I'm trying to understand the authorizers in AWS API Gateway. As I understand it, if an exception takes place in the authorizer's logic, then we would definitely get a 401 with the message "Unauthorized". Is it possible to return a bad request response, or an unprocessable entity response?
I found that authorizers work a bit strange:
1) custom authorizers in Amazon API Gateway 500 error
2) https://forums.aws.amazon.com/message.jspa?messageID=753817
As of August 2023, having tried various experiments for a couple of weeks now, I also do not think it is possible to change the HTTP status code, e.g. to 400, in the Lambda authorizer directly.
For example Call an API with API Gateway Lambda authorizers only documents HTTP 200, 401, 403 and 500 as being possible. (414 may also be possible)
That stated, the terminology can be confusing, as:
I'll suggest the Lambda authorizer implementation presently reflects that (it's more like a custom authorizer than a Lambda[-based] authorizer in how it really can be configured - best of luck getting anything close to for example RFC 6750 Section 3.1!), so some guides on a similar area misleadingly suggest it's possible with lambda proxy integration or request/response mapping, which is true of API Gateway wired directly to AWS Lambda, not necessarily Lambda authorizer itself. Which is of course a shame because the promise of Lambda authorizer seemed to be to have all the auth code under one umbrella, for better or worse. Maybe AWS will at some point make a new version available that justifies the rename, though right now I don't see how it does.
Intuitively however, at this time, it makes sense as all we can do in returning output from a lambda authorizer is:
throw new Error('Unauthorized')
or (Python) raise Exception("Unauthorized")
which gets us 401.