It seems you're experiencing issues with authentication caching for your Client Certificate Authorization in API Gateway. There are a few potential reasons why the caching might not be working as expected:
- Identity Source Configuration: For caching to work effectively, you need to ensure that you have specified at least one identity source for your authorizer. The identity source serves as the cache key. In your case, you've tried using 'Context' in IdentitySource with the value RequestContext.Identity.ClientCert.ClientCertPem, and also Identity.ClientCert.SerialNumber. Make sure these are correctly configured and match the actual data in the request.
- Cache Key Consistency: Verify that the parameters in your identity sources remain consistent between requests. If any part of the cache key changes, even slightly, it will trigger a new Lambda invocation. This could explain why your authorizer is being called twice within the TTL.
- TTL Configuration: Ensure that the TTL (Time to Live) for the cached authorizer results is set correctly. The maximum TTL is 3600 seconds (1 hour). If it's set too low, it might cause frequent re-authorizations.
- Route-specific Caching: By default, API Gateway uses the cached authorizer response for all routes of an API that use the authorizer. If you need route-specific caching, you should add $context.routeKey to your authorizer's identity sources.
- Simple Responses: If you've enabled simple responses for your authorizer, it might affect the caching behavior. For more granular permissions and potentially better caching, consider disabling simple responses and returning an IAM policy instead.
To troubleshoot further:
- Double-check all authorizer settings, especially those related to caching.
- Enable access logs for your API and examine them to understand the authorizer's behavior.
- Verify that the client is sending consistent certificate information in subsequent requests.
If the issue persists after checking these points, you may need to review your Lambda authorizer implementation to ensure it's handling the certificate information consistently and returning appropriate responses for caching.
Sources
- Authentication caching is not working as expected | AWS re:Post
- Control access to HTTP APIs with AWS Lambda authorizers - Amazon API Gateway
- Authorizer - Amazon API Gateway
By analysing the question I understand that you're experiencing an issue where the authorizer Lambda is being invoked twice within the TTL (Time to Live) period, despite having caching enabled. Lambda can be invoked twice due to any of the following reasons:
- Verify that the TTL is set correctly in your API Gateway stage settings, because a value of 0 or a very low value might cause frequent re-authorisations.
- API Gateway caches the policy document returned by the authorizer, not the entire authorization context. Ensure your Lambda function is returning a consistent policy for the same client certificate.
- Kindly check whether your API is deployed across multiple Availability Zones or Regions; each instance might have its own cache. This could lead to multiple authoriser invocations.
- Check if there's any cache invalidation happening, either manually or through some automated process.
- Also, if you're using stage variables in your authoriser configuration, changes to these variables can cause cache misses.
- Moreover, make sure you're using a consistent and unique identifier for the caching key. The 'Context' key in the IdentitySource should be a value that remains constant for the same client certificate. The ClientCertPem might be too long or variable. Try using a more concise identifier such as:
  - the certificate's serial number (as you mentioned)
  - the certificate's subject DN (Distinguished Name)
  - a hash of the certificate
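Both answers above turn on the same two facts: the cache key is whatever the authorizer's identity sources resolve to (for an HTTP API, a context variable such as `$context.authentication.clientCert.serialNumber`, which is my reading of the HTTP API docs, not something stated in the thread), and the cached value is the policy the function returns, so the function must return the same decision for the same certificate every time. The following is an added example, not code from the thread or from AWS: a Python Lambda authorizer for an HTTP API (payload format 2.0, where the certificate API Gateway has already validated appears under `requestContext.authentication.clientCert`) that authorizes on the certificate's serial number, computes a SHA-256 fingerprint of the certificate for logging and pinning, and returns an IAM policy rather than a simple response. The allow list, the sample PEM (whose body is base64 of "abc", not real DER) and the `make_event` helper are constructed for the example.

```python
"""Added example (not from the thread): a Lambda authorizer for an API Gateway
HTTP API that authenticates the mutual-TLS client certificate and returns an
IAM policy.  It assumes the documented authorizer payload format 2.0, where the
certificate API Gateway validated sits under
requestContext.authentication.clientCert.  The allow list is constructed data.
"""
import base64
import hashlib
import json

# Constructed allow list for the example: the serial number API Gateway reports
# (colon-separated hex) mapped to the principal it identifies.
ALLOWED_SERIALS = {
    "0a:1b:2c:3d:4e:5f": "device-001",
}

# Constructed stand-in for a PEM certificate.  The body is base64("abc"), not
# real DER, so that the fingerprint below is a known SHA-256 test vector.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes inside a PEM block, as lowercase hex.

    The fingerprint is stable across requests for the same certificate, which
    makes it a good value to log and to pin.  It does not influence the
    authorizer cache key: API Gateway derives that only from the configured
    identity sources (e.g. $context.authentication.clientCert.serialNumber).
    """
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def build_policy(principal_id, effect, resource, context):
    """IAM-policy style response (the format used when simple responses are off)."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
        # Context values must be strings, numbers or booleans; they reach the
        # integration and are cached together with the policy.
        "context": context,
    }


def lambda_handler(event, _context):
    """Authorize a request from the client certificate in the event."""
    cert = (
        event.get("requestContext", {}).get("authentication", {}).get("clientCert")
    )
    route_arn = event.get("routeArn", "*")
    if not cert:
        # No certificate means mTLS is not enforced on this domain or the
        # payload format is not 2.0.  Deny explicitly instead of raising so the
        # result is a well-formed, cacheable response.
        return build_policy("anonymous", "Deny", route_arn, {})

    serial = cert["serialNumber"].lower()
    principal = ALLOWED_SERIALS.get(serial)
    effect = "Allow" if principal else "Deny"
    ctx = {
        "serialNumber": serial,
        "fingerprint": cert_fingerprint(cert["clientCertPem"]),
        "subjectDN": cert.get("subjectDN", ""),
    }
    # Same certificate -> same policy every time.  A decision that varies
    # between calls for the same identity source looks exactly like a cache miss.
    return build_policy(principal or "unknown", effect, route_arn, ctx)


def make_event(serial, pem=SAMPLE_PEM,
               route_arn="arn:aws:execute-api:us-east-1:123456789012:api1/$default/GET/orders"):
    """Constructed authorizer event in payload format 2.0 (only the fields used here)."""
    return {
        "version": "2.0",
        "type": "REQUEST",
        "routeArn": route_arn,
        "routeKey": "GET /orders",
        "requestContext": {
            "authentication": {
                "clientCert": {
                    "clientCertPem": pem,
                    "subjectDN": "CN=device-001",
                    "issuerDN": "CN=Example Device CA",
                    "serialNumber": serial,
                }
            }
        },
    }


if __name__ == "__main__":
    print(json.dumps(lambda_handler(make_event("0A:1B:2C:3D:4E:5F"), None), indent=2))
```

The serial is lower-cased before lookup so that a certificate presented with differently cased hex still maps to the same decision; whether two such requests share a cache entry, however, is decided by API Gateway's identity-source comparison, not by anything this function does, which is why the identity source should be a short, stable value rather than the full PEM.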