Hey,
I've created a custom authorizer to an API Gateway, and attached it to some relevant endpoints (same authorizer for multiple endpoints).
The authorizer verifies a given JWT token against the Auth0 service.
The "Authorization Caching" was set to 5 minutes (the default value), and the identitySource was set to be the Authorization header, but while QAing the flow, some strange behavior occurred.
The first problem is that the first time I send a request I get a 200 response, but for any subsequent (identical) request I get a 403 response with this message:
User is not authorized to access this resource
The second problem is that I then tried to disable the "Authorization Caching", but it took ~24 hours for this configuration change to take effect.
Once the Authorization Caching was disabled, every request returned a 200 response.
This is the policyDocument that gets returned when the user is successfully verified:

    {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: 'Allow',
        Resource: <resourceArn>,
      }]
    }
My questions are:
- Is it possible that the "Authorization Caching" configuration is cached?
- If so, what's the way to invalidate that?
- If not, how come that modifying the configuration doesn't affect the behavior?
- What can be the reason for the first problem, where only the first request succeeds and any subsequent request fails?
- Is it possible that the value provided to the identitySource (i.e. the cached value) has a maximum character limit?
Thanks in advance :)
PS: if more information is needed, I'd be happy to share.
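One thing worth checking when the same authorizer is cached and shared by several endpoints: API Gateway caches the returned policy per identitySource value and reuses it for every later request carrying that value, so a policy whose Resource is the exact methodArn of the first request only matches that one method. The example below is added here and is not code from the original post; it shows a policy builder that widens the Resource to the whole API stage, with a constructed sample methodArn (the region, account and API id are placeholders).

```javascript
"use strict";

// methodArn format passed to a Lambda (custom) authorizer:
//   arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
// Returns the same ARN with method and path replaced by wildcards, so a
// cached policy built from the first request also covers every other
// endpoint of that stage that shares the authorizer.
function stageWildcard(methodArn) {
  const [arnPrefix, ...rest] = methodArn.split("/");
  // arnPrefix = "arn:aws:execute-api:region:account:apiId", rest[0] = stage
  if (!arnPrefix.startsWith("arn:aws:execute-api:") || rest.length < 2) {
    throw new Error("unexpected methodArn: " + methodArn);
  }
  return `${arnPrefix}/${rest[0]}/*/*`;
}

// Builds the authorizer response. `effect` is "Allow" or "Deny"; note that a
// Deny policy is cached just like an Allow one for the lifetime of the cache
// entry keyed on the identitySource (the Authorization header in the post).
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{
        Action: "execute-api:Invoke",
        Effect: effect,
        Resource: stageWildcard(methodArn),
      }],
    },
  };
}

// Constructed sample event (placeholder account/API id); a real handler
// would verify the JWT against Auth0 before choosing Allow or Deny.
const sampleEvent = {
  type: "TOKEN",
  authorizationToken: "Bearer <jwt>",
  methodArn: "arn:aws:execute-api:us-east-1:123456789012:abcde12345/prod/GET/orders/42",
};

const samplePolicy = buildPolicy("auth0|user-placeholder", "Allow", sampleEvent.methodArn);
console.log(JSON.stringify(samplePolicy, null, 2));
```

With the wildcard Resource, the policy cached from the first request still matches when the same Authorization header is later sent to a different method or path on the same stage.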