[英]API Gateway Custom Authorizer: Control error message and code
I have a custom authorizer for my Gateway API. 我的Gateway API有自定义授权器。 I've read many articles on how to customize the error message and code returned to end user when on authentication or authorization errors.
我已经阅读了许多关于如何在验证或授权错误时自定义错误消息和返回给最终用户的代码的文章。 This one seemed the most useful .
这个似乎最有用 。
Problem is the API Gateway doesn't behave as documented. 问题是API网关的行为与记录不符。
My custom authorizer implementation (python): 我的自定义授权器实现(python):
def lambda_handler(event, context):
raise Exception('the sky is falling!')
When I call the API using curl: 当我使用curl调用API时:
kash@Laptop$ date; curl -i -X GET -H "Authorization: Bearer 1234abcd`date +%s`" https://xxxx.execute-api.us-west-2.amazonaws.com/prod/ticket
Mon Jun 4 12:27:51 CDT 2018
HTTP/1.1 500 Internal Server Error
Date: Mon, 04 Jun 2018 17:27:53 GMT
Content-Type: application/json
Content-Length: 16
Connection: keep-alive
x-amzn-RequestId: 9cc6d7ce-681c-xxxx-8a4a-23a7616ba4a5
x-amzn-ErrorType: AuthorizerConfigurationException
x-amz-apigw-id: xxxx=
{"message":null}
kash@Laptop$
How do I make it return HTTP 4xx with {"message": "the sky is falling!"}
? 如何让它返回带有
{"message": "the sky is falling!"}
HTTP 4xx {"message": "the sky is falling!"}
?
For debugging: I went to Gateway Responses under my API and updated the "Body Mapping Templates" for "Authorizer Configuration Error (500)" from this: 为了调试:我在我的API下进入了网关响应并更新了“主机映射模板”中的“授权器配置错误(500)”:
{"message":$context.error.messageString}
to this: 对此:
{
"errorMessage":"$errorMessage",
"messageString":"$messageString",
"context.errorMessage":"$context.errorMessage",
"context.messageString":"$context.messageString",
"context.error.errorMessage":"$context.error.errorMessage",
"context.error.messageString":"$context.error.messageString",
"context.authorizer.error.errorMessage":"$context.authorizer.error.errorMessage"
"context.authorizer.error.errorMessage":"$context.authorizer.error.errorMessage"
"context.authorizer.errorMessage":"$context.authorizer.errorMessage"
"context.authorizer.messageString":"$context.authorizer.messageString"
"type": "$context.error.responseType",
"statusCode": "'404'",
"stage": "$context.stage",
"resourcePath": "$context.resourcePath",
"stageVariables.a": "$stageVariables.a",
"context.apiId": "$context.apiId",
"context.authorizer.claims.property": "$context.authorizer.claims.property",
"context.authorizer.principalId": "$context.authorizer.principalId",
"context.authorizer.property": "$context.authorizer.property",
"context.httpMethod": "$context.httpMethod",
"context.error.message": "$context.error.message",
"context.error.messageString": "$context.error.messageString",
"context.error.responseType": "$context.error.responseType",
"context.extendedRequestId": "$context.extendedRequestId",
"context.identity.accountId": "$context.identity.accountId",
"context.identity.apiKey": "$context.identity.apiKey",
"context.identity.apiKeyId": "$context.identity.apiKeyId",
"context.identity.caller": "$context.identity.caller",
"context.identity.cognitoAuthenticationProvider": "$context.identity.cognitoAuthenticationProvider",
"context.identity.cognitoAuthenticationType": "$context.identity.cognitoAuthenticationType",
"context.identity.cognitoIdentityId": "$context.identity.cognitoIdentityId",
"context.identity.cognitoIdentityPoolId": "$context.identity.cognitoIdentityPoolId",
"context.identity.sourceIp": "$context.identity.sourceIp",
"context.identity.user": "$context.identity.user",
"context.identity.userAgent": "$context.identity.userAgent",
"context.identity.userArn": "$context.identity.userArn",
"context.integrationLatency": "$context.integrationLatency",
