Former Member
5 years ago
SCIM Bridge AWS ECS - AuthWrap failed to validateAuthHeader
Hi all,
We are trying to set up SCIM bridge using ECS Fargate through Terraform using a modified version of https://github.com/1Password/scim-examples/tree/master/aws-ecsfargate-terraform
All c...
Former Member
5 years ago
Hi @vhs_n10,
While I don't have an immediate solution for you, I can point out a few things that do not look quite right.
First, the leading value for authorization value is case sensitive: it must be Bearer not bearer. That is probably the reason for the 401 from your fourth troubleshooting attempt. For more, please see the OAuth Bearer Token RFC, RFC 6750. https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
Second, to give you a bit more context, we have a couple of different Auth Errors that will be presented. The four primary ones are:
- failed to loadCredentialsFile
- no auth header; unauthorized
- no bearer token present; unauthorized
- Authentication failed, invalid bearer token
Respectively these mean that:
- No scimsession was given to the SCIM bridge, and so it cannot be loaded to authenticate against
- No Authorization header was included in the request. EG: curl -X GET -H "" $DOMAIN/Users
- No bearer token value was included in the request. EG: curl -X GET -H "Authorization: Bearer" $DOMAIN/Users
- An invalid bearer token was used to attempt authorization. This is a well formed request with an invalid value. EG: curl -X GET -H "Authorization: Bearer $BADVALUE" $DOMAIN/Users
I bring these differences up to hopefully help guide you in your troubleshooting. They all return a 401.
In your case, I would do the following:
- Try the curl request again with Bearer as the Authorization key. Does that authenticate successfully? If not, what is the error?
- If the curl does succeed, examine why headers may be getting stripped somewhere in the process. I would examine your ALB in this case.
- If the curl does not succeed, it is most likely that your scimsession and bearer token do not match. Regenerate the two and toss out all old values.
If you are having further troubles after trying that, feel free to respond here or reach out to our support team via email. In the latter case we can give you more personalized help than what is available over a forum.
Graham
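
The triage in the reply above, as an added shell example that is not part of the original post and is not 1Password code: it compares the header handed to `curl -H` with the error the bridge reported, so a well-formed request that still produces a "missing header" error points at something between client and bridge. The four error strings are the ones quoted in the reply; the function names, verdict names and sample token are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not 1Password code). Error strings are the four quoted in the reply;
# function names, verdict names and sample values are constructed for illustration.

# Print the outcome the reply describes for a header as it is passed to `curl -H`.
expected_for_header() {
  local header="$1" value
  case "$header" in
    [Aa]uthorization:*) value="${header#*:}" ;;
    *) echo "no auth header; unauthorized"; return ;;
  esac
  value="${value#"${value%%[! ]*}"}"   # trim leading spaces
  value="${value%"${value##*[! ]}"}"   # trim trailing spaces
  case "$value" in
    Bearer)      echo "no bearer token present; unauthorized" ;;
    "Bearer "?*) echo "token-checked" ;;   # well formed; the token value decides
    [Bb][Ee][Aa][Rr][Ee][Rr]|[Bb][Ee][Aa][Rr][Ee][Rr]" "*)
                 echo "scheme-case" ;;     # e.g. "bearer"; the reply says to send "Bearer"
    *)           echo "unknown" ;;
  esac
}

# Compare what was sent with the error the bridge logged and print a verdict.
triage() {
  local expected observed="$2"
  expected="$(expected_for_header "$1")"
  case "$observed" in
    *"failed to loadCredentialsFile"*) echo "bridge-has-no-scimsession"; return ;;
  esac
  case "$expected" in
    scheme-case) echo "fix-scheme-case" ;;
    token-checked)
      case "$observed" in
        # Sent a full header, bridge saw none or no token: look at the ALB.
        *"no auth header"*|*"no bearer token present"*) echo "header-changed-in-transit" ;;
        *"invalid bearer token"*) echo "regenerate-scimsession-and-token" ;;
        *) echo "unknown" ;;
      esac ;;
    unknown) echo "unknown" ;;
    *) case "$observed" in
         *"$expected"*) echo "fix-request-header" ;;  # bridge error matches the malformed request
         *) echo "unknown" ;;
       esac ;;
  esac
}

# Constructed sample: a well-formed header, but the bridge logged a missing header.
triage 'Authorization: Bearer SAMPLE_TOKEN' 'no auth header; unauthorized'
```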