aws-appsync-community
OpenID Authorisation can't handle "Bearer " in header value
I've just been trying out AppSync's authorisation setup for OpenID (using it with Auth0). However, I hit issues when testing because I couldn't get it to authenticate from Postman, but it was working from the AppSync Query console.
It took me a while of debugging and monitoring the request the console was sending to realise that it was sending a different header value from Postman. Postman adds "Bearer " to most standard Authorisation schemes.
At the moment, I've had to manually set a header, this is going to complicate our testing of the API as we can't use standard authorisation headers.
Can AppSync be changed to also handle a preceding "Bearer " in the authorisation header value?
Thank you for the feedback. That is indeed the case as you mentioned. I will add this internally as a feature request.
Also, just to add a perspective: we have several microservices, and AppSync is used in one of them. All the other services use JWT tokens with "Bearer" prepended, but this doesn't work with AppSync. This forces the calling layers to do ugly tricks. My goal is to add more weight to the feature request.
Also, I would be happy to contribute to it. (I would need some basic guidelines on how the project is structured, etc.)
Is there any update on this? We have hit this problem as well, and it is going to cause us quite a few headaches as we do not control the clients that will be calling our API.
Could this behaviour at least be explicitly mentioned in the documentation until it gets resolved? That'd save hours of confusion for many developers trying to make their API calls work.
Any news about this?
We have the same issue from EventBridge API Destinations (which always call with "Bearer") to AppSync.
How is this marked as an enhancement as it's clearly broken? Your EventBridge service does not work with AppSync because it's broken. You expect people to crawl through github issues to find resolution only to find this 'issue' listed as an enhancement. Well done...
I have run into the same issue. I have interceptors set up by default that inject Authorization header value on Angular side and this works transparently. Also as expected it adds Bearer to the Authorization header and it does not work with AppSync. If AppSync can handle the Bearer string in the Authorization header value, then it would make the integration with existing auth tools seamless using OpenId auth mode.
Took me 2 hours to understand why a standard "Authorization: Bearer ..." header doesn't work. Not a single line about it in the docs.
The OIDC standard explicitly mentions the Bearer keyword: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
> When sending the access token in the "Authorization" request header field defined by HTTP/1.1 [RFC2617], the client uses the "Bearer" authentication scheme to transmit the access token.
> For example:
>
> GET /resource HTTP/1.1
> Host: server.example.com
> Authorization: Bearer mF_9.B5f-4.1JqM
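The RFC 6750 rule quoted above, as an added example that is not part of this thread and not AppSync's own code: a small Authorization header parser that accepts the standard `Bearer <token>` form (scheme name case-insensitive, as HTTP authentication schemes are), still accepts a bare token (the form AppSync required at the time), and rejects other schemes or malformed values. The sample header values are constructed for the demonstration.

```javascript
// Added example: parse an HTTP Authorization header value per RFC 6750 §2.1.
// Not AppSync's implementation; it illustrates the behaviour requested in
// this thread. Sample inputs below are constructed, not captured traffic.

// RFC 6750 §2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Returns the token string, or null when the header value is not a usable
// bearer credential (other scheme, missing credentials, extra fields, bad chars).
function extractBearerToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const parts = headerValue.trim().split(/[ \t]+/);
  let candidate;
  if (parts.length === 1) {
    // Bare token: the only form AppSync accepted before the fix.
    candidate = parts[0];
    if (candidate.toLowerCase() === 'bearer') return null; // scheme without credentials
  } else if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
    // Standard form "Bearer <token>"; scheme names are case-insensitive (RFC 7235 §2.1).
    candidate = parts[1];
  } else {
    // A different scheme (Basic, Digest, ...) or more than one field: not a bearer token.
    return null;
  }
  return B64TOKEN.test(candidate) ? candidate : null;
}

// Constructed sample header values exercising each branch.
const SAMPLES = [
  'Bearer mF_9.B5f-4.1JqM', // RFC 6750 example: accepted
  'bearer mF_9.B5f-4.1JqM', // lower-case scheme: accepted
  'mF_9.B5f-4.1JqM',        // bare token (pre-fix AppSync form): accepted
  'Basic dXNlcjpwYXNz',     // different scheme: rejected
  'Bearer',                 // scheme with no credentials: rejected
  'Bearer a b',             // extra field: rejected
];

// Returns [headerValue, extractedTokenOrNull] pairs for a list of header values.
function classifySamples(samples) {
  return samples.map((value) => [value, extractBearerToken(value)]);
}

for (const [value, token] of classifySamples(SAMPLES)) {
  console.log(JSON.stringify(value).padEnd(28), '->', token);
}
```

Accepting the bare form alongside `Bearer <token>` is what makes clients such as Postman, EventBridge API Destinations and Angular HTTP interceptors (all mentioned in this thread) work unchanged; a service that only accepts the bare form forces every caller to strip the scheme before sending.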
I spent a few hours trying to figure out why my bearer token is not working, until I came across this issue page. Can we get a fix for this soon, or update the documentation to reflect this?
We need this too. We are facing the same issue with the EventBridge -> AppSync integration, and we lost several hours struggling until we arrived here.
+1
Any news on when this issue will be fixed?
We have made the appropriate changes to support the "Bearer" Authorization header for OPENID_CONNECT and AMAZON_COGNITO_USER_POOLS authorization.