How to enable CORS for custom authorizers ? (AWS API Gateways)

I’m trying to implement a basic custom authorizer but I have an issue with cors when the authorizer don’t authorize the API call :
I get the expected 401 status code but there are no Access-Control-Allow-Origin header in the response, then I can’t handle it in my front-end code…

I didn’t find any mention of cors attribute in the serverless doc for the authorizer itself, so how can I tell it to add the correct header for “non authorized” responses ?

Thanks in advance
Stephane

1 Like

Hi @stephanechauvin,
Unfortunately you can’t, that’s a limitation in API gateway and a pain-point for a lot of users.
https://forums.aws.amazon.com/thread.jspa?messageID=728839

2 Likes

Ok thx bbilger.

Incredible that AWS isn’t able to quickly address this kind of issue ! :worried:

Things have changed, AWS finally fixed this thing, but I am not sure how to implement it with serverless.
Does anybody have an idea?
Thank you

@RastoStric I have the same question

Did you figure out how to return cors headers from authorizer?

After hours of searching… The answer is here: https://github.com/serverless/serverless/issues/3896#issuecomment-326721971

2 Likes

Thanks for sharing, I didn’t know it! :+1:

1 Like