0
votes

Custom Authorization
Lambda Execution Role : Full Access Api Gateway and Lambda
Token Source: method.request.header.Authorization
Token Validation: blank

I added this custom authorizer to the API method request. The authorizer test succeeds, but when I request the API from Postman I get a 401.

{
    "message": "Unauthorized"
}

Authorizers Test Image
Postman Image
Api Method Request Image

Custom Authorizer Lambda

console.log('Loading function');

exports.handler = function(event, context, callback) {
    // Log the authorizer event and the Lambda context separately
    console.log("event:", JSON.stringify(event));
    console.log("context:", JSON.stringify(context));
    // For a TOKEN authorizer the mapped header arrives as authorizationToken
    console.log('Client token: ' + event.authorizationToken);
    console.log('Method ARN: ' + event.methodArn);

    // Always returns an Allow policy; Resource "arn:aws:execute-api:*" covers every API
    callback(null, {
        "principalId": "18",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "Stmt1459758003000",
                    "Effect": "Allow",
                    "Action": [
                        "execute-api:Invoke"
                    ],
                    "Resource": [
                        "arn:aws:execute-api:*"
                    ]
                }
            ]
        }
    });
};

Postman Code:

curl --request GET \
  --url {url} \
  --header 'authorization: Test Token' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --header 'postman-token: c9110a92-414e-e1aa-61fb-194758dace86'

Solution
Token Source: Authorization

3 Answers

1
votes

API Gateway has changed, as of today, Jan 18. The following needs to be known.

  1. If the Method's Integration Request is not Lambda proxied: while creating the custom authorizer (in the Authorizers tab), you should enter Token Source as "Authorization" and not "method.request.header.Authorization". Also, in the Method Request tab of the method (e.g. GET), you should set the HTTP Header Mapping for 'Authorization'.
  2. If the Method's Integration Request is proxied, no mapping is required. All of the request body + headers + parameters + AWS extra stuff is available in the event[] object of the Lambda. Hence no mapping is required.

A few more pitfalls to be careful of:

  • Use a standard string like 'Authorization' (which is a standard); if you use a different string, change it everywhere.
  • The authorization token, when passed to Lambda for a non-proxied integration request, arrives as event['authorizationToken'] and not event['Authorization'].
  • If you get an error like Lambda Malform..., it is because you are using Lambda Proxy and it requires the response in a specific format, and you're not sending data in that format.
  • If you're using Postman, switch to 'raw' instead of 'pretty' mode.

0
votes

To call an API with the custom TOKEN authorizer

  • Open Postman, choose the GET method and paste the API's Invoke URL into the adjacent URL field.

Add the custom authorization token header and set the value to allow. Choose Send.


Worth reading: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html#call-api-with-api-gateway-custom-authorization

0
votes

You don't call the Custom Authorizer through Postman; that's API Gateway's job.

Every time that you call an endpoint protected by your custom authorizer the API Gateway will check if the value of the given Authorization Header exists in its Policies Cache. If the value does not exist, your Custom Authorizer will be called to authenticate the request.

A simple representation of the flow:

Lambda Handler (handles a protected endpoint GET /users/{id})
    |
    | ------------ 
    |            |
    |     Custom Authorizer
    |          /
    |         / (if the request is not authorized yet)
    |        /
 Api Gateway 
    |
    |
    |
Request (with Authorization Header)

You just have to set the Authorization of your resource method to your custom authorizer and let the API Gateway do all the work.
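Added example, not code from the question or from any of the answers above. It puts together the points from the Jan 18 answer (the header value arrives as event.authorizationToken; the response must be a policy document; a bad token yields the 401 from the question) and the flow sketched in this answer (API Gateway consults its policy cache and only calls the authorizer on a miss). The token table, the principal names, the account id and API id in the ARN, and the gatewayInvoke stand-in are all constructed for this example; the real gateway does the caching and policy evaluation itself.

```javascript
'use strict';

// Constructed token table standing in for a real check (e.g. JWT signature verification).
// The tokens and principals are placeholders for this example only.
const KNOWN_TOKENS = {
  'valid-token-alice': { principalId: 'alice', allowed: true },
  'revoked-token-bob': { principalId: 'bob', allowed: false },
};

// Build the policy document API Gateway expects from a TOKEN authorizer.
// methodArn looks like arn:aws:execute-api:<region>:<acct>:<apiId>/<stage>/<METHOD>/<path>;
// the Resource is scoped to this API stage rather than "arn:aws:execute-api:*".
function buildPolicy(principalId, effect, methodArn) {
  const [arnPrefix, stage] = methodArn.split('/');
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: effect,
        Resource: `${arnPrefix}/${stage}/*/*`,
      }],
    },
  };
}

// Authorizer handler. With Token Source = "Authorization" the header value arrives as
// event.authorizationToken (there is no event.Authorization).
function handler(event, context, callback) {
  const token = event.authorizationToken;
  const entry = token ? KNOWN_TOKENS[token] : undefined;
  if (!entry) {
    // Passing the literal string 'Unauthorized' as the error makes API Gateway answer 401.
    return callback('Unauthorized');
  }
  // A Deny policy is a valid (and cacheable) result; API Gateway turns it into a 403.
  const effect = entry.allowed ? 'Allow' : 'Deny';
  return callback(null, buildPolicy(entry.principalId, effect, event.methodArn));
}

// IAM-style wildcard match: '*' matches any run of characters.
function resourceMatches(pattern, arn) {
  const escaped = pattern.split('*')
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$').test(arn);
}

// Simplified stand-in for the API Gateway side of the flow: look the header value up in
// the policy cache, call the authorizer only on a miss, then enforce the policy.
// Only returned policies are cached here; an 'Unauthorized' error is not.
const policyCache = new Map();
let authorizerInvocations = 0;

function gatewayInvoke(headers, methodArn) {
  const token = headers.Authorization; // the header named by Token Source
  if (!token) return { status: 401, body: { message: 'Unauthorized' } };

  let policy = policyCache.get(token);
  if (!policy) {
    authorizerInvocations += 1;
    let authError = null;
    handler({ type: 'TOKEN', authorizationToken: token, methodArn }, {}, (err, result) => {
      authError = err;
      policy = result;
    });
    if (authError) return { status: 401, body: { message: 'Unauthorized' } };
    policyCache.set(token, policy);
  }

  const stmt = policy.policyDocument.Statement[0];
  const allowed = stmt.Effect === 'Allow' && resourceMatches(stmt.Resource, methodArn);
  if (!allowed) return { status: 403, body: { message: 'User is not authorized to access this resource' } };
  return { status: 200, body: { principalId: policy.principalId } };
}

// Exposed so callers can observe how often the authorizer actually ran.
function invocationCount() { return authorizerInvocations; }

if (typeof module !== 'undefined') {
  module.exports = { handler, buildPolicy, gatewayInvoke, invocationCount };
}
```

Two things worth noticing when you run it: a Deny policy is a cached result that produces 403, whereas the 'Unauthorized' error produces the 401 seen in the question; and because the cache is keyed on the token value, the Resource you put in the policy decides which other methods that cached policy covers until the TTL expires, which is why it is built from the stage portion of methodArn rather than the exact method.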