'AWS API Gateway custom Authorizer strange showing error

Here is the context:

  • I set up a resource in the API gateway. /user/company
  • This resource have 2 methods. Get and POST.
  • I have configured a custom Authorizer for this resource.

The problem:

  • I can call the GET method by sending right authorization information and I get the results as expected.
  • I try to send a POST request and I get the following error:

{
  "message": "User is not authorized to access this resource"
}
  • If I wait for few minutes, then call the POST method, it will work.
  • If after calling the POST method and getting the results I call GET method, it will show the same error as mentioned above.

In addition, I have disabled cache for the authorizer.

enter image description here

What might have caused this issue?

aws-api-gatewaycustom-authentication


Solution 1:[1]

This could be fixed in two ways that are described in buggy's answer: https://forum.serverless.com/t/rest-api-with-custom-authorizer-how-are-you-dealing-with-authorization-and-policy-cache/3310

Short version:

  1. Set custom authorizer policy resource as "*"
  2. Or (if you are ok with no caching) set TTL for custom authorizer to 0

See the answer by Michael for more details

Solution 2:[2]

This error will occur if you use event.methodArn as a resource for generated policy and share an authorizer between different functions, because of how policy caching works. For provided token it caches a policy across an entire API, it will be the same cache entry for all methods and resources within the same API and stage (if they share the same authorizer).

For example, when making a request to GET /users, ARN will look something like this:

arn:aws:execute-api:us-1:abc:123/prod/GET/users

Next call to any endpoint with the same authentication token will use a cached policy, which was created on the first call to GET /users. The problem with that cached policy is that it's resource only allows a single particular resource arn: ... /prod/GET/users, any other resource will be rejected.

Depending on how much do you want to limit policy permissions, you can either mention every possible resource when creating a policy

{
  "principalId": "user",
  "policyDocument": {
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": [
          "arn:aws:execute-api:us-1:abc:123/prod/GET/v1/users",
          "arn:aws:execute-api:us-1:abc:123/prod/POST/v1/users",
          "arn:aws:execute-api:us-1:abc:123/prod/GET/v1/orders"
        ]
      }
    ],
    "Version": "2012-10-17"
  }
}

or use wildcards

"Resource": "arn:aws:execute-api:us-1:abc:123/prod/*/v?/*"

or even

"Resource": "*"

You can use policy variables for some advanced templates.

It is also possible to use a blacklist approach by allowing everything using wildcards and then denying specific resources in another policy statement.

Sources:

Solution 3:[3]

In the your custom policy build code use, the node js module aws-auth-policy The Nodejs part you can use ,

AuthPolicy.prototype.allowAllMethods = function () {
  addMethod.call(this, "allow", "*", "*", null);
}

In the code 

const AuthPolicy = require('aws-auth-policy');
  const policy = new AuthPolicy(principalId, awsAccountId, apiOptions);
           // policy.allowMethod(method, resource);
            policy.allowAllMethods();
            const authResponse = policy.build();

Solution 4:[4]

Thanks @Orest for the answer! To set a wildcard on policy resource in the Auth0 custom authorizer, go to lib.js line 57 and change:

.then((decoded)=> ({
        principalId: decoded.sub,
        policyDocument: getPolicyDocument('Allow', params.methodArn),
        context: { scope: decoded.scope }
    }));

by

.then((decoded)=> ({
        principalId: decoded.sub,
        policyDocument: getPolicyDocument('Allow', "*"),
        context: { scope: decoded.scope }
    }));

I hope it will help some...

Solution 5:[5]

I fixed this by setting the AuthorizerResultTtlInSeconds to 0.

The reason for this is that I was using a shared authorizer. However the authorizer worked by reading the event context of the request and granting an IAM to then invoke a specific lambda.

Because the authorizer was shared it was caching the response which was an IAM for a specific lambda for the TTL of (in my case) 300 seconds.

Therefore, I could call one API one minute, then not the next.

Changing the value above to 0 fixed the issue.

Solution 6:[6]

I was facing the same 'User is not authorized to access this resource' my mistake was I did not provided the OAuth Scopes in the Authorizer of my api gateway

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Eran Medan
Solution 2 Michael Radionov
Solution 3 Subrata Fouzdar
Solution 4 DoubleMiP
Solution 5 Remotec
Solution 6 Himanshi

Related Questions

Using an API key in Amazon API Gateway

Does AWS API Gateway private integration with ALB works with ALB https listener

Terraform: How to create API Gateway endpoints and methods from a list of objects?

How to use multiple Cognito user pools for a single endpoint with AWS API Gateway?

AWS API Gateway with proxy Lambda: Invalid permissions on Lambda function

AWS lambda api gateway error "Malformed Lambda proxy response"

How can I create route path in terraform for AWS apigateway version2?

How to enable Cloudwatch logging for AWS API GW via Cloudformation template

SerializationException:Start of structure or map found where not expected: API Gateway to Step function

AWS API gateway response body template mapping (foreach)

Defining URL Query String Parameters in AWS::Serverless::Api SAM template

AWS User is not authorized to access this resource

convert javascript code to bookmarklet for easy access

AWS API Gateway path based routing to private integrations

Identify Google signed in user in AWS Lambda invoked by API Gateway