How to configure CORS for an AWS API Gateway Custom Authorizer?

Question

I have an API powered by API Gateway and Lambda that uses a custom authorizer.

For successful requests, it passes through the authorizer and then my Lambda can return proper responses with CORS headers with no problems.

However, for unsuccessful authorizations (eg. invalid tokens), I get no CORS headers and that causes my client app (which uses fetch API) to throw.

How do I setup CORS for an API that uses a custom authorizer?

score 5 · Accepted Answer · edited Jul 23 '18 at 15:45

5

Based from this answer and this AWS documentation page, I was able to figure out how to solve it.

The solution is to add the following in my serverless.yml:

resources:
  Resources:
    AuthorizerApiGatewayResponse:
      Type: "AWS::ApiGateway::GatewayResponse"
      Properties:
        ResponseParameters:
          "gatewayresponse.header.Access-Control-Allow-Origin": "'*'"
        ResponseType: UNAUTHORIZED
        RestApiId: {"Ref" : "ApiGatewayRestApi"}
        StatusCode: "401"

edited Jul 23 '18 at 15:45

ceilfors

2,617
23
33

answered Sep 27 '17 at 05:58

Noel Llevares

15,018
3
57
81

2

Any idea what the appropriate way to handle this would be if I am also using withCredentials (disallowing *), but have multiple origins? – Keylan Jul 19 '18 at 17:08
Actually found a better solution via the Serverless Blog https://serverless.com/blog/cors-api-gateway-survival-guide/#cors-with-custom-authorizers – Chris Feist Mar 15 '19 at 16:50

How to configure CORS for an AWS API Gateway Custom Authorizer?

1 Answers1