17

I have an API gateway setup with a Custom Authorizer that calls a Lambda function. For testing purposes I copied the example from here: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html#api-gateway-proxy-integration-lambda-function-nodejs

I get the same answer as in the documentation but when I test the authorizer I get this stacktrace:

    Endpoint request body after transformations: {"type":"TOKEN","authorizationToken":"test","methodArn":"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/"}
    Authorizer result body before parsing: {"statusCode":200,"headers":{"x-custom-header":"my custom header value"},"body":"{\"message\":\"Hello World!\",\"input\":{\"type\":\"TOKEN\",\"authorizationToken\":\"test\",\"methodArn\":\"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/\"}}"}
    Execution failed due to configuration error: Invalid JSON in response: {"statusCode":200,"headers":{"x-custom-header":"my custom header value"},"body":"{\"message\":\"Hello World!\",\"input\":{\"type\":\"TOKEN\",\"authorizationToken\":\"test\",\"methodArn\":\"arn:aws:execute-api:ap-southeast-2:893445519708:uyue0zqh15/null/GET/\"}}"}
    AuthorizerConfigurationException

Why doesn't the authorizer like the JSON response?

2 Answers

26

The authorizer response format is not the same as the integration proxy response format. I can see this is confusing!

The output of a custom authorizer should conform to this format:

    {
      "principalId": "yyyyyyyy", // The principal user identification associated with the token sent by the client.
      "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "execute-api:Invoke",
            "Effect": "Allow|Deny",
            "Resource": "arn:aws:execute-api:<regionId>:<accountId>:<appId>/<stage>/<httpVerb>/[<resource>/<httpVerb>/[...]]"
          }
        ]
      },
      "context": {
        "key": "value",
        "numKey": 1,
        "boolKey": true
      }
    }

The principalId and policyDocument are required, and context is optional.

UPDATE:

The policyDocument is not user-defined; it's the same syntax as a regular IAM policy that operates on the API Gateway actions and resources: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

There are also great blueprints in the Lambda web console for authorizers in python and node, and there is a Java blueprint here: https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints

1
  • Hi Jack, I couldn't find any policyDocument class in aws-sdk. Is that something in the latest version, or is it supposed to be a user-defined class?
    – Sagar Jani
    Commented Sep 21, 2017 at 7:50
24

I just ran into the same error but in my case the problem was that context was too complex - apparently it cannot contain array or object-valued keys.

This is documented here: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html

Notice that you cannot set a JSON object or array as a valid value of any key in the context map.

(I was trying to set a decoded JWT as the context, which has an array-valued roles key. I'm now sending the encoded JWT instead)

1
  • 1
    Thank you (endless) for saving my 3rd day of "trying to fix" the 500 error in response to WS connect
    – Simon
    Commented Sep 1, 2021 at 23:44
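
The two answers combined, as an added example (not code from the original posts or from AWS): a Node.js TOKEN authorizer that returns the authorizer output format instead of the proxy response format, and flattens any object- or array-valued claim into a JSON string so the context map stays valid. `validateToken`, the claim names and the `anonymous` principal are hypothetical placeholders for real token verification.

```javascript
// Added example: TOKEN authorizer returning principalId/policyDocument/context.

// Context values must be strings, numbers or booleans. Objects and arrays make
// API Gateway reject the response, so they are serialized to JSON strings here.
function flattenContext(claims) {
  const context = {};
  for (const [key, value] of Object.entries(claims)) {
    if (value === null || value === undefined) continue; // drop empty claims
    context[key] = ['string', 'number', 'boolean'].includes(typeof value)
      ? value
      : JSON.stringify(value);
  }
  return context;
}

function buildAuthorizerResponse(principalId, effect, methodArn, claims = {}) {
  if (effect !== 'Allow' && effect !== 'Deny') {
    throw new Error(`Invalid effect: ${effect}`);
  }
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [
        { Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn },
      ],
    },
    context: flattenContext(claims),
  };
}

// Hypothetical check with constructed claims; replace with real verification
// (for example, validating a JWT signature and expiry).
function validateToken(token) {
  if (token === 'test') {
    return { sub: 'user-123', roles: ['admin', 'reader'], active: true };
  }
  return null;
}

async function handler(event) {
  const claims = validateToken(event.authorizationToken);
  if (!claims) {
    return buildAuthorizerResponse('anonymous', 'Deny', event.methodArn);
  }
  return buildAuthorizerResponse(claims.sub, 'Allow', event.methodArn, claims);
}

if (typeof module !== 'undefined') module.exports = { handler };
```

The backend integration receives the flattened values as strings and has to `JSON.parse` the ones that were serialized, such as `roles` here.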
