Authorization header requires 'Credential' parameter

Question

We are using Identity Server4 with .NET Core and deploy the application as AWS Serverless lambda function. When are calling the token endpoint to generated access token we got the following error message:

{
"message": "Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=Basic Y2xpZW50OnNlY3JldA=="

}

Here is our ConfigurationServices method in Identity Server application:

 public void ConfigureServices(IServiceCollection services)
    {
        services.AddSingleton<IConfiguration>(Configuration);

        //connection string
        string connectionString = Configuration.GetConnectionString("IdentityServer");

        var rsaProvider = new RSACryptoServiceProvider(2048);

        SecurityKey key = new RsaSecurityKey(rsaProvider);

        var credentials = new Microsoft.IdentityModel.Tokens.SigningCredentials
              (key, SecurityAlgorithms.RsaSha256Signature);


        var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

        services.AddIdentityServer()
           .AddSigningCredential(credentials)
            // this adds the config data from DB (clients, resources)
            .AddConfigurationStore(options =>
            {
                options.ConfigureDbContext = builder =>
                builder.UseSqlServer(connectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
            }) // this adds the operational data from DB (codes, tokens, consents)
            .AddOperationalStore(options =>
            {
                options.ConfigureDbContext = builder =>
                builder.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));

                // this enables automatic token cleanup. this is optional.
                 options.EnableTokenCleanup = true;
                 options.TokenCleanupInterval = 30;
            });

        // Add S3 to the ASP.NET Core dependency injection framework.
        services.AddAWSService<Amazon.S3.IAmazonS3>();
    }

Here is our client application that calling identity server's token endpoint to generate token:

[HttpGet]
    public async Task<IActionResult> Get(string client, string secret)
    {

        IActionResult result = null;

        //discover endpoints from metadata

        //var disco = await DiscoveryClient.GetAsync("http://localhost:3000/");

        var disco = await DiscoveryClient.GetAsync("hide for security reasons/");

        if (disco.IsError)
        {
            result = NotFound(disco.Error);

            return result;
        }
        //request token

        var tokenClient = new TokenClient(disco.TokenEndpoint, client, secret);

        var tokenResponse = await tokenClient.RequestClientCredentialsAsync(scope: "sup");

        if (tokenResponse.IsError)
        {
            result = NotFound(tokenResponse.Error);
        }

        result = Ok(tokenResponse.Json);

        return result;
    }

Hi @mackie, issue is fixed. Actually i deployed the lambda function as GET http method, but when we call token endpoint it is actually POST request. So when i changed the http method of lambda function, its working. :) — Rakesh Kumar, Feb 19 '18 at 17:08

score 123 · Answer 1 · answered May 31 '19 at 20:34

123

Just in case someone else makes their way here, this happened to me because I had a typo in the path of my URL.

When I corrected my typo, everything worked for me.

Mini context: I was confused because I was using a Lambda authorizer for my API Gateway resource, and I didn't even see anything hitting the Cloudwatch logs for that Lambda.

answered May 31 '19 at 20:34

HeyWatchThis

21,241
6
33
41

4

for me it was because I forgot to deploy before curl'ing – AlleyOOP Jan 04 '20 at 23:53
5

You're quite the savior Sir. – Ericson Willians Jan 13 '20 at 19:30
5

Well I made it here too looking for the same answer. Turns out it was my HTTP verb that was wrong, not the URL. For me later when I forget and google this again... – MarkC May 21 '20 at 00:10
2

Wish I would have searched for this two hours ago. So much for giving proper message by AWS :| – Ganesh Satpute Jul 07 '20 at 11:47
7

Reason for my mistake: `api.example.com/stage/endpoint` is not the URL to use. Instead, the correct URL is `api.example.com/endpoint` because the stage has been specified in the API mappings. My context is that I am using a custom domain name for my api gateway endpoint. – Iching Chang Nov 17 '20 at 20:55
Is there a way to configure this error message? – Kishan Lal Mar 22 '21 at 12:53
2

Me too! Missed a part of the base path. Hey AWS, how about a simple 404 next time, smh. – Matthew Snyder Jun 16 '21 at 01:17
If like me none of the above is working make sure you have clicked Actions > Deploy in the API gateway resources panel – SimonBarker Oct 07 '21 at 10:59
you caught my mistake(i put the URL), thank you. this is a great hint. – Bhagvat Lande Apr 05 '22 at 13:54
1

Honestly, why can't AWS API Gateway just send a normal 404 like every other service?! – Simon Apr 16 '22 at 13:48
Many thanks! This answer saved me just in time before I ripped my API gateway out – Rapscallion Jan 13 '23 at 10:50

score 3 · Answer 2 · answered Jan 10 '22 at 05:45

3

The issue I was having was pasting the URL included newline character or some other invisible character mismatch

answered Jan 10 '22 at 05:45

Kiaan Edge-Ford

51
3

score 1 · Answer 3 · answered Oct 17 '20 at 12:35

1

I encountered this error while trying to curl an endpoint(*):

curl -XGET -u user:password <host-url>

The problem was that I passed wrong credentials.

(*) Side note: I tried to search my Elasticsearch cluster hosted on AWS.

answered Oct 17 '20 at 12:35

Rot-man

18,045
12
118
124

score 0 · Answer 4 · answered Feb 09 '23 at 17:44

0

In my case, i figured out that the URL path is case sensitive in AWS API Gateway.

Hope this answer helps someone stuck in this problem, like me.

answered Feb 09 '23 at 17:44

William Keller

1
3

score 0 · Answer 5 · answered Jul 28 '23 at 15:42

0

If you are using postman to hit an API Gateway endpoint. you might get this error in postman. it will occur specially when you try to pass id token or access token.

so to fix this you need to sign your request using AWS-Amplify.

answered Jul 28 '23 at 15:42

MUHAMMAD AZEEM

11
2

Authorization header requires 'Credential' parameter

5 Answers5