Custom response Lambda Authorizer for 401

Calling the Lambda callback function from a Lambda Authorizer with the string Unauthorized in the error parameter returns a 401 response with the body:

{ "message": "Unauthorized" }

Trying to use any other string in the response results in the response:

{ "message": null }

If instead you return a Deny Policy Document in the result parameter of the callback, you'll get a 403 with the response something like:

{ "message": "Unable to access resource with an explicit deny" }

After looking around it seems you need to configure a Gateway Response to return a custom response from a Lambda Authorizer, which I have working for the 403 response, but can't figure out how to do this for a 401.

For the 403 I created a Gateway Response with the template:

{\"message\":\"$context.authorizer.stringKey\"}

Then on the result object I set the following

ResultObject.context.stringKey = 'My custom response'

This works and is documented here.

However, for the 401, because I am not returning a policy document I don't know how to use a custom response. I created the same Gateway Response as I did for the 403, but if I hit the callback with any string (other than 'Unauthorized') in the error param I get the null message. I can't return in the result param because this needs to be a response structure containing the Policy Document.

Any ideas on how I can return a custom response with a 401?

Asked by Simian on Aug 08 '18 18:08


2 Answers

Sorry to not answer your direct question, but I do think people (like me) might encounter this thread when looking for how to implement the first part of your question (return a 401 response from the authorizer lambda). You can follow the AWS example here.

TL;DR:

For async functions, throw an error whose message exactly matches the string "Unauthorized":

exports.handler = async function (event) {
  // ... token validation goes here ...
  throw Error("Unauthorized");
}

For synchronous functions, call the callback with its first parameter (the error response) exactly matching the string "Unauthorized":

exports.handler = function (event, context, callback) {
  // ... token validation goes here ...
  callback("Unauthorized");  // Compared to a successful response `callback(null, ...)`
}

In both cases the response from the API gateway endpoint protected by your authorizer lambda would be:

401
{
  "message": "Unauthorized"
}
Answered by boarik on Oct 02 '22 21:10
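The following is an added example, not code from the question or from either answer, that puts the two mechanisms discussed on this page into one Node.js Lambda authorizer: throwing an error whose message is exactly "Unauthorized" to get the 401 (the answer above), and returning an explicit Deny policy with a `context.stringKey` value that a Gateway Response template such as `{"message":"$context.authorizer.stringKey"}` can render for the 403 (the question's working 403 setup). It assumes a TOKEN-type authorizer (the token arrives in `event.authorizationToken`); the token table and the `canRead` flag are constructed for the demo, and the `authorize` helper name is an assumption, kept synchronous so the decision logic can be tested without a Lambda runtime.

```javascript
// Added example (not from the original question or answers): a Node.js
// Lambda authorizer producing the three outcomes discussed on the page.
// Assumptions: TOKEN-type authorizer (token in event.authorizationToken);
// the credentials below are constructed for the demo.

// Constructed sample credentials; a real authorizer would verify a JWT
// or look the token up in a store instead of a hard-coded map.
const VALID_TOKENS = new Map([
  ["demo-token-123", { principalId: "user-123", canRead: true }],
  ["demo-token-456", { principalId: "user-456", canRead: false }],
]);

// Build the response shape API Gateway expects from a Lambda authorizer.
// The `context` map is what a Gateway Response template can read via
// $context.authorizer.<key> (stringKey in the question's 403 template).
function buildAuthResponse(principalId, effect, resource, context = {}) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [
        { Action: "execute-api:Invoke", Effect: effect, Resource: resource },
      ],
    },
    context,
  };
}

// Core decision logic (hypothetical helper name), kept synchronous so it
// can be unit-tested directly; the Lambda handler below wraps it.
function authorize(event) {
  const token = (event.authorizationToken || "").replace(/^Bearer\s+/i, "");

  // Case 1: no usable token -> 401. The message must be exactly
  // "Unauthorized"; any other string makes API Gateway answer
  // { "message": null }, as the question describes.
  if (!token || !VALID_TOKENS.has(token)) {
    throw new Error("Unauthorized");
  }

  const user = VALID_TOKENS.get(token);

  // Case 2: known caller without permission -> explicit Deny -> 403.
  // stringKey carries the custom text the Gateway Response template renders.
  if (!user.canRead) {
    return buildAuthResponse(user.principalId, "Deny", event.methodArn, {
      stringKey: "Your account is not allowed to read this resource",
    });
  }

  // Case 3: Allow; API Gateway forwards the request to the integration.
  return buildAuthResponse(user.principalId, "Allow", event.methodArn, {
    stringKey: "ok",
  });
}

// Lambda entry point in the async style from the answer above: a thrown
// error propagates to API Gateway; a returned object is the policy.
const handler = async (event) => authorize(event);

// Export for the Lambda runtime when loaded as a CommonJS module.
if (typeof module !== "undefined") {
  module.exports = { handler, authorize, buildAuthResponse };
}
```

Note the asymmetry this makes visible: the 401 path carries no context at all (the authorizer never returns a result object), so a Gateway Response for UNAUTHORIZED cannot read `$context.authorizer.*`; only the Deny path, which returns a full result object, can feed a custom message through the template.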


You need to raise an exception, so when using node:

context.fail("Unauthorized");

For C# see http://yogivalani.com/aws-custom-lambda-authorizer-returns-401-unauthorized/

Answered by Yogi Valani on Oct 02 '22 22:10