Develop Reference

KRAKEND [JWTValidator] Unable to validate the token: should have a JSON content type for JWKS endpoint

I get the following error while evaluating krakend on MacOS with latest from brew...
[KRAKEND] 2022/09/20 - 11:51:32.488 ▶ ERROR [ENDPOINT: /geo/v1/countries][JWTValidator] Unable to validate the token: should have a JSON content type for JWKS endpoint
My JWKS from keycloak running on AWS does seem to set the Content-Type properly so I do not understand the issue...
{
"$schema": "https://www.krakend.io/schema/v3.json",
"version": 3,
"name": "KrakenD - API Gateway",
"extra_config": {
"security/cors": {
"allow_origins": [
"*"
],
"expose_headers": [
"Content-Length",
"Content-Type"
],
"max_age": "12h",
"allow_methods": [
"GET",
"HEAD"
]
},
"telemetry/logging": {
"level": "DEBUG",
"prefix": "[KRAKEND]",
"syslog": false,
"stdout": true
}
},
"timeout": "3000ms",
"cache_ttl": "300s",
"output_encoding": "json",
"endpoints": [
{
"endpoint": "/geo/v1/countries",
"method": "GET",
"backend": [
{
"url_pattern": "/geo/v1/countries",
"is_collection": true,
"sd": "static",
"method": "GET",
"host": [
"https://api.sophware.com"
],
"disable_host_sanitize": false
}
],
"extra_config": {
"qos/ratelimit/router": {
"max_rate": 0,
"client_max_rate": 10,
"strategy": "header",
"key": "Authorization"
},
"auth/validator": {
"alg": "RS256",
"jwk_url": "https://auth.sophware.com/realms/sophware/protocol/openid-connect/certs",
"issuer": "https://auth.sophware.com/realms/sophware",
"operation_debug": true,
"cache": true
}
}
},
{
"endpoint": "/geo/v1/features",
"method": "GET",
"backend": [
{
"url_pattern": "/geo/v1/features",
"is_collection": true,
"sd": "static",
"method": "GET",
"host": [
"https://api.sophware.com"
],
"disable_host_sanitize": false
}
],
"extra_config": {
"qos/ratelimit/router": {
"max_rate": 0,
"client_max_rate": 5,
"strategy": "ip"
}
}
}
]
}

The error might be misleading because the JWT validation does not have a specific message when there are connectivity errors, but if you are sure the content is well-formed JSON, then the problem is mostly reaching the JWK URL.

Bad Request "ErrorExecuteSearchStaleData" in Microsoft Graph API - Search for Mails

