Missing Authorization Header

[m-siscogit]

I'm attempting to POST a graphql query to an aws appsync application. I'm using the HttpClient extensions (PostAsync) to sign the request before sending it (this is an excellent implementation, by the way - nearly transparent to the user).

My request is returning an empty list of objects, even though I know there are objects on the server. While investigating this, I noticed that in my response object, response.RequestMessage.Headers.Authorization is null. If I look in response.RequestMessage.Headers.headerStore, I have an entry:

Key: "Authorization"
Value: {System.Net.Http.Headers.HttpHeaders.HeaderStoreItemInfo}
-> ParsedValue: null
-> invalidValue: {the actual signature}

So it appears that there's something about this signature that the system doesn't like. I don't whether the actual message had a valid Authorization header.

Does anyone have any insight to share?

[FantasticFiasco]

Hi @m-siscogit!

I have no experience in sending requests to AWS AppSync, but according to the documentation it should feature Signature version 4 authentication. Do you get any meaningful error messages in CloudWatch?

[m-siscogit]

I am trying to implement a client for an appsync application written by a third party. As such, I don't have access to the CloudWatch console for this application. The third party is going to send me some log files today, but I'm doubtful they will have the level of detail that I need to debug this issue.

But I would like to point out that the issue I'm reporting can't be appsync-specific, because I'm seeing the null Authorization header in the outgoing message. I've dug into your code a bit and I see that you are using TryAddWithoutValidation for the Authorization header. I'm wondering if that has something to do with the Headers.Authorization field being set to null? I've tried other signing tachniques, and they all throw an exception if I try something like:

Headers.Add("Authorization", $"{signature}");

Presumably that means they don't like the format of the signature I'm providing, but there's no indication why they don't like it.

I'm at a loss here. I can't figure out why the Authorization header is being rejected.

I've even tried building a debug version of your dll to allow me to step into the code, but my project won't build when referencing the dll I built. It's complaining that there's no overload for PostAsync that takes 5 parameters even though -clicking the function in my code takes me directly to the proper call in your code. It seems the code gods are conspiring against me. ;-)

[m-siscogit]

I found my problem. I was creating a set of anonymous credentials to access the user pool and then create my local user. The credentials I was passing to your code were these anonymous credentials and not the user credentials. Duh! Once I started passing the user credentials, everything worked.

I've tried a few different signing tools during this process, and yours is by far the easiest to use and most straightforward. Thanks for publishing this excellent piece of work.

[FantasticFiasco]

Thanks, and I'm happy that you found the problem!