I have set up an API gateway with a JWT authorizer (the one that is already built in), but I cannot get it to accept tokens generated by Twitch. This is my JWS auth settings in AWS: https://i.sstatic.net/WR6Vi.png
I'm a bit confused about what 'audience' means, but I figured that has to be my Twitch extension secret since that's what the token is signed with in the first place.
I tried verifying it on https://jwt.io/ against the secret and it says the token is valid after ticking the "secret base64 encoded" box.
Problem is that every time I try to pass it in the header to the API, I get `error="invalid_token" error_description="signing method HS256 is invalid"`.
This is the payload AWS receives:
```js
{
  version: '2.0',
  routeKey: '$default',
  rawPath: '/',
  rawQueryString: '',
  headers: {
    accept: '*/*',
    'accept-encoding': 'deflate, gzip',
    'authorization': 'Bearer <MYTOKEN>',
    'content-length': '0',
    host: '<SOMETHING>.us-west-2.amazonaws.com',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36',
    'x-amzn-trace-id': '<SOME ID>',
    'x-forwarded-for': '<SOME IP>',
    'x-forwarded-port': '443',
    'x-forwarded-proto': 'https',
    'x-real-ip': '<SOME IP>'
  },
  requestContext: {
    accountId: '<ID>',
    apiId: '<APP ID>',
    domainName: '<SOMETHING>.us-west-2.amazonaws.com',
    domainPrefix: '<SOMETHING>',
    http: {
      method: 'GET',
      path: '/',
      protocol: 'HTTP/1.1',
      sourceIp: '<SOME IP>',
      userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36'
    },
    requestId: '<SOME ID>',
    routeKey: '$default',
    stage: '$default',
    time: '26/Feb/2021:17:48:04 +0000',
    timeEpoch: 1614361684261
  },
  isBase64Encoded: false
}
```
As you can see, it receives the header and token just fine. One thing I noticed is that when I decode the token, there is no issuer. How does AWS know that Twitch is the issuer?
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "exp": 1614341073,
  "opaque_user_id": "U<SOME ID>",
  "user_id": "<SOME ID>",
  "channel_id": "<SOME ID>",
  "role": "broadcaster",
  "is_unlinked": false,
  "pubsub_perms": {
    "listen": [
      "broadcast",
      "whisper-<SOME ID>",
      "global"
    ],
    "send": [
      "broadcast",
      "whisper-*"
    ]
  }
}
```
As per the exception `error="invalid_token" error_description="signing method HS256 is invalid"`, it is clear that either the AWS services do not support the HS256 algorithm, or you have to change the configuration to inform the AWS services about the type of algorithm they should use in order to validate the token.
Two ways to proceed on this:

1. Keep the AWS services informed about the algorithm used during token creation, so that the AWS auth services use the same one to verify/validate the token.
2. Change the algorithm on the token issuer's side, if that service allows you to do so.
Usually the token issuer uses one of the following algorithms when creating a JWT:

- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- ES256
- ES384
- ES512
- PS256
- PS384
- PS512
- EdDSA
Audience Claim in Token

`aud` (audience): Recipient for which the JWT is intended.

> How does AWS know that Twitch is the issuer?

You've already mentioned the JWS auth settings in AWS.
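The question's jwt.io check (valid only after ticking "secret base64 encoded") and the answer's point about HS256 both come down to the same mechanics: an HS256 token is verified with the *decoded bytes* of a shared secret, and a verifier that does not hold that secret cannot check it at all. The built-in JWT authorizer fetches public keys from the issuer's JWKS, which is why a shared-secret scheme such as HS256 has no place to be configured there; the verification has to happen somewhere that holds the secret. The following is an added, stand-alone example (not code from the question, the answer, AWS or Twitch) of that verification using only the Python standard library. The secret and claims are constructed for the example; the Twitch-specific parts are assumptions: the extension secret is delivered base64-encoded and the HMAC key is its decoded form, matching what the jwt.io step showed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets for this example (not real Twitch secrets). A Twitch-style
# extension secret is delivered base64-encoded; the HMAC key is the DECODED bytes,
# which is why the "secret base64 encoded" box has to be ticked on jwt.io.
EXAMPLE_SECRET_B64 = base64.b64encode(b"example-extension-secret-not-real").decode()
WRONG_SECRET_B64 = base64.b64encode(b"a-different-secret-for-the-test").decode()

# Allow-list of algorithms this verifier will accept. The token's own "alg" header
# is attacker-controlled input and is never used to pick the verification routine.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret_b64: str) -> str:
    """Mint an HS256 JWT the way an extension backend would (helper for the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(base64.b64decode(secret_b64), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret_b64: str, *, expected_aud: Optional[str] = None,
                 now: Optional[int] = None) -> dict:
    """Return the verified claims, or raise ValueError describing why the token was rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Reject before doing any signature math; same wording as the gateway's error.
        raise ValueError(f"signing method {alg} is invalid")

    key = base64.b64decode(secret_b64)  # decoded bytes, not the base64 text
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")

    if expected_aud is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            raise ValueError("audience mismatch")
    return claims


def verification_error(token: str, secret_b64: str, **kwargs) -> Optional[str]:
    """Convenience wrapper: None when the token verifies, otherwise the rejection reason."""
    try:
        verify_hs256(token, secret_b64, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1614361684  # the request's timeEpoch from the question, in seconds
    token = sign_hs256({"exp": now + 300, "role": "broadcaster", "opaque_user_id": "UEXAMPLE"},
                       EXAMPLE_SECRET_B64)
    print("valid token   ->", verification_error(token, EXAMPLE_SECRET_B64, now=now))
    print("wrong secret  ->", verification_error(token, WRONG_SECRET_B64, now=now))
    print("expired       ->", verification_error(token, EXAMPLE_SECRET_B64, now=now + 300))
```

Two things worth noticing when running this against the values in the question. First, the `exp` check is not academic: the decoded payload carries `exp: 1614341073`, while the request arrived at `timeEpoch: 1614361684261` (about 1614361684 seconds), so that particular token was already expired when it reached the gateway and would fail even once the algorithm problem is solved. Second, the audience check is deliberately optional because the decoded Twitch payload contains no `aud` claim at all; an `aud` value configured in the authorizer can only ever match a claim the issuer actually puts in the token.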