Error 401 Unauthorized invoking Azure App Configuration from Postman

  • Question

  • Hi,

    I'm getting the below error with 401 Status code

    "HMAC-SHA256 error="invalid_token", error_description="Invalid Signature""

    invoking an Azure App Configuration resource from Postman using the headers generated with the JavaScript code provided by this guide.

    However, sending the same headers works fine from a Java application using this library.

    What could be the problem?

    Thanks in advance.


    Thursday, August 1, 2019 1:20 PM

All replies

  • Does the signature you're using in Postman match what's returned by buildSignature(...) in Java application?

    Thanks in advance, Ryan

    Thursday, August 1, 2019 4:30 PM
  • Thanks for the reply, Ryan.

    Yes, both the JavaScript and Java code produce the same Authorization header.

    The Postman request also fails when providing the Java-generated Authentication and Date headers.

    Below the sending request headers:

    GET /kv?label=%00&key==###############/%2A
    Authorization: HMAC-SHA256 Credential=###############, SignedHeaders=x-ms-date;host;x-ms-content-sha256, Signature=###############
    x-ms-content-sha256: ###############
    x-ms-date: Fri, 02 Aug 2019 12:35:25 GMT
    Accept: application/vnd.microsoft.appconfig.kv+json;
    x-ms-return-client-request-id: true
    User-Agent: PostmanRuntime/7.15.2
    Cache-Control: no-cache
    Host: ###############
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    HTTP/1.1 401
    status: 401
    Server: nginx/1.13.12
    Date: Fri, 02 Aug 2019 12:35:24 GMT
    Content-Length: 0
    Connection: keep-alive
    WWW-Authenticate: HMAC-SHA256 error="invalid_token", error_description="Invalid Signature"
    x-ms-request-id: =###############,
    x-ms-correlation-request-id: ################
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
    Access-Control-Allow-Headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Authorization, x-ms-client-request-id, x-ms-content-sha256, x-ms-date, host, Accept, Accept-Datetime, Date, If-Match, If-None-Match, Sync-Token, x-ms-return-client-request-id, ETag, Last-Modified, Link, Memento-Datetime, x-ms-retry-after, x-ms-request-id, WWW-Authenticate
    Access-Control-Expose-Headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Authorization, x-ms-client-request-id, x-ms-content-sha256, x-ms-date, host, Accept, Accept-Datetime, Date, If-Match, If-None-Match, Sync-Token, x-ms-return-client-request-id, ETag, Last-Modified, Link, Memento-Datetime, x-ms-retry-after, x-ms-request-id, WWW-Authenticate
    Strict-Transport-Security: max-age=15724800; includeSubDomains
    Thanks in advance
    • Edited by user872 Friday, August 2, 2019 12:42 PM
    Friday, August 2, 2019 12:41 PM
  • And just to make sure, you've already been down the https://sqa.stackexchange.com/a/25384 route?

    Thanks in advance, Ryan

    Friday, August 2, 2019 5:11 PM
  • Thanks, Ryan, for the support.

    I've just read it and tested the same headers with SoapUI, but I still get Unauthorized.

    The generated Authorization header is the same one that works for Java :(

    Saturday, August 3, 2019 10:31 AM
  • It's been brought to my attention that this feature is in preview. Therefore, we would like to work closely with you in this matter. Can you email us at AzCommunity[at]microsoft[dot]com? Please reference this thread and enclose your subscription id.


    Thanks in advance, Ryan

    Monday, August 5, 2019 5:36 PM
  • Hi user872,

    I did hear from the product group on the Azure App Configuration. The problem might be that the request sent by Postman has URI-encoded ‘*’ as %2A:

    /kv?label=%00&key=###############/%2A

    The working scenario from Java may not encode this:

    /kv?label=%00&key=###############/*

    As expected the Authorization header can’t be reused. The signature should be different because the request URI in both scenarios is different.


    Thanks in advance, Ryan

    Wednesday, August 14, 2019 5:24 PM
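
Added example, not part of the thread or of Microsoft's guide: a Node.js model of the point in the reply above, that the signature covers the request target byte for byte, so `*` and `%2A` need different signatures. It assumes the string-to-sign layout from the App Configuration HMAC documentation (method, path and query, then the x-ms-date, host and x-ms-content-sha256 values); the host, key name and secret are constructed.

```javascript
// Added example: models the documented HMAC scheme; host, key and secret are constructed.
const crypto = require("node:crypto");

const b64 = (buf) => buf.toString("base64");

// String-to-sign: METHOD \n path-and-query \n date;host;content-hash (the signed header values).
function stringToSign(method, pathAndQuery, date, host, contentHash) {
  return `${method.toUpperCase()}\n${pathAndQuery}\n${date};${host};${contentHash}`;
}

function sign(secretB64, method, pathAndQuery, date, host, body = "") {
  const contentHash = b64(crypto.createHash("sha256").update(body, "utf8").digest());
  const sts = stringToSign(method, pathAndQuery, date, host, contentHash);
  const signature = b64(
    crypto.createHmac("sha256", Buffer.from(secretB64, "base64")).update(sts, "utf8").digest()
  );
  return { contentHash, signature };
}

// Service-side model: recompute over the request target exactly as received on the wire.
function verify(secretB64, received) {
  const { signature } = sign(secretB64, received.method, received.target,
    received.date, received.host, received.body);
  const a = Buffer.from(signature), b = Buffer.from(received.signature);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample values (not taken from the thread).
const SECRET = b64(Buffer.from("constructed-demo-secret"));
const HOST = "example-store.azconfig.io";
const DATE = "Fri, 02 Aug 2019 12:35:25 GMT";
const RAW = "/kv?label=%00&key=app/*";       // what the script signed
const ENCODED = "/kv?label=%00&key=app/%2A"; // what the client put on the wire

function demo() {
  const signed = sign(SECRET, "GET", RAW, DATE, HOST);
  const base = { method: "GET", date: DATE, host: HOST, body: "", signature: signed.signature };
  return {
    sentAsSigned: verify(SECRET, { ...base, target: RAW }),      // accepted
    sentReencoded: verify(SECRET, { ...base, target: ENCODED }), // rejected: "Invalid Signature"
    resignedForWire: verify(SECRET, {
      ...base, target: ENCODED, signature: sign(SECRET, "GET", ENCODED, DATE, HOST).signature,
    }),                                                          // accepted
  };
}
console.log(demo());
```

When debugging a 401 like this one, compare the path and query passed to the signing script with the request line the client actually sent (for example in the Postman console), character by character.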
  • Thanks a lot Ryan,

    I agree with you. Actually, I'm not reusing it; I'm using the JavaScript code from the Azure App Configuration page, but unfortunately it is not working.

    How can I try to send such a call from Postman or any REST client?

    • Edited by user872 Tuesday, September 10, 2019 4:54 PM
    Tuesday, September 10, 2019 4:54 PM