignatureException```


Googling this error, it seems it could be related to a number of things, but I wanted to see if you guys have come across this before and maybe point me in the right direction.

johnRichardson · September 22, 2023, 10:32am

where are you seeing that error?

tommyHicks · September 22, 2023, 11:17am

In my response when calling my URL

tommyHicks · September 22, 2023, 12:00pm

https://xxx.execute-api.eu-west-2.amazonaws.com/xxx/

tommyHicks · September 22, 2023, 12:37pm

--header 'Authorization: Bearer xxxx'```

johnRichardson · September 22, 2023, 12:38pm

that probably points to an invalid bearer token being sent

tommyHicks · September 22, 2023, 12:48pm

So I’m using Postman and using the OAuth 2.0 Auth setting to generate a token, this loads up Cognito’s hosted UI where I login and then Postman uses that token, so I’m unsure how it can be incorrect?

tommyHicks · September 22, 2023, 1:25pm

The token itself also appears to be valid.

johnRichardson · September 22, 2023, 1:31pm

how do you know the token is valid?

tommyHicks · September 22, 2023, 2:03pm

Because it’s what AWS’s hosted UI provides (it also provides me with the correct information when decoding it).

johnRichardson · September 22, 2023, 2:52pm

let’s validate that assumption, try out https://jwt.io/ and let me know if it tells you if it is valid

tommyHicks · September 22, 2023, 3:41pm

Yea, that’s what I did and it’s valid:

  "sub": "fa075e19-dage-4r82-1ab1-52d2c5f5f7ed",
  "iss": "<https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_xxxx>",
  "version": 2,
  "client_id": "xxxx",
  "event_id": "d29f5fbd-07e2-4b0e-9f1c-bab295f7e34x",
  "token_use": "access",
  "scope": "openid email",
  "auth_time": 1690305370,
  "exp": 1690308970,
  "iat": 1690305370,
  "jti": "61fbff83-45fe-4448-b315-47cde7e2d466",
  "username": "fa075e19-dage-4r82-1ab1-52d2c5f5f7ed"
}```

johnRichardson · September 22, 2023, 4:09pm

sounds like you might need to file a support ticket

tommyHicks · September 22, 2023, 4:30pm

Strangely :

<https://xxx.execute-api.eu-west-2.amazonaws.com/xxx/account> works (if I configure the Lambda code to accept /account.

but
<https://xxx.execute-api.eu-west-2.amazonaws.com/xxx> doesn’t work and I get that same error.

It’s like it doesn’t work at root level for some reason

johnRichardson · September 22, 2023, 5:11pm

should it work at the top level?

johnRichardson · September 22, 2023, 5:40pm

Do you have a / route defined in your api gateway?

tommyHicks · September 22, 2023, 6:20pm

or aleast the prefix /account set up in Gateway so I can call <http://api.mydomain.com/account|api.mydomain.com/account> in the future and it will load up the lambda.

johnRichardson · September 22, 2023, 6:36pm

and does throwing a trailing / on there work?

johnRichardson · September 22, 2023, 6:44pm

I’d be careful about testing the execute uri directly and directly start testing with the custom domain, there are definitely some gotchas with cognito

tommyHicks · September 22, 2023, 7:04pm

Nope, I tried the / but that also doesn’t work