We are using Microsoft Graph Search API to search through our O365 emails. Since the search only allows 25 results per request for mails. (see https://learn.microsoft.com/en-us/graph/api/resources/search-api-overview?view=graph-rest-beta#page-search-results)
We figured to work around this by batching our search request like this:
POST https://graph.microsoft.com/beta/$batch
{
"requests": [
{
"url": "/search/query",
"method": "POST",
"id": "MyMails-0",
"body":
{
"requests": [
{
"entityTypes": ["message"],
"query":
{
"query_string":
{
"query": "some search text"
}
},
"from": 0,
"size": 25
}
]
},
"headers":
{
"Content-Type": "application/json"
}
},
{
"url": "/search/query",
"method": "POST",
"id": "MyMails-1",
"body":
{
"requests": [
{
"entityTypes": ["message"],
"query":
{
"query_string":
{
"query": "some search text"
}
},
"from": 25,
"size": 25
}
]
},
"headers":
{
"Content-Type": "application/json"
}
},
{
"url": "/search/query",
"method": "POST",
"id": "MyMails-2",
"body":
{
"requests": [
{
"entityTypes": ["message"],
"query":
{
"query_string":
{
"query": "some search text"
}
},
"from": 50,
"size": 25
}
]
},
"headers":
{
"Content-Type": "application/json"
}
},
{
"url": "/search/query",
"method": "POST",
"id": "MyMails-3",
"body":
{
"requests": [
{
"entityTypes": ["message"],
"query":
{
"query_string":
{
"query": "some search text"
}
},
"from": 75,
"size": 25
}
]
},
"headers":
{
"Content-Type": "application/json"
}
}
]
}
This works usually well, but in some cases the API returns something like this:
{
"id": "MyMails-2",
"status": 400,
"headers":
{
"Link": "<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,RemoveDeprecatedUnderscoreProperty&from=2021-12-01&to=2022-01-01>;rel=\"deprecation\";type=\"text/html\",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,RemoveDeprecatedUnderscoreProperty&from=2021-12-01&to=2022-01-01>;rel=\"deprecation\";type=\"text/html\",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,RemoveDeprecatedUnderscoreProperty&from=2021-12-01&to=2022-01-01>;rel=\"deprecation\";type=\"text/html\"",
"Deprecation": "Tue, 14 Dec 2021 23:59:59 GMT",
"Sunset": "Sat, 31 Dec 2022 23:59:59 GMT",
"Cache-Control": "no-cache",
"Content-Type": "application/json"
},
"body":
{
"error":
{
"code": "BadRequest",
"message": "\r\n An exception occurred\r\n Lss call failed with status code 400. \"Exchange service returned error ErrorExecuteSearchStaleData: Please reissue the query with rowOffset = 0. The specified rowoffset is '50', but the results are stale.\".",
"innerError":
{
"date": "2022-01-25T09:58:53",
"request-id": "75def95f-a857-427d-a8b4-ee2792329e87",
"client-request-id": "75def95f-a857-427d-a8b4-ee2792329e87"
}
}
}
}
I noticed the deprecation note in the header, however I can't find anything about it. Neither about the actual exception.
What am I missing?
[workaround]
Thanks for the hint #user2250152.
This heavily reduced the issue by splitting the request into two requests, while the second is able to request more than 25 mails at a time:
POST https://graph.microsoft.com/beta/$batch
{
"requests": [
{
"url": "/search/query",
"method": "POST",
"id": "MyMails-0",
"body": {
"requests": [
{
"entityTypes": [
"message"
],
"query": {
"query_string": {
"query": "some search text"
}
},
"from": 0,
"size": 25
}
]
},
"headers": {
"Content-Type": "application/json"
}
},
{
"url": "/search/query",
"method": "POST",
"id": "MyMails-1",
"body": {
"requests": [
{
"entityTypes": [
"message"
],
"query": {
"query_string": {
"query": "some search text"
}
},
"from": 25,
"size": 200
}
]
},
"headers": {
"Content-Type": "application/json"
}
}
]
}

The error with stale results can happen time to time.
You can decrease the number of batch requests to reduce a chance that the error with stale results will occur.
For the first page "from": 0 the max size is 25. But for the next page "from": 25 you can increase the page size to 200.
I've tested the search query with "from": 25 and "size": 200 and it returns 200 results.
Resources:
Page search results

AWS API Gateway api key required not set to 'true' after deployment

I have a .NET solution that uses a SAM template to generate cloudformation to deploy the stack. I am expecting the deployment - once complete - to have API Key Required = true on at least one of the methods. However after deployment, the keys and usage plans are created, but in the console the api key required is still set to false?
See below:
My SAM template:
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Description":"This is a placeholder for the description of this web api",
"Body": {
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source": "HEADER",
"paths": {
"datagw/general/table/get/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {}
},
"security":[
{
"api_key":[]
}
]},
"securityDefinitions":{
"api_key":{
"type":"apiKey",
"name":"x-api-key",
"in":"header"
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"swagger": "2.0"
}
}
},
I am not that familiar with swagger definitions, I know only the basics of SAM and CloudFormation. What am I missing here? I have reviewed other answers on stack overflow and believe I've copied the configuration correctly.
When I check the generated CloudFormation, my entries regarding x-api-key are not even present in the template?
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Body": {
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"paths": {
"datagw/general/table/get/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {}
}
},
"/datagw/general/webhook/ccnotify": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectNotification.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
},
"/datagw/general/post/sohupdate": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectStockUpdate.Arn}/invocations"
}
},
"responses": {}
}
}
},
"swagger": "2.0"
}
}
},
EDIT: This is what I have worked up to, but still API key required is not set to true in the API once the deployment has completed.
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Description":"InSite Web API Version 2.0.0.0",
"Body": {
"swagger": "2.0",
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source" : "HEADER",
"schemes":["https"],
"paths": {
"tables/query/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {},
"security": [
{
"api_key": []
}
]
}
},
"/products/update/": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectStockUpdate.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"securityDefinitions": {
"api_key": {
"type": "apiKey",
"name": "x-api-key",
"in": "header"
}
}
}
}
},

