ciao! we stumbled upon an issue using Auth plugin ...
# ktor
ciao! we stumbled upon an issue using Auth plugin and AWS API Gateway. Trying to summarize, when a request with an invalid token is performed towards a auth-protected Gateway endpoint, a 401 response is provided, along with the following www-authenticate header:
www-authenticate: Bearer scope="" error="invalid_token" error_description="token contains an invalid number of segments"
but according to the Auth parser, this header is malformed (see stacktrace below). In the end, this causes refresh tokens never to be requested. Can you confirm whether this issue is on the parser or on AWS? Thank you in advance Ktor and Auth plugin ver: 2.2.1
Copy code
io.ktor.http.parsing.ParseException: Expected delimiter , at position 16, but found e
	at io.ktor.http.auth.HttpAuthHeaderKt.skipDelimiter(HttpAuthHeader.kt:441)
	at io.ktor.http.auth.HttpAuthHeaderKt.matchParameters(HttpAuthHeader.kt:141)
	at io.ktor.http.auth.HttpAuthHeaderKt.parseAuthorizationHeader(HttpAuthHeader.kt:106)
	at io.ktor.http.auth.HttpAuthHeaderKt.parseAuthorizationHeaders(HttpAuthHeader.kt:69)
	at io.ktor.client.plugins.auth.Auth$Plugin$install$2.invokeSuspend(Auth.kt:58)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
	at kotlinx.coroutines.internal.DispatchedContinuation.resumeWith(DispatchedContinuation.kt:205)
	at io.ktor.util.pipeline.SuspendFunctionGun.resumeRootWith(SuspendFunctionGun.kt:135)
	at io.ktor.util.pipeline.SuspendFunctionGun.loop(SuspendFunctionGun.kt:109)
	at io.ktor.util.pipeline.SuspendFunctionGun.access$loop(SuspendFunctionGun.kt:11)
	at io.ktor.util.pipeline.SuspendFunctionGun$continuation$1.resumeWith(SuspendFunctionGun.kt:59)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:46)
	at android.os.Handler.handleCallback(
	at android.os.Handler.dispatchMessage(
	at android.os.Looper.loopOnce(
	at android.os.Looper.loop(
	at java.lang.reflect.Method.invoke(Native Method)
According to the specification, parameters should be delimited by comma so this is an AWS problem.
if i understood the specs correctly, comma should separate the different challenge methods available. in this case, only Bearer is a valid challenge method. aws would be right in their response. am i getting this wrong?
just reviewed it, different challenges should go to different header declarations. nonetheless, i wouldn’t know how to have this sorted out. what’s returning the wrong header is AWS API Gateway, with configuration only (absolutely no code from us). would that mean we are obliged to drop the Auth plugin?
I cannot find the syntax description of the
header for the
scheme but the last example in the section from the specification contains attributes separated by comma.
different challenges should go to different header declarations
As I see, you have only one challenge
thank you for your time! so, if i got this correctly, the options we have to overcome this are: • ask AWS to fix the header • give up using Auth plugin to manage refresh tokens • fork Auth plugin just for the sake of changing the parser
👌 1