I cannot connect to /user-profile after setting up my custom authorizer. All requests from browser or curl result in 401 HTTP failure. API Gateway logs are not verbose enough to diagnose the issue. I've disabled caching and have tweaked parts of the config to see if I can get the request through but have not had any luck.
Oddly, testing the custom authorizer directly through the AWS console test tool works. In this case, the custom-authorizer is invoked and the request is authorized. However, on requests from browsers or cURL, the custom-authorizer lambda is never invoked (as per my checking the logs).
Would appreciate some help on this. Has been a big blocker for moving forward in this book. Here's a thread on the aws forums discussing the issue, but no solution has been posted: https://forums.aws.amazon.com/thread.jspa?threadID=264196.
Browser OPTIONS request (succeeds)
-General-
Request URL:https://0x24uh9sqk.execute-api.us-east-1.amazonaws.com/dev/user-profile
Request Method:OPTIONS
Status Code:200
Remote Address:13.33.74.102:443
Referrer Policy:no-referrer-when-downgrade
-Response Headers-
access-control-allow-headers:Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
access-control-allow-methods:GET,OPTIONS
access-control-allow-origin:*
content-length:0
content-type:application/json
date:Wed, 07 Mar 2018 16:09:03 GMT
status:200
via:1.1 bc6981f82440e44448ee5dd3577bf4f4.cloudfront.net (CloudFront)
x-amz-cf-id:ts3K2BoHctXUz_sjCNvWa-dmqjPclPio4XoqkNam-ynxGAIQu5LtMA==
x-amzn-requestid:db18a291-2221-11e8-bc27-f7bd3aa6dba6
x-cache:Miss from cloudfront
-Request Headers-
:authority:0x24uh9sqk.execute-api.us-east-1.amazonaws.com
:method:OPTIONS
:path:/dev/user-profile
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, br
accept-language:en
access-control-request-headers:authorization
access-control-request-method:GET
origin:http://127.0.0.1:8100
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Browser GET request (fails 401)
-General-
Request URL:https://0x24uh9sqk.execute-api.us-east-1.amazonaws.com/dev/user-profile
Request Method:GET
Status Code:401
Remote Address:13.33.74.102:443
Referrer Policy:no-referrer-when-downgrade
-Response Headers-
content-length:26
content-type:application/json
date:Wed, 07 Mar 2018 16:09:04 GMT
status:401
via:1.1 bc6981f82440e44448ee5dd3577bf4f4.cloudfront.net (CloudFront)
x-amz-cf-id:hqwVmcSV4AIzqEVAWtKkzBMX1PoflDjtTrw25BjzAoCoIlodr_QAgQ==
x-amzn-errortype:UnauthorizedException
x-amzn-requestid:db1c7368-2221-11e8-824f-8ba7016060e7
x-cache:Error from cloudfront
-Request Headers-
:authority:0x24uh9sqk.execute-api.us-east-1.amazonaws.com
:method:GET
:path:/dev/user-profile
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, br
accept-language:en
authorization:Bearer ***mUuZ
origin:http://127.0.0.1:8100
referer:http://127.0.0.1:8100/
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Execution log for request test-request
Wed Mar 07 16:09:34 UTC 2018 : Starting authorizer: pylynn for request: test-request
Wed Mar 07 16:09:34 UTC 2018 : Incoming identity: ***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************cQmUuZ
Wed Mar 07 16:09:34 UTC 2018 : Endpoint request URI: https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:550212734867:function:custom-authorizer/invocations
Wed Mar 07 16:09:34 UTC 2018 : Endpoint request headers: {x-amzn-lambda-integration-tag=test-request, Authorization=*******************************************************************************************************************************************************************************************************************************************************************************************************a1ca47, X-Amz-Date=20180307T160934Z, x-amzn-apigateway-api-id=0x24uh9sqk, Accept=application/json, User-Agent=AmazonAPIGateway_0x24uh9sqk, X-Amz-Security-Token=AgoGb3JpZ2luEJz//////////wEaCXVzLWVhc3QtMSKAAgVCzhSjc2yH1LAC67+VR4mSHlNUTmV4z3f6Qr7A5hbVGMRWtZPkB3/XyipQm/YSGgcvQA/gwaBr029TbREln3wpmIKjws4pj7N40XHfyhb+5erPbj3NzPmKv4B0EcaukgqebsdszNonVHJaY8xg3AvlQE5Y3gJJuGF/pj2ECBrgK6MI0v1TcOPyCXayH7VSiPXKyTtmGW6cPna3O0AF1uXmc7tNI+NpjIR//o3ZThPLVbvij/LpBLhx0gUh5/+vxrvvywRxIg9BqioBRKHBbJh2JWIueAXxgc4GNrhTVASjqH3vYKVg+UhK9iF+2PJ5trc1Z2J0419Anz4+egm6DC8qiQIIkf//////////ARAAGgw1NTAyMTI3MzQ4NjciDE+/m0P+MlN38lC14yrdAeOd2iAef+mb+2M0MfdVDwfCzr2AClG6U8MK [TRUNCATED]
Wed Mar 07 16:09:34 UTC 2018 : Endpoint request body after transformations: {"type":"TOKEN","methodArn":"arn:aws:execute-api:us-east-1:550212734867:0x24uh9sqk/null/GET/","authorizationToken":"Bearer ****mUuZ"}
Wed Mar 07 16:09:34 UTC 2018 : Sending request to https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:550212734867:function:custom-authorizer/invocations
Wed Mar 07 16:09:35 UTC 2018 : Authorizer result body before parsing: {"principalId":"user","policyDocument":{"Version":"2012-10-17","Statement":[{"Action":"execute-api:Invoke","Effect":"allow","Resource":"arn:aws:execute-api:us-east-1:550212734867:0x24uh9sqk/null/GET/"}]}}
Wed Mar 07 16:09:35 UTC 2018 : Using valid authorizer policy for principal: **er
Wed Mar 07 16:09:35 UTC 2018 : Successfully completed authorizer execution
Logs from the browser requests:
Cloudwatch API Gateway OPTIONS log
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Verifying Usage Plan for request: db18a291-2221-11e8-bc27-f7bd3aa6dba6. API Key: API Stage: 0x24uh9sqk/dev
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) API Key authorized because method 'OPTIONS /user-profile' does not require API Key. Request will not contribute to throttle or quota limits
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Usage Plan check succeeded for API Key and API Stage 0x24uh9sqk/dev
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Starting execution for request: db18a291-2221-11e8-bc27-f7bd3aa6dba6
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) HTTP Method: OPTIONS, Resource Path: /user-profile
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request path:
{}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request query string:
{}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request headers: {Accept=*/*, CloudFront-Viewer-Country=US, CloudFront-Forwarded-Proto=https, CloudFront-Is-Tablet-Viewer=false, origin=http://127.0.0.1:8100, CloudFront-Is-Mobile-Viewer=false, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36, X-Forwarded-Proto=https, CloudFront-Is-SmartTV-Viewer=false, Host=0x24uh9sqk.execute-api.us-east-1.amazonaws.com, Accept-Encoding=gzip, deflate, br, access-control-request-method=GET, X-Forwarded-Port=443, X-Amzn-Trace-Id=Root=1-5aa00e9f-ecf807d2e914908483ef1fc2, Via=2.0 bc6981f82440e44448ee5dd3577bf4f4.cloudfront.net (CloudFront), access-control-request-headers=authorization, X-Amz-Cf-Id=UwM4w5MyClZq-A1OG2eVO2zZl7vIWycdi9Oczf642w5TryQLNmP08A==, X-Forwarded-For=173.56.28.23, 52.46.46.89, Accept-Language=en, CloudFront-Is-Desktop-Viewer=true}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method request body before transformations:
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Received response. Integration latency: 0 ms
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Endpoint response body before transformations:
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Endpoint response headers:
{}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method response body after transformations:
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method response headers: {Access-Control-Allow-Origin=*, Access-Control-Allow-Methods=GET,OPTIONS, Access-Control-Allow-Headers=Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token, Content-Type=application/json}
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Successfully completed execution
(db18a291-2221-11e8-bc27-f7bd3aa6dba6) Method completed with status: 200
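For a TOKEN authorizer, API Gateway answers 401 without calling the Lambda when the identity source header is missing or empty, or when the token fails the configured validation expression. The sketch below is an added example, not code from this issue or from the book it refers to. It replays that pre-invocation check locally. The authorizer settings, the token and the function names are constructed placeholders, because the issue does not show the authorizer configuration.

```javascript
// Added example, not code from the issue or the book it refers to.
// Hypothetical authorizer settings (constructed); the real values come from the
// API Gateway console or `aws apigateway get-authorizers --rest-api-id <api-id>`.
const sampleAuthorizer = {
  type: 'TOKEN',
  identitySource: 'method.request.header.Authorization',
  identityValidationExpression: null,
};
// Request headers shaped like the failing GET above; the token is a constructed
// placeholder because the page masks the real one.
const sampleGetHeaders = {
  authorization: 'Bearer aaaa.bbbb.cccc',
  origin: 'http://127.0.0.1:8100',
};

// Header name the gateway reads, taken from "method.request.header.<Name>".
function identityHeaderName(authorizer) {
  const m = /^method\.request\.header\.(.+)$/.exec(authorizer.identitySource || '');
  if (!m) throw new Error(`unsupported identity source: ${authorizer.identitySource}`);
  return m[1];
}

// Predicts whether a request reaches the authorizer Lambda at all.
function preInvokeCheck(authorizer, headers) {
  const wanted = identityHeaderName(authorizer).toLowerCase();
  const hit = Object.entries(headers).find(([name]) => name.toLowerCase() === wanted);
  const token = hit ? String(hit[1]) : '';
  if (token.trim() === '') {
    return { invoked: false, status: 401, reason: `header "${wanted}" missing or empty` };
  }
  const expr = authorizer.identityValidationExpression;
  if (expr && !new RegExp(expr).test(token)) {
    return { invoked: false, status: 401, reason: 'token fails validation expression' };
  }
  return { invoked: true, status: null, reason: 'token is passed to the Lambda' };
}

// Three configurations checked against the same request.
function triage(headers) {
  const jwtOnly = '^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$';
  return {
    asConfigured: preInvokeCheck(sampleAuthorizer, headers),
    wrongHeader: preInvokeCheck(
      { ...sampleAuthorizer, identitySource: 'method.request.header.authorizationToken' }, headers),
    strictRegex: preInvokeCheck(
      { ...sampleAuthorizer, identityValidationExpression: jwtOnly }, headers),
  };
}
console.log(triage(sampleGetHeaders));
```

Feeding it the settings of the authorizer that is actually deployed to the stage, together with the exact headers of the failing request, shows whether the 401 can be explained before the Lambda is ever reached.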