17

I have an API gateway setup with a Custom Authorizer that calls a Lambda function. For testing purposes I copied the example from here: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html#api-gateway-proxy-integration-lambda-function-nodejs

I get the same answer as in the documentation but when I test the authorizer I get this stacktrace:

    Endpoint request body after transformations: {"type":"TOKEN","authorizationToken":"test","methodArn":"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/"}
    Authorizer result body before parsing: {"statusCode":200,"headers":{"x-custom-header":"my custom header value"},"body":"{\"message\":\"Hello World!\",\"input\":{\"type\":\"TOKEN\",\"authorizationToken\":\"test\",\"methodArn\":\"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/\"}}"}
    Execution failed due to configuration error: Invalid JSON in response: {"statusCode":200,"headers":{"x-custom-header":"my custom header value"},"body":"{\"message\":\"Hello World!\",\"input\":{\"type\":\"TOKEN\",\"authorizationToken\":\"test\",\"methodArn\":\"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/\"}}"}
    AuthorizerConfigurationException

Why doesn't the authorizer like the JSON response?

2 Answers

27

The authorizer response format is not the same as the integration proxy response format. I can see this is confusing!

The output of a custom authorizer should conform to this format:

    {
      "principalId": "yyyyyyyy", // The principal user identification associated with the token sent by the client.
      "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "execute-api:Invoke",
            "Effect": "Allow|Deny",
            "Resource": "arn:aws:execute-api:<regionId>:<accountId>:<appId>/<stage>/<httpVerb>/[<resource>/<httpVerb>/[...]]"
          }
        ]
      },
      "context": {
        "key": "value",
        "numKey": 1,
        "boolKey": true
      }
    }

The principalId and policyDocument are required, and context is optional.

UPDATE:

The policyDocument is not user-defined; it's the same syntax as a regular IAM policy that operates on the API Gateway actions and resources: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

There are also great blueprints in the Lambda web console for authorizers in Python and Node, and there is a Java blueprint here: https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints


1 Comment

Hi Jack, I couldn't find any policyDocument class in aws-sdk; is that something in the latest version, or is it supposed to be a user-defined class?

24

I just ran into the same error but in my case the problem was that context was too complex - apparently it cannot contain array or object-valued keys.

This is documented here: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html

Notice that you cannot set a JSON object or array as a valid value of any key in the context map.

(I was trying to set a decoded JWT as the context, which has an array-valued roles key. I'm now sending the encoded JWT instead)

1 Comment

Thank you (endless) for saving my 3rd day of "trying to fix" the 500 error in response to WS connect
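
A Node.js TOKEN authorizer that returns the format from the first answer and keeps `context` flat as the second answer requires. This is an added example, not code from either answer or from AWS; `validateToken`, its demo token, the `anonymous` principal and the choice to serialize nested claims as JSON strings are assumptions.

```javascript
// Hypothetical stand-in for real token verification (e.g. JWT signature check).
// Constructed demo logic: only the literal token "allow-me" is accepted.
function validateToken(token) {
  if (token !== 'allow-me') return null;
  return { sub: 'user-123', roles: ['admin', 'dev'], active: true, level: 3 };
}

// API Gateway rejects the authorizer output if any context value is an
// object or array. Keep strings, numbers and booleans; serialize anything
// else to a JSON string; drop null/undefined.
function flattenContext(claims) {
  const context = {};
  for (const [key, value] of Object.entries(claims)) {
    if (value === null || value === undefined) continue;
    const t = typeof value;
    context[key] = (t === 'string' || t === 'number' || t === 'boolean')
      ? value
      : JSON.stringify(value);
  }
  return context;
}

// Build the authorizer output: principalId and policyDocument are required,
// context is optional and is only attached when claims are supplied.
function buildAuthorizerResponse(principalId, effect, methodArn, claims) {
  const response = {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
  };
  if (claims) response.context = flattenContext(claims);
  return response;
}

// Lambda entry point. The event has the shape shown in the question's log:
// { type: 'TOKEN', authorizationToken, methodArn }.
async function handler(event) {
  const claims = validateToken(event.authorizationToken);
  if (!claims) {
    // 'anonymous' is a constructed placeholder principal for denied callers.
    return buildAuthorizerResponse('anonymous', 'Deny', event.methodArn, null);
  }
  return buildAuthorizerResponse(claims.sub, 'Allow', event.methodArn, claims);
}

// Export for Lambda; guarded so the file also runs as a plain script.
if (typeof module !== 'undefined') module.exports = { handler };
```

Downstream integrations that need the roles list must `JSON.parse` the `roles` context value, since it arrives as a string.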