"context.path": "$context.path",
"context.protocol": "$context.protocol",
"context.requestId": "$context.requestId",
"context.requestTime": "$context.requestTime",
"context.requestTimeEpoch": "$context.requestTimeEpoch",
"context.resourceId": "$context.resourceId",
"context.resourcePath": "$context.resourcePath",
"context.responseLength": "$context.responseLength",
"context.responseLatency": "$context.responseLatency",
"context.status": "$context.status",
"context.stage": "$context.stage"
}
and the response is: 并且响应是:
{
"errorMessage":"",
"messageString":"",
"context.errorMessage":"",
"context.messageString":"",
"context.error.errorMessage":"",
"context.error.messageString":"null",
"context.authorizer.error.errorMessage":""
"context.authorizer.error.errorMessage":""
"context.authorizer.errorMessage":""
"context.authorizer.messageString":""
"type": "AUTHORIZER_CONFIGURATION_ERROR",
"statusCode": "'404'",
"stage": "prod",
"resourcePath": "/ticket",
"stageVariables.a": "",
"context.apiId": "xxxx",
"context.authorizer.claims.property": "",
"context.authorizer.principalId": "",
"context.authorizer.property": "",
"context.httpMethod": "GET",
"context.error.message": "",
"context.error.messageString": "null",
"context.error.responseType": "AUTHORIZER_CONFIGURATION_ERROR",
"context.extendedRequestId": "xxxx=",
"context.identity.accountId": "",
"context.identity.apiKey": "",
"context.identity.apiKeyId": "",
"context.identity.caller": "",
"context.identity.cognitoAuthenticationProvider": "",
"context.identity.cognitoAuthenticationType": "",
"context.identity.cognitoIdentityId": "",
"context.identity.cognitoIdentityPoolId": "",
"context.identity.sourceIp": "xxx.244.xxx.2",
"context.identity.user": "",
"context.identity.userAgent": "curl/7.47.0",
"context.identity.userArn": "",
"context.integrationLatency": "",
"context.path": "/prod/ticket",
"context.protocol": "HTTP/1.1",
"context.requestId": "57e2462d-681c-xxxx-7dd93186dc68",
"context.requestTime": "04/Jun/2018:17:25:57 +0000",
"context.requestTimeEpoch": "1528133157762",
"context.resourceId": "pz9fb8",
"context.resourcePath": "/ticket",
"context.responseLength": "",
"context.responseLatency": "",
"context.status": "",
"context.stage": "prod"
}
I've read: 我读了:
and some more on AWS forums. 还有一些在AWS论坛上。
In case it helps someone: 万一它可以帮助某人:
CA = custom authorizer CA =自定义授权程序
Other unrelated thing: Because the CA throws an exception in certain conditions to convey auth failure, from a metric point of view this increments the Lambda ErrorCount metric. 其他无关的事情:因为CA在某些条件下抛出异常来传递auth失败,从度量的角度来看,这会增加Lambda ErrorCount度量。 So that metric isn't reliable to identify "application errors".
因此,该指标对于识别“应用程序错误”是不可靠的。
the mapping of authorizer and gateway response is done through 授权者和网关响应的映射是通过完成的
https://docs.aws.amazon.com/apigateway/latest/developerguide/supported-gateway-response-types.html https://docs.aws.amazon.com/apigateway/latest/developerguide/supported-gateway-response-types.html
you can change the return status code there to customize the status code. 您可以在那里更改返回状态代码以自定义状态代码。
As to error message, i just tried adding a field to my context output by authorizer, as documented here, https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html 至于错误消息,我只是尝试通过授权器向我的上下文输出添加一个字段,如此处所述, https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output。 HTML
and referring to that field in my template mapping for access_denied as $context.authorizer.myErrorMsg 并在我的模板映射中引用access_denied为$ context.authorizer.myErrorMsg的字段
and it works if my authorizer outputs a deny policy document. 如果我的授权人输出拒绝政策文件,它就有效。
Hope it helps 希望能帮助到你
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.