Api gateway custom authorizer caching problems

Hi guys, I did the implementation to use a custom authorizer for the API Gateway, and I was testing with the policy

{
  principalId: userId,
  policyDocument: {
    Version: '2012-10-17',
    Statement: [
      {
        Action: 'execute-api:Invoke',
        Effect: 'Allow',
        Resource: event.methodArn,
      },
    ]
  }
}

and it was working. Then I forced an error to switch the effect to Deny, but now all the requests are returning Unauthorized.

I see that it is not even calling the authorizer function anymore.

Is this cached?
How do I make it work again?

Thanks,

:wink:

There are 2 resolutions.

  1. Return the entire security policy for the user for all endpoints of your API.
  2. Don't cache the policy.

I prefer #2 myself, and you can do it in your serverless.yml where you define your function(s).
Example:

functions:
  jwtAuth:
    handler: auth/jwt.handler

  doSomething:
    handler: myCode.doSomething
    events:
      - http:
          path: /dosomething
          method: post
          cors: true
          authorizer:
            name: jwtAuth
            resultTtlInSeconds: 0   # 0 disables caching of the authorizer result

The key bit being resultTtlInSeconds: 0.

Hope this helps.

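Resolution #1 from the answer above, as an added example that is not code from this thread: a Node.js token authorizer that widens event.methodArn to cover every method and path of the API stage, so a cached Allow or Deny stays correct whichever endpoint the next request hits. The token check and principal id are placeholders I made up for the example.

```javascript
// Added example, not from the original thread. Assumes an API Gateway
// token authorizer event ({ authorizationToken, methodArn }).

// methodArn has the form
//   arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>
// Replacing the method and path with "*/*" yields a resource that covers
// the whole API stage, so one cached policy is valid for all endpoints.
function apiWideResource(methodArn) {
  const parts = methodArn.split(':');
  if (parts.length < 6) throw new Error('unexpected methodArn: ' + methodArn);
  const [apiId, stage] = parts[5].split('/');
  if (!apiId || !stage) throw new Error('unexpected methodArn: ' + methodArn);
  return parts.slice(0, 5).concat(`${apiId}/${stage}/*/*`).join(':');
}

// Same policy shape as in the question, parameterised on effect and resource.
function buildPolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// Placeholder credential check (assumption for the example): only a fixed
// demo token is accepted. A real handler would verify a JWT or session here.
function authenticate(token) {
  return token === 'Bearer demo-token' ? 'user-123' : null;
}

// Decide Allow/Deny for the whole API, not just the invoked method.
function authorize(event) {
  const principalId = authenticate(event.authorizationToken);
  const resource = apiWideResource(event.methodArn);
  return buildPolicy(principalId || 'anonymous', principalId ? 'Allow' : 'Deny', resource);
}

// Lambda entry point; async so the returned policy is delivered as a Promise.
const handler = async (event) => authorize(event);

if (typeof module !== 'undefined') {
  module.exports = { apiWideResource, buildPolicy, authenticate, authorize, handler };
}
```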

I am having similar issues as of January 2021.

The issue is twofold. One, the resultTtlInSeconds is set on every endpoint in the serverless.yml file, yet in the AWS Console I can see that only one custom authorizer with only one TTL gets created, so the fact that I am setting the resultTtlInSeconds in all n of my endpoints makes no sense.

Secondly, everything was working fine for me with a resultTtlInSeconds: 3600 setting until recently, when it randomly decided to reject every request as unauthorized. The solution was to change it to 0, but that means that there is no caching even for identical requests (not good if your custom authorizer calls DynamoDB, for example).

This is an old thread but hopefully someone can either benefit from the clarity or can help us understand what is going on here.