Kong Api Gateway - HMAC Signature does not Match - hmac

I am trying to implement HMAC Authentication with Kong,
I am getting error “HMAC Signature does not match” .
I am making HTTP request using Postman Rest Client.
Can some one verify my request parameter below.
Credential of Consumer:
Username: "test"
Secret: "test123#"
Http Request Detail:
Date:Thu, 05 Sep 2019 09:56:28 GMT
host:172.17.0.3
Authorization: hmac username="test",algorithm="hmac-sha1",headers="date",signature="YTg5NmQwMjhmMzVmYWNhZmQyZTQwNmY5ZTVkMmUzNDM4NDAxNmY3MA=="
Http Response:
Http Code:401
Response Body:
{
message:"HMAC Signature does not match"
}

I did generation for signing string "Date: Thu, 05 Sep 2019 09:56:28 GMT". Yes you need space after date.
The signature should be MduuZsP0dKRPKGoMSTft/fT+Qmc= for hmac-sha1 secret is "test123#"
I made this document for anyone who might need it (relating to kong hmac).

Related

Communication between 2 API services on the same cluster not working

I'm running a Kubernetes cluster with 2 API services inside Upon makin a API call to to my web-API located in the cluster I want the call to be forwarded to my backend-API.
This is not happening!
Now I looked into the the Ingress config of the backend-API and found its "Out side address" so to say and tried using that when forwarding API calls from the web-API upon which I received this message (This was a https address.
THE API CALL RESPONSE WAS: StatusCode: 404, ReasonPhrase: 'Not Found', Version: 1.0, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Server: squid/3.1.23
Mime-Version: 1.0
Date: Fri, 22 Oct 2021 23:00:54 GMT
X-Squid-Error: ERR_DNS_FAIL 0
Content-Type: text/html
Content-Length: 3525
}
Then I did some reading and got convinced I should send the internal API call to the backend using its internal IP. So executed in to the container running the backend service and viewed the resolv.config file and here I found 2 things one was a name: which was followed by a IP address and the other was Search: which was followed by 3 very long names.
So I used the IP address that came after name and upon sending a API call to it I got the following response:
http://10.233.0.3/uploadBlob
THE API CALL RESPONSE WAS: StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.0, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Server: squid/3.1.23
Mime-Version: 1.0
Date: Sun, 24 Oct 2021 15:59:51 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from **************
X-Cache-Lookup: NONE from **************:8080
Via: 1.0 ************* (squid/3.1.23)
Connection: keep-alive
Content-Type: text/html
Content-Length: 3458
}
http://10.233.0.3/uploadBlob
OBS - I had to remove the addresses for security reasons as I am not the owner of it.
Now I'm all out of ideas as to how I can make this internal call between these two services and i would appreciate any help I could get.

How to Validate an Access Token for OAuth2 + PCKE flow

According to this document
https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce
Token Endpoint for PCKE flow is None (not Basic or POST)
So, how can I use the validation token API https://developers.onelogin.com/openid-connect/api/validate-session because it supports Basic authentication or POST but not for None (PCKE) I can't find any information relate to this.
NOTE: I have tried to request with Basic authentication and without + client_id, client_secret as a parameter but not working.
response 401 Unauthorized
{
"error": "invalid_client",
"error_description": "client authentication failed"
}
I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow:
$ curl -i -d "token=...&token_type_hint=access_token&client_id=..." https://openid-connect.onelogin.com/oidc/token/introspection
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Content-Length: 304
Content-Type: application/json; charset=utf-8
Date: Thu, 25 Apr 2019 23:37:42 GMT
Pragma: no-cache
X-Powered-By: Express
Set-Cookie: ol_oidc_canary_040819=false; path=/; domain=.onelogin.com
{"active":true,"sub":"...","client_id":"...","exp":1558819177,"iat":1556227177,"sid":"...","iss":"https://openid-connect.onelogin.com/oidc","jti":"...","scope":"openid profile email"}
Both the access_token and refresh_token returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired.
Make sure you are not setting the Authorization header, and only set your client_id in the payload.
Use client_id and code_verify in the POST body. That will authenticate the request on that endpoint.

SignatureDoesNotMatch error when sending optional parameters to AWS S3

I’m trying to use getBucketObjectVersions operation with signature v4 to get the bucket object versions. If I don’t add any request parameters as mentioned in the sample request below, I am able to get the response successfully.
GET /signv4testq23a1/?versions
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=fe3d26c4sdasdasd7fa15324XXXXX563dsf148df58d131b4cede6
x-amz-content-sha256: UNSIGNED-PAYLOAD
x-amz-date: Wed, 20 Dec 2017 07:22:14 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com
If I add any request parameters as mentioned in the sample request below I’m getting the SignatureDoesNotMatch error. Please note that the canonical request which is generated when calculating the signature is same as the canonical request expected by the backend service. But getting different hashed canonical request value expected in StringToSign value from backend service.
What could be the reason?
Sample request with request parameter:
GET /signv4testq23a1/?versions&delimiter=/
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=192ce5f5e6b661bd5aXXXXXXXXXXXEAe5f50fbe8efda5a3e967d4f27972e
x-amz-date: Wed, 20 Dec 2017 08:53:17 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com
Cannonical request:
GET
/signv4testq23a1/
delimiter=%2F&versions=
content-type:application/xml
host:s3.us-east-2.amazonaws.com
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:Wed, 20 Dec 2017 08:53:17 GMT
content-type;host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD
enter link description here
This is a problem:
delimiter=%2F&versions=
The keys and values should be url-escaped (encoded), but the & between parameters should not be escaped as &... it should just be &. You need to encode each key and value on its own, rather than the entire string once sorted and assembled.
CanonicalQueryString
specifies the URI-encoded query string parameters. You URI-encode name and values individually.
http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

