0
votes

I have set up my API at Amazon API Gateway and the Gateway Responses part seems to be a bit confusing.

There are a lot of default responses defined here along with the HTTP Return Code:

  • Access Denied (403)
  • Invalid API Key (403)
  • Invalid Signature (403)
  • Missing Authentication Token (403)
  • Unauthorized (401)

Is there any logic as to which response is returned under which condition? I have done my tests and I wasn't able to find a pattern.

  1. No API Key + Valid URL: Invalid API Key
  2. No API Key + Invalid URL: Missing Authentication Token
  3. Good API Key + Invalid URL: Missing Authentication Token

Is there any specific pattern here?

Thanks, Guven.

Comments:

  • You're probably confused because it returns "Missing Authentication Token" for errors that are unrelated to Authentication Token. If you try to access a non-existent endpoint, instead of returning a 404 Not Found error, it returns the "Missing Authentication Token". I know, it's stupid, but it's how it works... – Renato Byrro
  • There's actually a good reason behind returning a 403 (Missing Authentication Token) for non-existing methods (security). This is the thread explaining it: forums.aws.amazon.com/thread.jspa?threadID=239651 – Viccari

1 Answer

0
votes

As noted in comments, for security reasons, API Gateway can give you the impression that it is really pretty obsessive about these mysterious authentication token thingies, whatever exactly they may be.

But this was apparently done because it should be difficult for a malicious user to determine a specific reason why the request is forbidden... and, as you have discovered, this message is as potentially uninformative as it is potentially misleading. (Not necessarily a criticism, here... that's what it's for.)

What you'll probably find helpful is to go in and customize your error responses and change the default wording of each message to match its actual meaning. There are several where you'll find Missing Authentication Token in the text of the template.
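One concrete way to do the customization the answer describes, written as an added CloudFormation example (it is not code from the question, the answer, or AWS documentation). It overrides two of the gateway responses from the question's list and, rather than spelling out the real cause in the body a caller receives, keeps the outward message uniform (the rationale given in the comments) and records the actual cause server side in the stage's access log via `$context.error.responseType`. The logical ids `RestApi` and `ApiDeployment` are assumed to exist elsewhere in the template; the log group name, the stage name and the message wording are also this example's own choices.

```yaml
# Added example, not code from the question, the answer, or AWS.
# Assumed: the template already declares the REST API as "RestApi" and a
# deployment as "ApiDeployment"; both logical ids are hypothetical.
Resources:
  ApiAccessLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 30

  # Client-facing body for the response the question found confusing.
  # The 403 and a generic message are kept on purpose: not distinguishing
  # "no such route" from "no credentials" is the intended behaviour. The
  # request id gives the caller something an operator can look up.
  MissingAuthTokenResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApi
      ResponseType: MISSING_AUTHENTICATION_TOKEN
      StatusCode: "403"
      ResponseParameters:
        # Without a CORS header, browser callers see only an opaque network error
        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
      ResponseTemplates:
        application/json: |
          {"message": "Forbidden: the request could not be routed or authenticated",
           "requestId": "$context.requestId"}

  # Same treatment for another 403 variant from the question's list, so the
  # two failures look identical from the outside.
  InvalidApiKeyResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApi
      ResponseType: INVALID_API_KEY
      StatusCode: "403"
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
      ResponseTemplates:
        application/json: |
          {"message": "Forbidden: the request could not be routed or authenticated",
           "requestId": "$context.requestId"}

  # Server side, the access log records which gateway response actually fired
  # ($context.error.responseType), so "which condition produced this 403?" is
  # answered from the log by request id, not from the body sent to the caller.
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApi
      DeploymentId: !Ref ApiDeployment
      StageName: prod
      AccessLogSetting:
        DestinationArn: !GetAtt ApiAccessLogs.Arn
        Format: >-
          {"requestId":"$context.requestId","ip":"$context.identity.sourceIp",
          "method":"$context.httpMethod","path":"$context.path",
          "status":"$context.status","responseType":"$context.error.responseType",
          "errorMessage":"$context.error.message"}
```

With this in place, the three cases the question enumerates all return the same 403 body to the client, while each access-log line carries `MISSING_AUTHENTICATION_TOKEN` or `INVALID_API_KEY` alongside the request id, which is what an operator needs when a user reports the error. If you do prefer the answer's approach of rewording each message to state its real meaning, the `ResponseTemplates` block is the place to do it; just note that telling an unauthenticated caller whether a route exists gives back exactly the information the uniform response was meant to withhold.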