SCIM Bridge AWS ECS - AuthWrap failed to validateAuthHeader
Hi all,
We are trying to set up SCIM bridge using ECS Fargate through Terraform using a modified version of this repository
All configuration seems valid, but whenever a container is launched, it fails after a few minutes with ERR AuthWrap failed to validateAuthHeader error="no auth header; unauthorized" application=op-scim build=201022 component=SCIMServer
While the container is up, the 1Password SCIM Bridge Login Box is shown on the URL, indicating as per the README instructions that there is something wrong with the scimsession file in Secret Manager.
We have tried:
- Base64-encoding the file manually and storing it in Secret Manager
- Base64-encoding it through the provided Terraform-code and storing in Secret Manager
- Recreating the scimsession file
- Running
curl -X GET -H "Authorization: bearer $BEARER_TOKEN" $DOMAIN/Users
(results in 401 unauthorized) - Logging in with bearer token (also results in 401)
Worth noting:
- The scimsession is stored in Secret Manager in plaintext
We are using a custom ALB, certificate and records for TCP, not letsencrypt. The certificate looks fine in the url
This is the logs of a container lifecycle before it fails:
Here is the secret configuration in the container definition:
And here is the secret:
Any clue what might be going wrong here? All help or ideas welcome. Thanks in advance
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Hi @vhs_n10,
While I don't have an immediate solution for you, I can point out a few things that do not look quite right.
Frist, the leading value for authorization value is case sensitive: it must be
Bearer
notbearer
. That is probably the reason for the 401 from your fourth troubleshooting attempt. For more, please see the OAuth Bearer Token RFC, RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1Second, to give you a bit more context, we have a couple of different Auth Errors that will be presented. The four primary ones are:
-failed to loadCredentialsFile
-no auth header; unauthorized
-no bearer token present; unauthorized
-Authentication failed, invalid bearer token
Respectively these mean that:
- No scimsession was given to the SCIM bridge, and so it cannot be loaded to authenticate against
- NoAuthorization
header was included in the request. EG:curl -X GET -H "" $DOMAIN/Users
- No bearer token value was included in the request. EG:curl -X GET -H "Authorization: Bearer" $DOMAIN/Users
- An invalid bearer token was used to attempt authorization. This is a well formed request with an invalid value. EG:curl -X GET -H "Authorization: Bearer $BADVALUE" $DOMAIN/Users
I bring these differences up to hopefully help guide you in your troubleshooting. They all return a 401.
In your case, I would do the following:
- Try thecurl
request again withBearer
as the Authorization key. Does that authenticate successfully? If not, what is the error?
- If the curl does succeed, examine why headers may be getting stripped somewhere in the process. I would examine your ALB in this case.
- If the curl does not succeed, it is most likely that your scimsession and bearer token do not match. Regenerate the two and toss out all old values.If you are having further troubles after trying that, feel free to respond here or reach out to our support team via email. In the latter case we can give you more personalized help than what is available over a forum.
Graham
0