AWS SignatureV4 - 请求签名有时不匹配?

问题描述 投票:0回答:1

我们正在使用 AWS SignatureV4 通过 IAM 授权者向 API 网关发出请求,并发现签名仅在某些时候有效...

我们正在使用 AWS 开发工具包签署请求。

$credentials = new Credentials(env('AWS_ACCESS_KEY_ID', ''), env('AWS_SECRET_ACCESS_KEY', ''));
$signer = new SignatureV4('execute-api', env('AWS_DEFAULT_REGION', ''));
$request = $signer->signRequest($request, $credentials);

以下是正在提出的两个示例请求。 (我已经编辑了敏感信息。这些字段在请求之间是相同的)

https://[redacted].execute-api.eu-west-1.amazonaws.com/dev-ew1/api/v1/users?userId[]=34129&userId[]=2405&userType=student&oktaId=[redacted]
https://[redacted].execute-api.eu-west-1.amazonaws.com/dev-ew1/api/v1/users?userId[]=2405&userId[]=196624&userType=student&oktaId=[redacted]

最上面的请求已正确签名并已处理。第二个请求失败并显示以下消息:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. 
Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/dev-ew1/api/v1/users
oktaId=[redacted]&userId%5B%5D=196624&userId%5B%5D=2405&userType=student
host:[redacted].execute-api.eu-west-1.amazonaws.com
x-amz-date:20231218T101701Z
x-platform:messaging
x-platform-organisation:55

host;x-amz-date;x-platform;x-platform-organisation
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20231218T101701Z
20231218/eu-west-1/execute-api/aws4_request
3400b7c56695b319d050d264522b645bf19346449c2147768fc0ca10b36001cf'

成功和失败的请求都有相同的标头。

{
    "Host": [
        "[redacted].execute-api.eu-west-1.amazonaws.com"
    ],
    "X-Platform": [
        "messaging"
    ],
    "X-Platform-Organisation": [
        "55"
    ],
}

两者都使用相同的 AWS 凭证。失败总是一样的。唯一改变的是 URL。例如

-- Query 2405 - Works
https://[redacted].execute-api.eu-west-1.amazonaws.com/dev-ew1/api/v1/users?userId[]=2405&userType=student&oktaId=[redacted]

-- Query 196624 - Works
https://[redacted].execute-api.eu-west-1.amazonaws.com/dev-ew1/api/v1/users?userId[]=196624&userType=student&oktaId=[redacted]

-- Query 2405 + 196624 at the same time - Signing Error
https://[redacted].execute-api.eu-west-1.amazonaws.com/dev-ew1/api/v1/users?userId[]=2405&userId[]=196624&userType=student&oktaId=[redacted]

-- Query 2405 + 34129 at the same time and this works fine??
https://[redacted].execute-api.eu-west-1.amazonaws.com/dev-ew1/api/v1/users?userId[]=34129&userId[]=2405&userType=student&oktaId=[redacted]

我们使用 PHP8.1 和 aws sdk 3.294.1

关于如何进一步调试并解决这个问题有什么想法吗?

php laravel aws-sdk aws-php-sdk
1个回答
0
投票

我认为 

?userId[]=2405&userId[]=196624
是 W3C 规范的一部分。不过,这似乎是 PHP 的事情。正如 apokryfos 在评论中建议的那样。用不同的方式替换它来传递用户 ID 可以解决该问题。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.