When will AppSync Lambda authorization stop requiring an Authorization header?

0

According to this article, as of 2024-04-09 AppSync is passing request headers to Lambda authorization functions. The headers AND cookies are part of the event.requestHeaders object. This means we can now authenticate requests using cookies and headers besides Authorization.

Unfortunately, AppSync still requires the Authorization header to be set for the request to be passed to the Lambda authorizer function. From my testing, it only requires a single character, but it must be present.

Are there plans to remove this requirement now that other headers and cookies can be used for authentication?

-- Frank

Frank
asked 15 days ago, 70 views
1 Answer
1
Accepted Answer

Hello Frank,

Thank you for posting on AWS re:Post forum. My name is Tom.

Upon further research, I see that, as of now, AppSync still requires the "Authorization" header to be included when requests are passed in to the Lambda authorizer function. Reading further in the posted article, I can see that the Authorization header is still necessary as it is used for caching the response from the Lambda function.

"When using custom authorizers, developers can continue to use the AppSync functionality that allows them to cache the response from their Lambda function based on the value of the authorization header."

To ensure AppSync caches the authorization response correctly, your application may set the Authorization header to the same value as the application request headers, if the Lambda authorizer is making authorization decisions based only on the application request headers' values.

I can see the benefits of omitting Authorization headers in situations where application request headers suffice for authorization purposes. I have informed the AppSync service team of this feature request. With that said, omitting Authorization headers through AppSync configuration requires rigorous testing and troubleshooting from the AppSync service team to ensure compatibility and security, and therefore, we are not able to provide a definitive timeline on when such a feature will be made available.

I hope the above information is helpful. Thank you for posting on AWS re:Post forum and offering suggestions to make AppSync better. Have a nice day!

AWS
SUPPORT ENGINEER
Tom_T
answered 8 days ago
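
The caching point in the answer above, as an added example (not code from the thread or from AWS): a Lambda authorizer that decides on a cookie in `event.requestHeaders` and returns `ttlOverride: 0` whenever the Authorization header is not the credential it decided on, so an "allow" is never cached under a placeholder value shared by every caller. The cookie name `session`, the `<user>.<HMAC>` cookie format and the key are assumptions made for the sketch.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: fetched from a secret store in practice
COOKIE_NAME = "session"           # assumption: hypothetical cookie name


def sign(user_id: str) -> str:
    """Build the constructed cookie value '<user_id>.<hex HMAC-SHA256>'."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify(value: str):
    """Return the user id if the cookie value carries a valid MAC, else None."""
    user_id, _, _mac = value.rpartition(".")
    if not user_id:
        return None
    ok = hmac.compare_digest(sign(user_id).encode(), value.encode())
    return user_id if ok else None


def cookie_value(header: str, name: str) -> str:
    """Extract one cookie from a Cookie header; empty string if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def handler(event, context=None):
    # Match header names case-insensitively.
    headers = {k.lower(): v for k, v in (event.get("requestHeaders") or {}).items()}
    credential = cookie_value(headers.get("cookie", ""), COOKIE_NAME)
    user_id = verify(credential)
    if user_id is None:
        return {"isAuthorized": False, "ttlOverride": 0}
    response = {"isAuthorized": True, "resolverContext": {"userId": user_id}}
    # AppSync caches on the Authorization header value. Leave the API's TTL in
    # effect only when that header is the credential this decision was made on;
    # otherwise disable caching for this response.
    if event.get("authorizationToken") != credential:
        response["ttlOverride"] = 0
    return response
```

With a one-character placeholder in the Authorization header, every response from this handler is uncached; caching only applies when the client sends the session value in both places.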
