I'm trying to implement Basic authentication, using this article as inspiration:
https://medium.com/@Da_vidgf/http-basic-auth-with-api-gateway-and-serverless-5ae14ad0a270
The application is set up as described:
WWW-Authenticate in the 401 response
Request Authorizer set up in the Authorizer section
Tie the authorizer to my endpoint, on the ANY method execution
I can test my custom authorizer using the Test feature under Authorizers successfully but when I call the API using curl (or anything else) there is no authentication. The authorizer lambda doesn't get called and there are no logs in CloudWatch.
Any idea where I could look next?
Remember to deploy API Gateway to apply settings before test.
I have a lambda function with an authorizer sitting within an API gateway.
I notice that when I call the lambda function, on the first request the authorizer is invoked as expected, authorization passes, IAM role is assumed and grants access to the lambda function.
However, on subsequent requests, the authorizer is not invoked.
I assume this is due to authorization caching.
However, in the AWS console, in API gateway > Authorizers the authorizer has the following configuration:
Authorizer ID: iiii2l
Lambda Function: foo-authorizerV1-dev-authorizer (eu-west-1)
Lambda Invoke Role: arn:aws:iam::0000000:role/foo-authorizerV1-dev-AuthorizerRole-AAAAAAA
Lambda Event Payload: Request
Identity Sources: deviceID (header)
Authorization Caching: Authorization not cached
I would have thought Authorization Caching being set to Authorization not cached would mean that the authorizer would be invoked on every request.
Am I missing something here?
If caching is not enabled then API Gateway will call the authorizer on each request.
If you've made a change to the API Gateway in the console but haven't yet deployed the API, it might seem like you have one configuration but the behavior of another. I would check that the current configuration is deployed and retest.
We've created a Websocket API through AWS Gateway that connects to a Lambda function, but in order to authorize the connection/API request we need to create a Lambda authorizer that is hit before the Lambda function. For now, this is the only option that AWS gives to authorize requests via a gateway websocket connection. Hooking up the Lambda authorizer is simple, but for some reason the AWS console is reporting an error that doesn't make any sense, since the authorizer is attached to the $connect route.
The authorizer has all the necessary permissions. I tried to conduct a simple sanity test and log the event that was being passed in, but the lambda authorizer is being completely ignored. Aside from the Lambda authorizer, the websocket API and Lambda function work together without any issues. There just seems to be a problem reaching the lambda authorizer.
If you have any idea why this is happening, please let me know what we're doing wrong.
When using an AWS Cognito attribute from a JWT token in a Lambda, do I need to verify the JWT? The Lambda is only triggered by an API Gateway which already verifies the token.
Adding details:
- I'm using Cognito Authorizer in the API Gateway to verify the token.
- The lambda is connected to the API Gateway as proxy.
No, you don't need to verify the JWT in the backend Lambda if it is protected by a custom Lambda authorizer in API Gateway. I would suggest you use a REQUEST-based Lambda authorizer and attach attributes in the response. Your backend Lambda will then be able to access the attributes in event.requestContext.authorizer['your_attribute'].
This will also enable you to test your Lambda in isolation without needing to get attribute from JWT. You can always mock the event object for unit testing.
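The REQUEST authorizer the Basic-auth question at the top of this page describes, together with a backend handler that reads the attributes the authorizer attaches (the pattern the answer above recommends), as an added example that is not code from any of these posts. The credentials, method ARN and the user/role attributes are constructed for the example.

```python
import base64
import hmac

# Constructed placeholder credentials for this example; a real deployment would
# read them from the authorizer's configuration (e.g. environment variables).
EXPECTED_USER, EXPECTED_PASS = "alice", "secret"


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, else None."""
    scheme, _, blob = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def build_policy(principal, effect, method_arn, context):
    """IAM policy API Gateway expects back. Resource spans the whole stage: with result
    caching on, the policy is reused for every call carrying the same identity-source
    value, so a single-method Resource would deny all the other methods."""
    arn_prefix, _, api_path = method_arn.partition("/")  # api_path = stage/verb/path
    stage = api_path.split("/")[0]
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect,
             "Resource": f"{arn_prefix}/{stage}/*/*"}]},
        "context": context,  # arrives in the backend as event.requestContext.authorizer
    }


def authorizer_handler(event, context=None):
    """REQUEST-type authorizer whose identity source is the Authorization header."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    creds = parse_basic_auth(headers.get("authorization"))
    if creds is None:
        raise Exception("Unauthorized")  # API Gateway maps this to a 401 response
    user, password = creds
    if not (hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
            and hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())):
        return build_policy(user or "anonymous", "Deny", event["methodArn"], {})  # 403
    return build_policy(user, "Allow", event["methodArn"], {"user": user, "role": "reader"})


def backend_handler(event, context=None):
    """Proxy-integrated backend reading the attributes the authorizer attached."""
    auth = (event.get("requestContext") or {}).get("authorizer") or {}
    if "user" not in auth:  # reached without passing through the authorizer
        return {"statusCode": 401, "body": "missing authorizer context"}
    return {"statusCode": 200, "body": f"hello {auth['user']} ({auth.get('role')})"}
```

With result caching enabled, API Gateway answers 401 without invoking the authorizer at all when the configured identity-source header is absent from the request, so a test call that omits the Authorization header will show no authorizer log in CloudWatch even when everything is wired up correctly.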
I ran into the same conundrum, and was trying to find documented confirmation that, within the Lambda, I wouldn't have to do any validation on my own, and that I can safely rely on the token / claims being genuine. Unfortunately, nothing in the AWS documentation or the forum posts that I've seen so far has explicitly confirmed this.
But I did find something similar for GCP, and how the API Gateway there validates the JWT. From the GCP documentation:
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication. However, you do need to configure the API config for your gateway to support your chosen authentication methods.
API Gateway validates a JWT in a performant way by using the JWT issuer's JSON Web Key Set (JWKS). The location of the JWKS is specified in the x-google-jwks_uri field of the gateway's API config. API Gateway caches the JWKS for five minutes and refreshes it every five minutes.
So, it seems that within GCP at least, we don't have to do anything, and the API Gateway will handle everything. Even though this is not a confirmation that this is how it works in AWS as well, the fact that this is how it works in GCP gives me some more confidence in assuming that it must be so in AWS too.
To start off with, I am pretty new to AWS. I started with a pretty basic API Gateway + Lambda integration. Below are my use cases.
I created a Lambda proxy integration request with API Gateway, a GET request which outputs the addition of 2 numbers passed through query parameters. Now if I access this API Gateway endpoint I am getting the desired result.
Now I have created custom authorizer, which is in turn a call to another lambda.
So a request will be validated by the authorizer Lambda prior to hitting the API Gateway endpoint. In this case the authorizer is not invoked at all.
I have enabled CloudWatch logs for API Gateway & Lambda, so below are the issues I am facing:
The CloudWatch logs for the API Gateway endpoint do not show the call to the custom authorizer Lambda.
Logs for the endpoint Lambda are seen correctly in the Lambda log group, but I am unable to see the same for the authorizer Lambda.
I have followed the AWS documentation below; nothing seems to help.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
Below is the API Gateway config. The authorizer configured has a header token called 'Authorization'; the consumer of the API should provide the Authorization token while calling the endpoint, which is supposed to be validated by the authorizer.
API Gateway logs: the configured Lambda was called directly without invoking the authorizer.
As mentioned by @Anup in the comments, you probably need to re-deploy the stage for the changes to take effect.
In my case I set up everything in Terraform and couldn't figure out why the custom authenticator wasn't being called.
After adding variables to the deployment to trigger a redeployment, the custom authenticator was properly called as expected.
Make sure your Lambda and gateway authorizer are correctly configured. A couple of suggestions:
Verify if your lambda has the API gateway trigger. The trigger is created automatically when you assign your authorizer to a valid lambda function in the API gateway authorizer settings.
Verify if your lambda has a valid handler. The current assigned handler can be seen in your lambda's configuration page.
Make sure the Method Request Authorization of your resource is set to the correct authorizer.
Deploy the gateway to guarantee the current API stage is using the displayed settings.
Even if your authorizer code doesn't work properly you should at least see an execution log in CloudWatch.
Just managed to solve the same problem. The request invoked the authorizer sometimes, but sometimes not.
When you create a custom authorizer, it automatically turns on the authorization caching. The default TTL is 300s.
https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
My Flask app uses Facebook OAuth 2 for authorization and is deployed on API Gateway and Lambda with Zappa. The app needs to request an authorizer token and I think I need to use a custom authorizer for this, as the normal Lambda cannot make external requests. I have set up the resource and linked it to the custom authorizer, and that to my authorizer Lambda, but I am getting an error and the Lambda authorizer does not appear to have been called. What am I doing wrong?
Thanks
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/endpoint+error.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/no+events+in+lambda+monitoring.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/custom+autorizer.png
https://s3-eu-west-1.amazonaws.com/aws-api-gateway-support/api+gateway+resource+setup.png