AWS API Gateway provides an option to use custom authorization via a Lambda function. In this approach, the user is expected to configure a custom header name (Example: Authorization or Auth). This header value will be extracted by Gateway and passed on to the Lambda event.
However, Gateway searches the incoming headers case-sensitively, i.e. if the user specifies the header as authorization instead of Authorization, Gateway returns 401. Why does this search case-sensitively when the HTTP protocol states that headers can be case-insensitive?
API Gateway enacts the following restrictions and limitations when handling methods with either Lambda integration or HTTP integration. Header names and query parameters are processed in a case-sensitive way.
The default behavior of HTTP headers is case-insensitive; the headers should be accessible within the flow using any case.
To pass custom headers from an API Gateway API to a Lambda function, use a body mapping template. The API sends the updated API request to a Lambda function to process the headers. Then, the Lambda function returns one or more header values from the original API request.
Yep, this is a known issue with the custom authorizer, and also the header mapping functionality in API Gateway. Header matches are case sensitive, which as you stated is against the spec. I don't have an ETA for fixing this but it is a known issue that we would like to fix.
Edit: This should now be resolved. The custom authorizer header match is case insensitive.
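A Lambda authorizer can also read its token header without depending on the client's casing. The sketch below is an added example, not code from the posts above or from AWS. It assumes a REQUEST-type authorizer whose event carries `headers` and `methodArn`; `HEADER_NAME`, `EXPECTED_TOKEN` and `SAMPLE_ARN` are constructed values.

```python
import hmac

HEADER_NAME = "Authorization"              # assumption: the configured header name
EXPECTED_TOKEN = "constructed-demo-token"  # constructed; real code verifies a JWT or similar
SAMPLE_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/test/GET/items"  # constructed


def get_header(headers, name):
    """Return the value of `name`, matching the header name case-insensitively.

    Returns None when the header is absent, or when it appears under several
    casings with conflicting values (ambiguous input is rejected, not guessed).
    """
    wanted = name.lower()
    values = {v for k, v in (headers or {}).items() if k.lower() == wanted}
    return values.pop() if len(values) == 1 else None


def policy(principal, effect, resource):
    """Build the IAM policy document a Lambda authorizer returns."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
    }


def handler(event, context=None):
    token = get_header(event.get("headers"), HEADER_NAME)
    if token is None:
        # API Gateway maps this exact message to a 401 response.
        raise Exception("Unauthorized")
    # Constant-time comparison so the check does not leak token prefixes.
    ok = hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())
    return policy("demo-user", "Allow" if ok else "Deny", event["methodArn"])
```
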