my "token-signature" in aws iot test-invoke-authorizer always mismatch

0

I had try to use AWS IoT Core Authorizer with AWS Lamda Function follow this guide. https://docs.aws.amazon.com/iot/latest/developerguide/config-custom-auth.html and this https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth-tutorial.html

I can create Lamda Function and Authorizer like that guide. But I had always got this Error : "An error occurred (InvalidRequestException) when calling the TestInvokeAuthorizer operation: Token signature mismatch for authorizer my-new-authorizer1" when I try to test it by test-invoke-authorizer. I guess I maybe do some mistake on key-generate or signature-generate by OpenSSL. So I try to validate them for check the compatible of them and It's compatible.

And now, I have no idea what I do mistake. Does anyone suggest me what should I do

Thank You for your time.

6 Answers
0
Accepted Answer

OK, it was solved. after meeting with AWS technical support and he show me how to create the key. That's about OpenSSL key generator which the OpenSSL are not regular support Windows OS. So it's very complicate to generate the key from windows. And the other thing is version of OpenSSL which document recommend to 1.1.1i.

I had try to use OpenSSL 1.1.1i from Ubuntu OS with same procedure in that document and it's work fine without error. So let's change your OS to solve it.

Thank You everyone

answered a year ago
profile picture
EXPERT
A_J
reviewed 15 days ago
0

Thanks for reaching out. Can you please confirm if on the tutorial you have done steps 1-3 successfully? i.e lambda add permission with no errors?

  • Yes, it's. I can do it without any error.

For step 4, have you ensured that this is generated with the "tokenKeyValue" and same is used for testing the authorizer ?

  • Yes, I had generate it by OpenSSL V1.1.1 but I had also try with OpenSSL V3 too and it was the same error.

"Copy this signature string to use in the next step. Be careful not to include any extra characters or leave any out."

  • I had check it by debug mode of "TestInvokeAuthorizer" and I didn't see any extra charactor in it.

Another thing that I feel some strange. it's a private-key generator in https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth-tutorial.html "openssl genrsa -out private-key.pem 4096" I saw some document is use 2048 length but I think it should not matter to check matching of both key. and even 2048 length, it had mismatch too.

Thank You for your time.

answered 2 years ago
  • Thanks for your response. I re-ran the tutorial end to end and it works well without issues . Openssl version does not matter.

    4096 is the size of the private key to generate in bits. This must be the last option specified. The default is 2048

    I think if you can confirm that below steps

    echo -n "tokenKeyValue" | openssl dgst -sha256 -sign private-key.pem | openssl base64 -A

    and then

    aws iot test-invoke-authorizer
    --authorizer-name my-new-authorizer
    --token tokenKeyValue \ --> this should be same as when you used echo -n "tokenKeyValue" above --token-signature <<signature above not to include any extra characters or leave any out.>>

    Any changes in the --token or --token-signature may not let it validate.

    Another idea is that follow Step 5: Test publishing MQTT message using Postman

0

Hello,

Have you been able to solve this issue?

I am also following this tutorial from top to bottom https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth-tutorial.html but I am getting the following error every time (Postman is also not working):

An error occurred (InvalidRequestException) when calling the TestInvokeAuthorizer operation: Token signature mismatch for authorizer my-new-authorizer

Also in step 3, the Lambda permission statement shown in the tutorial is:

{
    "Statement": "{\"Sid\":\"Id-1234\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"iot.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:Region:57EXAMPLE833:function:custom-auth-function\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:lambda:Region:57EXAMPLE833:function:custom-auth-function\"}}}"
}

But the previous step to create the permission through the CLI indicates:

aws lambda add-permission  \
--function-name "custom-auth-function" \
--principal "iot.amazonaws.com" \
--action "lambda:InvokeFunction" \
--statement-id "Id-1234" \
--source-arn authorizerArn

To use the authorizerArn as the "source-ARN" but the statement is using the lambda function ARN, which one is correct? I test both but still getting the "Token signature mismatch..." error.

Any assistance would be greatly appreciated.

Regards. Gianpiero

answered 2 years ago
  • I have some meeting with technical of aws tomorrow. so if you have some question about this please list it to me. if it's possible I maybe ask them too. Thank You.

0

Thanks for reaching out. Can you please confirm if on the tutorial you have done steps 1-3 successfully? i.e lambda add permission with no errors?

For step 4, have you ensured that this is generated with the "tokenKeyValue" and same is used for testing the authorizer ?

echo -n "tokenKeyValue" | openssl dgst -sha256 -sign private-key.pem | openssl base64 -A

Also in step 4, can you confirm that this check is done ? "Copy this signature string to use in the next step. Be careful not to include any extra characters or leave any out."

profile pictureAWS
EXPERT
answered 2 years ago
0

"Another idea is that follow Step 5: Test publishing MQTT message using Postman" after your suggestion. I had try to do follow in step 5. and I saw first wrong thing that it's my policy was deny this request. I 'm unsure that it had relation with mismatch between public key and signature, isn't it. and if I can resolve that policy (which I had do it before), I will update later.

Thank You for your advice.

answered 2 years ago
0

Have you been able to solve this issue? No, I'm still being stuck at the same situation.

and To use the authorizerArn as the "source-ARN" but the statement is using the lambda function ARN, which one is correct?

I had use arn from authorizerArn in response of create authorizer

Enter image description here

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions