I understand you're experiencing issues with authentication caching for your Lambda Authorizer using Certificate authentication. Let's address your questions:
- Regarding the SAM template deployment: It's difficult to pinpoint the exact cause of the error without more details. However, there could be a mismatch between the SAM template configuration and the actual Lambda function setup. Ensure that all required properties for the Lambda authorizer are correctly specified in the SAM template, including the authorizer URI, identity sources, and any other relevant settings. Also, verify that the permissions are set correctly for API Gateway to invoke the Lambda function.
- Concerning the caching issue when using AWS CLI: The behavior you're describing, where the authorizer Lambda is invoked twice despite setting a TTL of 120 seconds, suggests that the caching mechanism isn't working as expected. There are a few potential reasons for this:
a) Identity Sources: Caching for Lambda authorizers uses the authorizer's identity sources as the cache key. Ensure that you have specified at least one identity source for your authorizer. If no identity sources are defined, caching won't work effectively.
b) Cache Key: By default, API Gateway uses the cached authorizer response for all routes of an API that use the authorizer. If you need route-specific caching, you should add $context.routeKey to your authorizer's identity sources.
c) Simple Responses: If you've enabled simple responses for your authorizer, it might affect the caching behavior. For more granular permissions and potentially better caching, consider disabling simple responses and returning an IAM policy instead.
d) Payload Format: Ensure you're using the correct payload format version for your Lambda authorizer. The format version affects the structure of data sent to and received from the authorizer, which could impact caching.
e) Cache Key Consistency: Verify that the parameters in your identity sources remain consistent between requests. If any part of the cache key changes, it will trigger a new Lambda invocation.
To troubleshoot further, you can enable access logs for your API and examine them to understand the authorizer's behavior. Also, double-check the AWS CLI command you're using to update the authorizer, ensuring all parameters, especially those related to caching, are correctly set.
Remember, the maximum TTL for cached authorizer results is 3600 seconds (1 hour). If you need to force a reauthorization, you can include $context.routeKey in your identity sources to cache responses per route instead of globally for the API.
Sources
Control access to HTTP APIs with AWS Lambda authorizers - Amazon API Gateway
update-authorizer — AWS CLI 2.24.15 Command Reference
LambdaTokenAuthorizationIdentity - AWS Serverless Application Model
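The IAM-policy style response that the answer suggests (simple responses disabled, payload format version 2.0), as an added example that is not part of the answer or of any AWS sample. It assumes the client certificate from mutual TLS is delivered under `requestContext.authentication.clientCert`, and `ALLOWED_ISSUER_DN` together with the sample event are constructed placeholders.

```python
# Added example: HTTP API Lambda authorizer returning an IAM policy (not a simple response).
# Assumed: mTLS certificate details arrive under requestContext.authentication.clientCert.

# Constructed placeholder; a real deployment compares against its own CA's issuer DN.
ALLOWED_ISSUER_DN = "CN=Example Internal CA,O=Example Corp"


def client_cert_from_event(event):
    """Return the client certificate block attached by API Gateway after mTLS, or None."""
    auth = event.get("requestContext", {}).get("authentication") or {}
    return auth.get("clientCert")


def decide(event):
    """Allow only when a client certificate is present and issued by the expected CA."""
    cert = client_cert_from_event(event)
    if not cert or cert.get("issuerDN") != ALLOWED_ISSUER_DN:
        return "Deny", "anonymous"
    return "Allow", cert.get("subjectDN", "unknown")


def build_policy(effect, principal_id, route_arn, context=None):
    """Response shape used when EnableSimpleResponses is false.
    API Gateway caches this whole document under the identity-source cache key."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": route_arn}
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": context or {},
    }


def handler(event, context=None):
    effect, principal = decide(event)
    # Resource is scoped to the route that was called. Unless $context.routeKey is part of
    # the identity sources, this cached policy is reused for every route of the API.
    return build_policy(effect, principal, event["routeArn"],
                        {"routeKey": event.get("routeKey", "")})


# Constructed sample event mirroring payload format version 2.0 (values are made up).
SAMPLE_EVENT = {
    "version": "2.0", "type": "REQUEST", "routeKey": "GET /orders",
    "routeArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/$default/GET/orders",
    "identitySource": ["GET /orders"],
    "requestContext": {"authentication": {"clientCert": {
        "subjectDN": "CN=device-42,O=Example Corp",
        "issuerDN": ALLOWED_ISSUER_DN, "serialNumber": "01"}}},
}
```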

Does it matter if the authorizer Lambda timeout is less than the TTL in caching?