So first off, if you are using the SAM framework, then why not try the serverless API (AWS::Serverless::Api) which has an Auth object where you can turn on ApiKeyRequired.
https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessapi
"ServerlessRestApi": {
"Type": "AWS::Serverless::Api",
"Properties": {
"Description":"InSite Web API Version 2.0.0.0",
"Auth": {
"ApiKeyRequired": "true"
},
"DefinitionBody": {
"swagger": "2.0",
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source" : "HEADER",
"schemes":["https"],
"paths": {
"tables/query/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {},
"security": [
{
"api_key": []
}
]
}
},
"/products/update/": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectStockUpdate.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"securityDefinitions": {
"api_key": {
"type": "apiKey",
"name": "x-api-key",
"in": "header"
}
}
}
}
},
If for some reason you cannot use the serverless, you might be trying to overload the RestApi (which is fine, but you lose some of the other fine grain options). For full disclosure I do not work with API gateway in this way (I use the serverless transform) so this is all from reading the documentation and not from experiance.
I would try creating a bare bones AWS::ApiGateway::RestApi and then attach an AWS::ApiGateway::Method to the RestApi by reference it though RestApiId.
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html

I think you are missing the "securityDefinitions":
Body:
swagger: "2.0"
...
...
securityDefinitions:
sigv4:
type: "apiKey"
name: "x-api-key"
in: "header"
x-amazon-apigateway-authorizer:
type: token
You can find here some more examples:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-as-s3-proxy-export-swagger-with-extensions.html

JSON Batching not working with some Microsoft Teams API

We are trying the JSON batching of Microsoft Graph using this request:
{
"requests": [
{
"id": "1",
"method": "GET",
"url": "/me"
},
{
"id": "2",
"method": "GET",
"url": "/me/joinedTeams"
}
]
}
We are able to get a response from /me, but not for /me/joinedTeams:
{
"responses": [
{
"id": "1",
"status": 200,
"headers": {
"Cache-Control": "no-cache",
"OData-Version": "4.0",
"Content-Type": "application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8"
},
"body": {
// valid response here
}
},
{
"id": "2",
"status": 400,
"body": {
"error": {
"code": "BadRequest",
"message": "Unsupported segment type. ODataQuery: users/35036c48-1e5a-4ca4-89f0-2d11c4cf8937/joinedTeams",
"innerError": {
"request-id": "a075c4f6-362a-469f-945b-5b46d96784a0",
"date": "2018-09-12T10:09:40"
}
}
}
}
]
}
Does batching not support the Teams APIs?

Teams Graph APIs are still in Beta but you're using the /1.0 endpoint. It should work fine on the /beta endpoint.
POST https://graph.microsoft.com/beta/$batch
Accept: application/json
Content-Type: application/json
{
"requests": [
{
"id": "1",
"method": "GET",
"url": "/me"
},
{
"id": "2",
"method": "GET",
"url": "/me/joinedTeams"
}
]
}

Swagger - Set the "response" based on "consumes"

Is it possible to specify the "response" based on the "consumes" option on Swagger?
My API can return "json" or "text" and I'd like that the "example value", when the response's status is 200 changes if the user selects from Response Content Type the option application/json or text/plain.
This is a piece of my swagger.json file:
{
"swagger": "2.0",
"produces": [
"application/json",
"text/plain"
],
"consumes" : [
"application\/json"
],
"paths": {
"/writer/1/": {
"get": {
"summary": "Get all writers",
"description": "Writer description.",
"tags": [
"writer"
],
"responses": {
"200": {
"description" : "successful operation",
"schema" : {
"$ref" : "#\/definitions\/writerResponse"
}
},
}
}
}
"definitions": {
"writerResponse": {
"properties": {
"meta": {
"type" :"object",
"schema" : {
"$ref" : "#\/definitions\/metaDefinition"
}
},
"data": {
"type" :"array",
"items": {
"$ref" : "#\/definitions\/writer"
}
}
}
},
"writer": {
"properties": {
"id": {
"type": "integer",
"description": "writer id.",
"example": "1477"
},
"short": {
"type": "string",
"description": "short description.",
"example": "short example"
},
"modified": {
"type": "string",
"description": "modified description.",
"example": "2016-05-21 22:58:36"
}
}
},
}
This is an example of the JSON output when user selects application/json:
{
"meta": {
"total": "1234",
"last_page": "967",
"per_page": "4000",
"current_page": "1",
"next_page_url": "http://localhost/api/<ws>/1?page=2",
"prev_page_url": "http://localhost/api/<ws>/1?page=1",
"from": "1",
"to": "4000"
},
"data": [
{
"id": "1",
"short": "TEST1",
"modified": "2011-03-07 14:17:23"
},
{
"id": "5",
"short": "TEST2",
"modified": "2015-05-26 12:39:45"
}
]
}
And this is the output when the user selects text/plain:
id|short|modified
1|TEST1|2011-03-07 14:17:23
5|TEST2|2015-05-26 12:39:45