Unable to get Access Token Via Fiddler IdentityServer3

I can successfully call my Api via a web browser. Using IdentityModel works fine.
But when I try to call the Api via Fiddler I get invalid_client. My client information comes from a database based on the MembershipReboot Client tables.
I tried passing data via the Post Body and via Authentication basic. Both fail.
When calling using Authentication Basic encoded parameters I have the following>
User-Agent: Fiddler
Host: qaquasaridentity
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdC5hcGk6c2VjcmV0
The actual encoded value in Fiddler shows:
No Proxy-Authorization Header is present.
Authorization Header is present: Basic dGVzdC5hcGk6c2VjcmV0
Decoded Username:Password= test.api:secret
When I call using the Post Body for parameters the data passed is:
client_id=test.api
&client_secret=secret
&grant_type=client_credentials
&scope=testapi
The Server log says
2017-01-20 12:06:13.968 -06:00 [Debug] Start client validation
2017-01-20 12:06:13.971 -06:00 [Debug] Start parsing Basic Authentication secret
2017-01-20 12:06:13.973 -06:00 [Debug] Start parsing for secret in post body
2017-01-20 12:06:13.973 -06:00 [Debug] No secret in post body found
2017-01-20 12:06:13.976 -06:00 [Debug] Start parsing for X.509 certificate
2017-01-20 12:06:13.976 -06:00 [Debug] client_id is not found in post body
w3wp.exe Information: 0 : 2017-01-20 12:06:13.976 -06:00 [Information] Parser found no secret
w3wp.exe Information: 0 : 2017-01-20 12:06:13.981 -06:00 [Information] No client secret found
w3wp.exe Information: 0 : 2017-01-20 12:06:13.983 -06:00 [Information] End token request
w3wp.exe Information: 0 : 2017-01-20 12:06:13.988 -06:00 [Information] Returning error: invalid_client
I have the client_id and client_secret but the error log says otherwise.
Can anyone explain what I am doing wrong? I can get my access_token via .NET on the backend but not via Fiddler.
The token endpoint does not take JSON, but form-data.
POST /connect/token
grant_type=client_credentials&client_id=test.api&client_secret=secret&scope=api
http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
https://identityserver.github.io/Documentation/docsv2/endpoints/token.html

Google Cloud MissingSecurityHeader error

While there is a thread about this problem on Google's FAQ, it seems like there are only two answers that have satisfied other users. I'm certain there is no proxy on my network and I'm pretty sure I've configured boto as I see credentials in the request.
Here's the capture from gsutil:
/// Output sanitized
Creating gs://64/...
DEBUG:boto:path=/64/
DEBUG:boto:auth_path=/64/
DEBUG:boto:Method: PUT
DEBUG:boto:Path: /64/
DEBUG:boto:Data: <CreateBucketConfiguration><LocationConstraint>US</LocationConstraint></\
CreateBucketConfiguration>
DEBUG:boto:Headers: {'x-goog-api-version': '2'}
DEBUG:boto:Host: storage.googleapis.com
DEBUG:boto:Params: {}
DEBUG:boto:establishing HTTPS connection: host=storage.googleapis.com, kwargs={'timeout':\
70}
DEBUG:boto:Token: None
DEBUG:oauth2_client:GetAccessToken: checking cache for key dc3
DEBUG:oauth2_client:FileSystemTokenCache.GetToken: key=dc3 present (cache_file=/tmp/o\
auth2_client-tokencache.1000.dc3)
DEBUG:oauth2_client:GetAccessToken: token from cache: AccessToken(token=ya29, expiry=2\
013-07-19 21:05:51.136103Z)
DEBUG:boto:wrapping ssl socket; CA certificate file=.../gsutil/third_party/boto/boto/cace\
rts/cacerts.txt
DEBUG:boto:validating server certificate: hostname=storage.googleapis.com, certificate ho\
sts=['*.googleusercontent.com', '*.blogspot.com', '*.bp.blogspot.com', '*.commondatastora\
ge.googleapis.com', '*.doubleclickusercontent.com', '*.ggpht.com', '*.googledrive.com', '\
*.googlesyndication.com', '*.storage.googleapis.com', 'blogspot.com', 'bp.blogspot.com', \
'commondatastorage.googleapis.com', 'doubleclickusercontent.com', 'ggpht.com', 'googledri\
ve.com', 'googleusercontent.com', 'static.panoramio.com.storage.googleapis.com', 'storage\
.googleapis.com']
GSResponseError: status=400, code=MissingSecurityHeader, reason=Bad Request, detail=A non\
empty x-goog-project-id header is required for this request.
send: 'PUT /64/ HTTP/1.1\r\nHost: storage.googleapis.com\r\nAccept-Encoding: iden\
tity\r\nContent-Length: 98\r\nx-goog-api-version: 2\r\nAuthorization: Bearer ya29\r\nU\
ser-Agent: Boto/2.9.7 (linux2)\r\n\r\n<CreateBucketConfiguration><LocationConstraint>US</\
LocationConstraint></CreateBucketConfiguration>'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Content-Type: application/xml; charset=UTF-8^M
header: Content-Length: 232^M
header: Date: Fri, 19 Jul 2013 20:44:24 GMT^M
header: Server: HTTP Upload Server Built on Jul 12 2013 17:12:36 (1373674356)^M
It looks like you might not have a default_project_id specified in your .boto file.
It should look something like this:
[GSUtil]
default_project_id = 1234567890
Alternatively, you can pass the -p option to the gsutil mb command to manually specify a project. From the gsutil mb documentation:
-p proj_id Specifies the project ID under which to create the bucket.