
httpx_auth above v0.20.0 Results in a 403 Forbidden error on AWS API Gateway `execute-api` service with AWS Signature Version 4 auth

Open amruthvvkp opened this issue 1 year ago • 1 comments

I am having an issue with my Python client making requests to an AWS API Gateway endpoint through HTTPX with HTTPX_AUTH AWS Signature Version 4. While version 0.19.0 of httpx_auth works correctly, any version above that results in a 403 Forbidden error.

The error message indicates that the AWS signature you are providing does not match what AWS is expecting. The message also helpfully provides the canonical string and string to sign that AWS generated based on your request.

The changelog for httpx_auth shows that between version 0.19.0 and 0.20.0 there was a significant overhaul of the AWS4Auth implementation to adhere more closely to the AWS documentation. This change may be the cause of the incompatibility you are experiencing.

- HTTPx version: v0.27.0, HTTPx_AUTH version: ^v0.20.0 - Results in a 403 Forbidden error
- HTTPx version: v0.26.0, HTTPx_AUTH version: v0.19.0 - Works just fine

Snippet of the error:

```
2024-04-12 16:51:02.768 | ERROR | Client error '403 Forbidden' for url 'https://xxxx'
Response: {'message': "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/xxx\n\nhost:xxx\nx-amz-content-sha256:xxxxx\nx-amz-date:20240412T155102Z\nx-amz-security-token:xxxx\n\nhost;x-amz-content-sha256;x-amz-date;x-amz-security-token\nexxxxx'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\nxxxxxxxxx/<region>/execute-api/aws4_request\n262xxx'\n"}
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
```

I've tried including headers when making requests with httpx_auth v0.22.0, resulting in a similar error. I am calling the service execute-api on AWS API Gateway.

amruthvvkp, Apr 12 '24 16:04

Hello @amruthvvkp

In order to spot what part is not generated properly, could you compare the expected AWS canonical string and string to sign to the one we generate?

You can put a breakpoint at the following line to see the relevant variables we generate: https://github.com/Colin-b/httpx_auth/blob/ffa0458db37f95e7a49c062594f9aa59171aeb17/httpx_auth/_aws.py#L90

Thanks again

Colin-b, Apr 12 '24 21:04
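One way to do the comparison requested above, as an added example that is not part of the thread or of httpx_auth: it pulls the canonical string and string-to-sign out of the AWS 403 message and names the first canonical-request component that differs from the client's. The function names, host, paths and the differing path encoding are constructed for illustration, and `CLIENT_CANONICAL` stands in for the value captured at the breakpoint.

```python
import hashlib
import re

FIELDS = ("method", "uri", "query", "headers", "signed_headers", "payload_hash")

def parse_aws_403(message):
    """Return (canonical_request, string_to_sign) quoted in AWS's 403 message."""
    canon = re.search(r"Canonical String for this request should have been\n'(.*?)'\n\n", message, re.S)
    sts = re.search(r"String-to-Sign should have been\n'(.*?)'\n", message, re.S)
    if not (canon and sts):
        raise ValueError("message does not contain the expected SigV4 strings")
    return canon.group(1), sts.group(1)

def split_canonical(canonical):
    """Split a SigV4 canonical request into its six components."""
    method, uri, query, rest = canonical.split("\n", 3)
    headers, tail = rest.split("\n\n", 1)  # header block is followed by a blank line
    signed_headers, payload_hash = tail.split("\n", 1)
    return dict(zip(FIELDS, (method, uri, query, headers, signed_headers, payload_hash)))

def first_mismatch(expected, generated):
    """Name the first component where the client's canonical request differs."""
    exp, gen = split_canonical(expected), split_canonical(generated)
    for name in FIELDS:
        if exp[name] != gen[name]:
            return name, exp[name], gen[name]
    return None

def hash_matches(canonical, string_to_sign):
    """True if the string-to-sign's last line is SHA-256 of this canonical request."""
    return string_to_sign.rsplit("\n", 1)[-1] == hashlib.sha256(canonical.encode()).hexdigest()

# Constructed sample (not values from the issue): same request, path encoded differently.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
_TEMPLATE = "GET\n{}\n\nhost:api.example.test\nx-amz-date:20240412T155102Z\n\nhost;x-amz-date\n" + EMPTY_SHA256
AWS_CANONICAL = _TEMPLATE.format("/prod/items/a%2520b")
CLIENT_CANONICAL = _TEMPLATE.format("/prod/items/a%20b")  # stand-in for the breakpoint value
AWS_MESSAGE = (
    "The request signature we calculated does not match the signature you provided.\n\n"
    "The Canonical String for this request should have been\n'" + AWS_CANONICAL + "'\n\n"
    "The String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20240412T155102Z\n"
    "20240412/eu-west-1/execute-api/aws4_request\n"
    + hashlib.sha256(AWS_CANONICAL.encode()).hexdigest() + "'\n"
)

if __name__ == "__main__":
    expected, sts = parse_aws_403(AWS_MESSAGE)
    print(first_mismatch(expected, CLIENT_CANONICAL))  # which component differs
    print(hash_matches(CLIENT_CANONICAL, sts))         # does the client's hash match AWS's?
```

If `first_mismatch` returns `None` but the request is still rejected, the difference lies in the remaining string-to-sign lines (timestamp or credential scope) or in the signing key rather than in the canonical request.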

Since there was no reply and I noticed that httpx made some changes in URL encoding in 0.27.1, I assume upgrading httpx fixed the issue and it was on the httpx side.

Colin-b, Sep 29 '24 18:09