Is there something extra I need to do to allow my ...
# ask-a-descoper
s
Is there something extra I need to do to allow my AWS lambda function to authenticate with descope? It keeps freezing on the descope_client.validate_session(session_token) line with valid inputs whereas locally it works just fine. This could also just be an internet access issue on my end but I wanted to double check here since that route isn't working as expected.
s
Can the lambda hit other apis ? What error you get ?
s
No error, it just times out. Let me check on the other apis
@square-vr-55083 Yes it can query other apis
s
Ok, can you try again ? And place the code snippet here ?
s
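from descope import DescopeClient

client = DescopeClient(project_id='')

def lambda_handler(event, context):
    # Read the bearer token from the 'authorization' header of the event
    headers = event.get("headers", {})
    ds_token = headers.get("authorization", "0 0").split(" ")[1]
    # Debug output only: this writes the session token to the function's logs
    print(ds_token)
    jwtdict = client.validate_session(session_token=ds_token)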
s
Just plz remove tokens and project id
s
I had the token hard coded in there in case my pulling it from the headers wasn't working as expected and still got a "Task timed out after 10.01 seconds" error
When the token isn't valid it takes less than 3 seconds
That's weird. I just uploaded a new token that works when I run the code locally, but on the lambda I get this error:
{
  "errorMessage": "{'status_code': 401, 'error_type': 'invalid token', 'error_message': \"Invalid session token: {'status_code': 500, 'error_type': 'invalid public key', 'error_message': 'Unable to validate public key. Public key not found.'}\"}",
  "errorType": "AuthException",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 14, in lambda_handler\n    jwtdict = client.validate_session(session_token=ds_token)\n",
    "  File \"/var/task/descope/descope_client.py\", line 186, in validate_session\n    return self._auth.validate_session(session_token)\n",
    "  File \"/var/task/descope/auth.py\", line 528, in validate_session\n    401, ERROR_TYPE_INVALID_TOKEN, f\"Invalid session token: {e}\"\n"
  ]
}
s
Remember the access token has 10 min validity
Will expire after that
s
Right, but the same session token authenticates correctly when I run this code in my local browser
s
Ok, will need to try replicating it
@salmon-night-88354 @dazzling-oyster-96577 if you tried this in lambda, plz share
@steep-keyboard-7095 is your project id ends with
s
j8yjSes
s
ASNT
Ohh ok, let me check
s
I noticed that when I initialize the descope client, I only put in the project_id, but there are fields for the public_key and the management_key. Does that have anything to do with it?
s
Mgmt key not relevant for your use case
Public key , you can use, it will spare you the need to hit our endpoints for session validation
s
Where do I get that? Could you explain to me how these 2 keys work under the hood?
o
@steep-keyboard-7095 management keys are special tokens that let you control console settings through the API. Read more here: https://docs.descope.com/manage/
The public key is the key used to validate the jwt signed by the private key that is safely stored with descope. When you first validate a key the SDK fetches the current public key from the descope api, so you don't need to hardcode it. It might also rotate for various reasons so hardcoding it is not recommended and used mostly for debugging and troubleshooting
Regarding your lambda hang, can you determine the exact function call that hangs? You could use printing to see what runs and what doesn't
s
Thanks omer, I've done that and it hangs on the validate_session function call
o
Can you turn on debug logs?
s
I've already copied and pasted all the debug logs that I get into this thread but I can do it again
o
I'm sorry for my confusion, does it hang or throw an error ?
s
There seem to be 2 things that I've noticed with this bug and the code doesn't change between these 2 behaviors. 1. it hangs. or 2. it gives this error:
[ERROR] AuthException: {'status_code': 401, 'error_type': 'invalid token', 'error_message': "Invalid session token: {'status_code': 500, 'error_type': 'invalid public key', 'error_message': 'Unable to validate public key. Public key not found.'}"}
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 13, in lambda_handler
    jwtdict = client.validate_session(session_token=ds_token)
  File "/var/task/descope/descope_client.py", line 186, in validate_session
    return self._auth.validate_session(session_token)
  File "/var/task/descope/auth.py", line 528, in validate_session
    401, ERROR_TYPE_INVALID_TOKEN, f"Invalid session token: {e}"
But when it throws that error, I test out the session token with the same code locally and it works
o
Try setting an env var in the lambda settings
DESCOPE_BASE_URI = https://api.descope.com
s
Done. When I run the code in the lambda I get the same error: Task timed out after 10.01 seconds. When I run it locally I get a success message.
o
Notice my edit to the last message: URI, not URL
s
Ok, testing it now with
DESCOPE_BASE_URI = https://api.descope.com
Same issue
o
Ok Let me try and reproduce this issue , few mins
s
Here's my py file
I took out the tokens
I've configured a function URL to my lambda function and it's in a VPC, although I can successfully query a different public API so that's not the issue
o
do you use a zip with runtime or a docker image?
s
zip
I can give you the zip if you like
o
sure that would help
s
o
I think this might be related to the cryptography version and lambda runtime, please allow me to investigate further and will get back to you tomorrow
s
When I do the pip install descope --target ./package command to build the zip I do get this error:
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
conda-repo-cli 1.0.4 requires pathlib, which is not installed.
anaconda-project 0.10.2 requires ruamel-yaml, which is not installed.
aiohttp 3.8.1 requires charset-normalizer<3.0,>=2.0, but you have charset-normalizer 3.1.0 which is incompatible.

Successfully installed PyJWT-2.6.0 certifi-2023.5.7 cffi-1.15.1 charset-normalizer-3.1.0 cryptography-40.0.2 descope-1.5.0 dnspython-2.3.0 email-validator-1.3.1 idna-3.4 pycparser-2.21 requests-2.28.2 urllib3-1.26.15
But it exits normally
o
that’s odd - we don’t use conda-repo-cli in our sdk
s
When I first got the packages for descope and uploaded them with the .py file, I did get this error in testing if that helps.
pip install descope --target ./package
{
  "errorMessage": "Unable to import module 'lambda_function': cannot import name 'ObjectIdentifier' from 'cryptography.hazmat.bindings._rust' (unknown location)",
  "errorType": "Runtime.ImportModuleError",
  "stackTrace": []
}
This error goes away if I use a venv btw
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
conda-repo-cli 1.0.4 requires pathlib, which is not installed.
anaconda-project 0.10.2 requires ruamel-yaml, which is not installed.
aiohttp 3.8.1 requires charset-normalizer<3.0,>=2.0, but you have charset-normalizer 3.1.0 which is incompatible.
I tried to make it from scratch again, but ran into a different problem. Hopefully all this info I'm giving you can help you reproduce it
I found that the cryptography package issue with the error message as described above is gone when I force install cryptography package 3.4.8
Here's the updated package
s
So now It works ?
s
No
I get the same issue that this code in a virtual environment works on my local computer but not in AWS, I keep getting the AuthException error as stated above in the lambda, but a successful authentication locally
This is the last piece of the puzzle for me before I can launch my business, so thank you in advance for helping me solve this
@orange-belgium-27264 @square-vr-55083 Any progress? To reiterate, my issue is that the descopeClient.validate_session function call works locally, but not in my lambda function with the same credentials and code. I tried using lambda layers and landed a few debug logs. Do they help?
y", line 8, in <module>
import jwt
File "/opt/python/lib/python3.10/site-packages/jwt/__init__.py", line 1, in <module>
from .api_jwk import PyJWK, PyJWKSet
File "/opt/python/lib/python3.10/site-packages/jwt/api_jwk.py", line 6, in <module>
from .algorithms import get_default_algorithms
File "/opt/python/lib/python3.10/site-packages/jwt/algorithms.py", line 6, in <module>
from .utils import (
File "/opt/python/lib/python3.10/site-packages/jwt/utils.py", line 7, in <module>
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve
File "/opt/python/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 10, in <module>
from cryptography.hazmat._oid import ObjectIdentifier
File "/opt/python/lib/python3.10/site-packages/cryptography/hazmat/_oid.py", line 7, in <module>
from cryptography.hazmat.bindings._rust import (
pyo3_runtime.PanicException: Python API call failed
ModuleNotFoundError: No module named '_cffi_backend'
thread '<unnamed>' panicked at 'Python API call failed', /github/home/.cargo/registry/src/index.crates.io-6f17d22bba15001f/pyo3-0.15.2/src/err/mod.rs:582:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last):
File "/var/runtime/bootstrap.py", line 60, in <module>
main()
File "/var/runtime/bootstrap.py", line 57, in main
awslambdaricmain.main([os.environ["LAMBDA_TASK_ROOT"], os.environ["_HANDLER"]])
File "/var/runtime/awslambdaric/__main__.py", line 21, in main
bootstrap.run(app_root, handler, lambda_runtime_api_addr)
File "/var/runtime/awslambdaric/bootstrap.py", line 389, in run
request_handler = _get_handler(handler)
File "/var/runtime/awslambdaric/bootstrap.py", line 39, in _get_handler
m = importlib.import_module(modname.replace("/", "."))
File "/var/lang/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 883, in exec_module
File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
File "/var/task/lambda_function.py", line 2, in <module>
from descope import DescopeClient, AuthException
File "/opt/python/lib/python3.10/site-packages/descope/__init__.py", line 10, in <module>
from descope.descope_client import DescopeClient
File "/opt/python/lib/python3.10/site-packages/descope/descope_client.py", line 5, in <module>
from descope.auth import Auth  # noqa: F401
File "/opt/python/lib/python3.10/site-packages/descope/auth.py", line 8, in <module>
import jwt
File "/opt/python/lib/python3.10/site-packages/jwt/__init__.py", line 1, in <module>
from .api_jwk import PyJWK, PyJWKSet
File "/opt/python/lib/python3.10/site-packages/jwt/api_jwk.py", line 6, in <module>
from .algorithms import get_default_algorithms
File "/opt/python/lib/python3.10/site-packages/jwt/algorithms.py", line 6, in <module>
from .utils import (
File "/opt/python/lib/python3.10/site-packages/jwt/utils.py", line 7, in <module>
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve
File "/opt/python/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 10, in <module>
from cryptography.hazmat._oid import ObjectIdentifier
File "/opt/python/lib/python3.10/site-packages/cryptography/hazmat/_oid.py", line 7, in <module>
from cryptography.hazmat.bindings._rust import (
pyo3_runtime.PanicException: Python API call failed
START RequestId: 93f1e34f-39da-4833-89a5-fbbedb4ab2a2 Version: $LATEST
RequestId: 93f1e34f-39da-4833-89a5-fbbedb4ab2a2 Error: Runtime exited with error: exit status 1
Runtime.ExitError
END RequestId: 93f1e34f-39da-4833-89a5-fbbedb4ab2a2
REPORT RequestId: 93f1e34f-39da-4833-89a5-fbbedb4ab2a2	Duration: 4389.90 ms	Billed Duration: 4390 ms	Memory Size: 128 MB	Max Memory Used: 18 MB
s
Hey @steep-keyboard-7095 We had a bit of a busy day here, so we will test this one deeply tomorrow. In the meantime, can you try to fetch your public key, using https://docs.descope.com/api/openapi/sessiongetkeys/operation/GetKeysV2/ (using curl, not in lambda)? After you fetch the public key, use it as an argument to your descope client init, inside your lambda plz
s
Ok, so I ran the code and passed through the public key json file and got a new error! This situation is interesting because if I use cryptography v3.4.8 then I get this error
"errorMessage": "No module named 'cryptography.hazmat.bindings._openssl'",
But if I use v35.0.0 or higher then I get this error
"errorMessage": "Unable to import module 'lambda_function': cannot import name 'asn1' from 'cryptography.hazmat.bindings._rust' (unknown location)",
@orange-belgium-27264 @square-vr-55083 Great news! I solved the issue, and I did it using the version of cryptography used by descope. The problem seems to be that not all of the cryptography package gets properly loaded into the site-packages when you package it up to deploy it to AWS; I'm still a bit fuzzy on what and why.
The solution is (please put this in documentation somewhere) to use 2 Lambda Layers. The first is one with the properly installed cryptography package. There's one online that you can use here: https://github.com/keithrozario/Klayers/tree/master#using-the-layers Make sure that it matches the Python runtime and the region that your lambda is configured for/in.
The second layer is the descope site packages with the cryptography packages removed. The commands would be
pip install --target ./python/lib/python3.9/site-packages/ descope
then navigate down there:
cd python/lib/python3.9/site-packages
and remove the cryptography packages:
rm -r cryptography*
rm -r cffi*
rm -r pycparser*
Of course, replace python3.9 with whatever your operating system version of python is (which must match the lambda function).
Finally, now that the package is ready, navigate up to the top folder and zip the python folder you created in the first step. Then create a new lambda layer and upload this package to it. Then to make it work for the lambda function, all you have to do is create the function, go to the bottom and add the 2 layers, and then it works.
And in case you're wondering, this method works with both specifying and not specifying the public key
s
Great news !! @dazzling-oyster-96577 @salmon-night-88354 can you plz have the above documented
o
thanks, great @steep-keyboard-7095! that was my first suspicion: cryptography is built during install, so moving it between CPU architectures is tricky. we’ll work to provide a more coherent error when this happens (@important-microphone-85224 FYI) and perhaps even a lambda layer to ease the deployment