Yes. At the end of the example authorizer in the docs (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html), there is a way to output optional data. Updating with your values, it would be something like this:
```javascript
// Optional output with custom properties of the String, Number or Boolean type.
authResponse.context = {
  "errorCode": "xyz_12#",
  "errorType": "Constraint error",
  "errorMessage": "Need permission to perform this action"
};
```
In the body mapping template, you'd access these as follows:
```json
{"errorCode": "$context.authorizer.errorCode", "errorType": "$context.authorizer.errorType"}
```
The one caveat here is that you can't specify the HTTP error code. The authorizer has to generate a 'Deny' policy which then results in an HTTP 403.
More discussion is available here: https://stackoverflow.com/questions/47921803
There are 4 response options when using a custom authorizer:
- 200 - Function returned a valid allow policy
- 401 "Unauthorized" - Function threw an error
- 403 "Access Denied" - Function returned a valid Deny policy
- 500 - Anything other than the above was returned
The intuition when throwing an error is that the response message would be the body provided in the error, like so: `throw new Error("My unauthorized message");`. However, the error response from the Lambda authorizer will always be `{ "message": "Unauthorized" }` from API Gateway, regardless of what message is provided.
The only way to provide a custom message is to provide it in the authorizer context of the deny policy and then replace the default 403 message with the message from the authorizer context using a response mapping template.
Step 1: Update the function to return a deny policy with custom message
Example JavaScript code:
```javascript
exports.handler = async (event) => {
  return {
    "principalId": "yyyyyyyy", // The principal user identification associated with the token sent by the client.
    "policyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Effect": "Deny",
          "Resource": "arn:aws:execute-api:ca-central-1:123465607:deployid/*/GET/*" // the ARN of the endpoints you want to deny access to
        }
      ]
    },
    "context": {
      "errorMessage": "YOUR CUSTOM MESSAGE"
    }
  };
};
```
Step 2: Add a response mapping template to map the "Access Denied" response to the custom message. You could also change the response code from 403 to 401 at this point if that is more appropriate.
```json
{"message": "$context.authorizer.errorMessage"}
```
Step 3: Deploy the API
Step 4: Test the API by triggering an action that returns the deny policy with the custom error message. Verify that it returns the 401 response code with the correct message.
Also, in the AWS Console, you can use the "Authorizers" section of the API Gateway to test your authorizer. If configured as described above, the authorizer test will return a 200 response with the deny policy. That 200 response is mapped to a 403 if the policy effect is deny or allows access to the function if the policy effect is allow.
I have tried everything and nothing works for me. I want to customize the error message in the Lambda authorizer if the token is expired or malformed. Followed this post as well: https://stackoverflow.com/questions/47921803 . This is the main problem.
Another weird problem I am facing is that the callback with custom errors also does not work in simple Lambda calls. I am really tired of this. Can someone please guide me on how to resolve it? It gives me InvokeError. Secondary:
```javascript
callback("unauthorized"); // not working
return callback(new Error(JSON.stringify(myErrorObj))); // not working
```
This seems to only apply to the API Gateway V1 (REST), not to the V2 (HTTP) API Gateway. I really need something like this for the V2 API Gateway and a custom authorizer.
Should the mapping template be the following?