
I'm trying to understand the authorizers in AWS API Gateway. As I understand it, if an exception takes place in the authorizer's logic, then we would definitely get a 401 with the message "unauthorized". Is it possible to return a bad request response, or an unprocessable entity response?

I found that authorizers work a bit strangely:

1) custom authorizers in Amazon API Gateway 500 error

2) https://forums.aws.amazon.com/message.jspa?messageID=753817

Rostislav V

2 Answers


It is possible. There are multiple solutions.

  1. The Lambda function can throw a custom exception, and you can perform an exception-based catch in API Gateway to send a 400 status code.

  2. Use the deny response, but include the reason for the deny in the context. When the deny happens, the code can check for the reason in the context and return the appropriate response.

Please refer to the links below for exception mapping: https://docs.aws.amazon.com/apigateway/latest/developerguide/handle-errors-in-lambda-integration.html#handle-custom-errors-in-lambda-integration

http://awspapers.blogspot.com/2018/08/integrate-api-with-lambda-part-5.html

Ram K

As of August 2023, having tried various experiments for a couple of weeks now, I also do not think it is possible to change the HTTP status code, e.g. to 400, in the Lambda authorizer directly.

For example, Call an API with API Gateway Lambda authorizers only documents HTTP 200, 401, 403 and 500 as being possible (414 may also be possible).

That stated, the terminology can be confusing, as:

  1. A Lambda authorizer was formerly known as a custom authorizer
  2. AWS API Gateway defines a Lambda custom integration
  3. Lambda custom integration is itself distinct from Lambda proxy integration

I'll suggest the Lambda authorizer implementation presently reflects that (it's more like a custom authorizer than a Lambda[-based] authorizer in how it really can be configured - best of luck getting anything close to for example RFC 6750 Section 3.1!), so some guides on a similar area misleadingly suggest it's possible with lambda proxy integration or request/response mapping, which is true of API Gateway wired directly to AWS Lambda, not necessarily Lambda authorizer itself. Which is of course a shame because the promise of Lambda authorizer seemed to be to have all the auth code under one umbrella, for better or worse. Maybe AWS will at some point make a new version available that justifies the rename, though right now I don't see how it does.

Intuitively, however, at this time it makes sense, as all we can do when returning output from a Lambda authorizer is:

  1. return a policy statement, which gets us either Allow = 200 or Deny = 403
  2. (TS/JS) throw new Error('Unauthorized') or (Python) raise Exception("Unauthorized") which gets us 401
  3. return badly formatted output or raise any other exception, which gets us 500 AuthorizerConfigurationException
  4. possibly 414 Request URI too long
pzrq
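To make the outcomes listed in this answer concrete, together with the deny-with-reason-in-context approach from the first answer, here is an added example of a Python TOKEN authorizer; it is not code from either answer or from AWS. The token value, principal id and the `denyReason`/`scope` context keys are constructed for illustration; the gateway-side mapping that would turn a deny reason into a different response is not shown.

```python
"""Lambda TOKEN authorizer sketch covering Allow, Deny-with-reason and the 401 path."""

# Constructed sample token; a real authorizer would verify a JWT or look up a session.
VALID_TOKEN = "example-valid-token"


def build_policy(principal_id, effect, method_arn, context=None):
    """Build the response shape API Gateway expects from a Lambda authorizer.

    Anything that does not match this shape is treated as malformed output and
    surfaces as a 500 AuthorizerConfigurationException (outcome 3 in the answer).
    """
    ctx = context or {}
    # Context values must be scalars; nested objects or lists are rejected by API Gateway.
    for key, value in ctx.items():
        if not isinstance(value, (str, int, float, bool)):
            raise TypeError(f"context[{key!r}] must be a string, number or boolean")
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
        "context": ctx,
    }


def handler(event, context=None):
    """Entry point: returns Allow (request proceeds), Deny (403) or raises (401)."""
    token = event.get("authorizationToken", "")
    method_arn = event["methodArn"]

    if not token:
        # Outcome 2 from the answer: this exact message yields HTTP 401.
        raise Exception("Unauthorized")

    if not token.startswith("Bearer "):
        # Outcome 1, Deny: API Gateway answers 403. The reason travels in context
        # (readable downstream as $context.authorizer.denyReason) for the gateway side to act on.
        return build_policy("anonymous", "Deny", method_arn, {"denyReason": "wrong_scheme"})

    if token[len("Bearer "):] != VALID_TOKEN:
        return build_policy("anonymous", "Deny", method_arn, {"denyReason": "invalid_token"})

    # Outcome 1, Allow: the request proceeds to the integration with the scope in context.
    return build_policy("user-123", "Allow", method_arn, {"scope": "read"})
```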