Custom Authorizer not being triggered

I am trying to implement a custom authorizer for my functions triggered via API Gateway (http event). However, it looks like the authorizer is not even being triggered when a request is made to the endpoint and the result always returns

{
  "message": "Unauthorized"
}

This is what I have set up so far:

  1. Authorizer definition inside serverless.yml
authenticate_validate:
    name: ${opt:stage}_auth_validate
    handler: api/auth/validate.validate
  2. Function to be authorized linked to the authorizer:
api_list:
    name: ${opt:stage}_list
    handler: api/list.list
    events:
      - http:
          path: v1/{resource}
          method: get
          cors:
            origins:
              - '*'
            headers:
              - Content-Type
              - X-Amz-Date
              - Authorization
              - X-Api-Key
              - X-Amz-Security-Token
          authorizer: authenticate_validate
  3. The authorizer function just returns a success document by default for testing purposes but this is a moot point because logs of the authorizer function ( ls logs -f authenticate_validate -t --stage dev ) show that it never gets triggered anyway.
  4. After sls deploy, the authorizer function is added as an authorizer as per the API Gateway console, and using the “Test your authorizer” input results in the log command above showing execution.
  5. If attempting to run the endpoint linked to the authorizer, no log output is produced at all for the function that should be triggered by the endpoint or the authorizer function's logs; i.e. the authorizer looks like it is never hit.

It seems to me that there is something preventing API Gateway from communicating with the authorizer and therefore it automatically throws an Unauthorized error. As soon as I take the reference to the custom authorizer away from the function it works as intended (minus authorization obviously).

If anyone can help point me to where my problem may be that would be appreciated because I am stumped. I can find no log anywhere that shows me where the Unauthorized response is being generated so have no way to determine where the problem lies besides poking through the keyhole with a stick to see what squeals.

Hi @garethmcc ,
Just to make sure: Do you pass an authorization header (e.g. curl -v --header "Authorization: xyz" …/v1/x)? If not then your custom authorizer won’t get invoked at all and you’ll get a 403 with that message.

In case it helps, here’s an example (but it’s for Java): https://github.com/bbilger/jrestless-examples/tree/master/aws/gateway/aws-gateway-security-custom-authorizer

1 Like
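
The behaviour described in the answer above, as an added example that is not part of the original thread or any poster's code: a small model of the check API Gateway makes before it calls a token-based authorizer, next to a minimal authorizer decision function. The function names, the placeholder token `xyz` check, the sample ARN and the optional validation expression parameter are assumptions made for illustration.

```javascript
// Added example: names, token value and ARN are constructed, not from the thread.
const SAMPLE_ARN = 'arn:aws:execute-api:us-east-1:123456789012:abc123/dev/GET/v1/x';

// Model of the check API Gateway makes before calling a TOKEN authorizer.
// If the identity source header is absent or empty, or fails the optional
// validation expression, the gateway answers "Unauthorized" by itself and the
// authorizer Lambda never runs, so it produces no logs.
function gatewayPrecheck(headers, identityHeader = 'Authorization', validation = null) {
  const wanted = identityHeader.toLowerCase(); // HTTP header names are case-insensitive
  const name = Object.keys(headers).find((h) => h.toLowerCase() === wanted);
  const token = name ? headers[name] : '';
  if (!token) return { invoked: false, reason: 'identity source missing' };
  if (validation && !validation.test(token)) {
    return { invoked: false, reason: 'token failed validation expression' };
  }
  return { invoked: true, token };
}

// Authorizer decision: returns the policy document shape API Gateway expects.
function decide(event) {
  const expected = 'xyz'; // placeholder; real code verifies a signed token here
  const effect = event.authorizationToken === expected ? 'Allow' : 'Deny';
  return {
    principalId: 'user',
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: event.methodArn }],
    },
  };
}

// Handler in the shape serverless.yml points at (api/auth/validate.validate).
const validate = async (event) => {
  console.log('authorizer invoked for', event.methodArn);
  return decide(event);
};

// Runs one request through both stages and reports where it stopped.
function simulate(headers, validation = null) {
  const pre = gatewayPrecheck(headers, 'Authorization', validation);
  if (!pre.invoked) return { ...pre, body: { message: 'Unauthorized' } };
  const event = { type: 'TOKEN', authorizationToken: pre.token, methodArn: SAMPLE_ARN };
  const effect = decide(event).policyDocument.Statement[0].Effect;
  return { invoked: true, effect };
}
```

A request that stops at the pre-check leaves nothing in the authorizer's logs, which matches the symptom in the question; a request that reaches `decide` always logs, whether the result is Allow or Deny.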

Well slap me silly and call me Harriet. Thanks for pointing out the obvious. I knew it would be something as simple as that. As soon as I added an actual Authorization header to my request, suddenly my authorization function is logging.

Thanks so much bilger.

I am facing the same issue even when I pass the headers, what is the solution?

2 Likes