API Gateway Options method throwing 403

I have a Custom Authorizer with API Gateway. When deployed through the SAM module it also creates an OPTIONS method when you enable CORS. The thing I really don't understand is why the custom authorizer gets attached to the OPTIONS endpoint.

This throws 403 when I try to call the endpoint from the browser, and works perfectly fine when I remove Authorization from the OPTIONS method.

Below is the template.yaml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Globals:
  Function:
    Runtime: nodejs8.10
  Api:
    # Enabling Cors makes SAM generate an OPTIONS (preflight) method for every path
    Cors:
      AllowMethods: "'*'"
      AllowHeaders: "'*'"
      AllowOrigin: "'*'"

Resources:
  TestApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: dev
      Auth:
        # Applied to every method on this API, including the generated OPTIONS methods
        DefaultAuthorizer: testAuthoriser
        Authorizers:
          testAuthoriser:
            # Lambda (TOKEN) authorizer; the function ARN is imported from another stack's export
            FunctionArn:
              Fn::ImportValue: !Sub test-custom-autoriser
            Identity:
              Header: Authorization
              ValidationExpression: ^Bearer [-0-9a-zA-Z\._]*$
              ReauthorizeEvery: 30   # cache the authorizer result for 30 seconds

  Version:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: test
      CodeUri: src/test
      Handler: index.test
      Events:
        EndPoint:
          Type: Api
          Properties:
            RestApiId: !Ref TestApi
            Path: /test
            Method: get
            Auth:
              Authorizer: testAuthoriser

I have enabled the 'Access-Control-Allow-Origin': '*' header in the response as well. I'm not sure what's going on here. Any help would be appreciated.

Balfour answered 18/1, 2019 at 21:26

Comment (Moffat): Hey, did you manage to figure out how to remove the authorizer from the OPTIONS method?

Here's the answer; see the AWS SAM issue here:

Api:
  Cors:
    AllowHeaders: "'Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization'"
    AllowOrigin: "'*'"
  Auth:
    DefaultAuthorizer: CognitoAuthorizer
    Authorizers:
      CognitoAuthorizer:
        UserPoolArn: yourUserPool
    AddDefaultAuthorizerToCorsPreflight: false   # <== this line
Moffat answered 20/5, 2020 at 20:36

Comment (Cocteau): This is the correct answer. If you're setting a DefaultAuthorizer and are also using the Cors property, then the OPTIONS method of the API for the CORS preflight will use that default authorizer. You probably don't want this, since your browser likely won't properly handle authorization for those calls to OPTIONS. See the AWS SAM documentation on this topic.

For CORS, AWS API Gateway will always enable the OPTIONS method to allow the preflight check. You can read more on that in the docs.

The reason you are seeing the preflight error in your browser is that the 403 Forbidden is coming from your Custom Authorizer. A Custom Authorizer does not return headers, so you will always see a preflight error if the request is rejected by the Custom Authorizer.

To debug this, log the policy your Custom Authorizer is returning. You can then see it in CloudWatch. The policy must contain an Allow statement for the Resource being requested.

Curitiba answered 18/1, 2019 at 22:07

Comment (Balfour): The policy does contain the Allow statement:

    {
      "principalId": "",
      "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          { "Action": "execute-api:Invoke", "Effect": "Allow", "Resource": "arn:RemaingArn" }
        ]
      },
      "context": { "scope": "aws.cognito.signin.user.admin" }
    }

As mentioned, if authorization is removed from OPTIONS everything works as expected.

Comment (Curitiba): I would suggest populating principalId with the userId. Also, I'm not sure why context is there in the policy, as it does not serve any purpose from the custom authorizer's point of view. Try removing it. Finally, ensure RemainArn matches the actual resource. You can try with a wildcard just for testing: arn:aws:execute-api:*:*:*

Comment (Balfour): I tried the above suggestion but have the same problem. I believe it's API Gateway causing the issue.

Comment (Balfour): Similar to this one: https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer

© 2022 - 2024 — McMap. All rights reserved.