Return bad request response at lambda authorizer. Is it possible?

I'm trying to understand the authorizers in AWS API Gateway. As I understand it, if an exception takes place in the authorizer's logic, then we would definitely get a 401 with the message "Unauthorized". Is it possible to return a bad request response, or an unprocessable entity response?

I found that authorizers work a bit strangely:

1) custom authorizers in Amazon API Gateway 500 error

2) https://forums.aws.amazon.com/message.jspa?messageID=753817

Rostislav V asked Sep 01 '25 02:09


1 Answer

As of August 2023, having tried various experiments for a couple of weeks now, I also do not think it is possible to change the HTTP status code, e.g. to 400, in the Lambda authorizer directly.

For example, Call an API with API Gateway Lambda authorizers only documents HTTP 200, 401, 403 and 500 as being possible. (414 may also be possible.)

That stated, the terminology can be confusing, as:

  1. Lambda authorizer is formerly known as a custom authorizer
  2. AWS API Gateway defines a Lambda custom integration
  3. Lambda custom integration is itself distinct from Lambda proxy integration

I'll suggest the Lambda authorizer implementation presently reflects that (it's more like a custom authorizer than a Lambda[-based] authorizer in how it really can be configured - best of luck getting anything close to for example RFC 6750 Section 3.1!), so some guides on a similar area misleadingly suggest it's possible with lambda proxy integration or request/response mapping, which is true of API Gateway wired directly to AWS Lambda, not necessarily Lambda authorizer itself. Which is of course a shame because the promise of Lambda authorizer seemed to be to have all the auth code under one umbrella, for better or worse. Maybe AWS will at some point make a new version available that justifies the rename, though right now I don't see how it does.

Intuitively however, at this time, it makes sense as all we can do in returning output from a lambda authorizer is:

  1. return a policy statement, which gets us either Allow = 200 or Deny = 403
  2. (TS/JS) `throw new Error('Unauthorized')` or (Python) `raise Exception("Unauthorized")`, which gets us 401
  3. return badly formatted output or raise any other exception, which gets us 500 AuthorizerConfigurationException
  4. possibly 414 Request URI too long
pzrq answered Sep 02 '25 16:09