2

I'm trying to use AWS API Gateway's WebSocket functionality for communication with my Angular application. As per an enterprise requirement, I am required to secure my WebSocket endpoint with an OAuth token.

I have written a custom OAuth authorizer for validating the OAuth token.

This custom authorizer is working fine with my REST endpoints.

As per my understanding, browsers cannot support custom headers for WebSocket (HTTP headers in Websockets client API).

To bypass this limitation, I am using the Sec-WebSocket-Protocol header to pass my OAuth token for authentication purposes.

(Query-string-based authentication might not work for me, as I would exceed the URL string limitations.)

I have configured my API Gateway to accept Sec-WebSocket-Protocol as the authentication header, and everything seems to be working fine with the wscat utility.

When I integrate this endpoint with my Angular client using RxJS (https://rxjs-dev.firebaseapp.com/api/webSocket/webSocket), the entire solution works fine in Firefox and Edge, but Chrome throws a handshake exception, i.e.

WebSocket connection to 'wss://xxxx.com/' failed: Error during WebSocket handshake: Sent non-empty 'Sec-WebSocket-Protocol' header but no response was received

Request Headers:

GET wss://xxxx.com/ HTTP/1.1
Host: xxxx.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: http://localhost:4200
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Sec-WebSocket-Key: asdf
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Protocol: asdf

Response Headers:

HTTP/1.1 101 Switching Protocols
Connection: upgrade
Date: Tue, 11 Jun 2019 06:15:43 GMT
upgrade: websocket
sec-websocket-accept: asdf
sec-websocket-extensions: permessage-deflate
X-Cache: Miss from cloudfront
Via: 1.1 asdf
X-Amz-Cf-Pop: BOM51
X-Amz-Cf-Id: asdf
Srujal Kachhela

2 Answers

0

This is a long-standing bug in the AWS WebSocket API.

https://forums.aws.amazon.com/thread.jspa?messageID=883536&tstart=0

Srujal Kachhela
0

Happy to report this has now been added to API-Gateway, so now you need to update your Lambda function to return the correct Sec-WebSocket-Protocol header: https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-connect-route-subprotocol.html

jdrydn
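
One way to write the `$connect` Lambda handler that the last answer refers to, so that the handshake response carries a `Sec-WebSocket-Protocol` header. This is an added example, not code from the posts above or from AWS. It assumes a Lambda proxy integration on `$connect` and a client that offers a hypothetical marker subprotocol `app.v1` alongside the token, so the handler can select the marker instead of reflecting the token back in the response.

```javascript
// Added example: $connect route Lambda (proxy integration) that answers the
// subprotocol negotiation. APP_PROTOCOL is a hypothetical marker name.
const APP_PROTOCOL = 'app.v1';

// Header names may arrive in any case; look the name up case-insensitively.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Split "app.v1, <token>" into the list of subprotocols the client offered.
function offeredSubprotocols(event) {
  const raw = getHeader(event.headers, 'sec-websocket-protocol');
  if (typeof raw !== 'string') return [];
  return raw.split(',').map((p) => p.trim()).filter((p) => p.length > 0);
}

// Build the $connect response. Chrome fails the handshake when it offered
// subprotocols and the response names none of them (the error in the question).
// Only the fixed marker is ever returned, so the token is not reflected.
function buildConnectResponse(event) {
  const offered = offeredSubprotocols(event);
  if (!offered.includes(APP_PROTOCOL)) {
    return { statusCode: 400 }; // marker not offered: refuse the connection
  }
  return {
    statusCode: 200,
    headers: { 'Sec-WebSocket-Protocol': APP_PROTOCOL },
  };
}

// Lambda entry point. Token validation is assumed to have happened already in
// the custom authorizer attached to $connect, as described in the question.
const handler = async (event) => buildConnectResponse(event);
if (typeof module !== 'undefined') module.exports = { handler };

// Browser side (constructed values): new WebSocket(url, ['app.v1', oauthToken])
```

Because the client now offers two values, the custom authorizer has to split the header value and take the token entry rather than treat the whole header as the token.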