API 网关返回 401 并且不调用自定义授权方

【问题标题】:API gateway returns 401 and doesn't invoke custom authorizerAPI 网关返回 401 并且不调用自定义授权方
【发布时间】:2020-04-23 15:17:08
【问题描述】:

我已经为 API 网关实现了一个自定义的“REQUEST”类型授权器,它验证在“Authorization”标头中传递的 JWT 令牌。我已经独立测试了 lambda,它按预期工作。我还将授权人附加到我的路由中,我可以在 AWS 控制台中对其进行测试 - 再次,一切似乎都正常(见图):

successful invoke via console

但是,当我尝试使用 Authorization 标头中的令牌调用端点时,我总是收到 UNAUTHORIZED 响应:

{
  "errors": [
    {
      "category": "ClientError",
      "code": "UNAUTHORIZED",
      "detail": "Unauthorized",
      "method": "GET",
      "path": "/cases",
      "requestId": "004eb254-a926-45ad-96a5-ce3527621c81",
      "retryable": false
    }
  ]
}

根据我收集到的信息,API 网关从不调用我的授权器,因为我在其 cloudwatch 中看不到任何日志事件。我能够启用我的 API 网关的 cloudwatch 日志记录,我看到的唯一日志信息如下:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|   timestamp   |                                                                                                                             message                                                                                                                              |
|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1578275720543 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Extended Request Id: F2v9WFfiIAMF-9w=                                                                                                                                                                                     |
| 1578275720543 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Unauthorized request: dac0d4f6-1380-4049-bcee-bf776ca78e5c                                                                                                                                                                |
| 1578275720543 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Extended Request Id: F2v9WFfiIAMF-9w=                                                                                                                                                                                     |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response type: UNAUTHORIZED with status code: 401                                                                                                                                                                 |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response body: {"errors": [{"category": "ClientError","code": "UNAUTHORIZED","detail": "Unauthorized","method": "GET","path": "/cases","requestId": "dac0d4f6-1380-4049-bcee-bf776ca78e5c","retryable": false }]} |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response headers: {}                                                                                                                                                                                              |
| 1578275720544 | (dac0d4f6-1380-4049-bcee-bf776ca78e5c) Gateway response type: UNAUTHORIZED with status code: 401                                                                                                                                                                 |
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

此时我完全卡住了,不知道如何进一步调试。我假设某些东西必须配置错误,但我能找到的日志信息没有给出任何问题的迹象。我还在下图中粘贴了我的授权人配置的副本:

Authorizer Configuration

Screenshot of one endpoint configured to use the authorizer

【问题讨论】:

  • 请发布您的授权人代码。我认为这就是问题所在。
  • @ArunK 我已将我的授权处理程序添加到帖子中,但我很困惑代码如何成为这里的问题。正如我在原始帖子中所说,当我将授权器作为 lambda 调用时以及当我从 API 网关授权器控制台对其进行测试时,授权器工作,并且当我通过 Curl 或邮递员向端点发出请求时,它永远不会被调用。
  • 您是否使用无服务器框架。我不这么认为?
  • 您是否将授权者 lambda 配置为任何 api 的授权者
  • 我正在使用无服务器框架,但我正在手动部署共享授权方,以便绕过此处的限制:serverless.com/framework/docs/providers/aws/events/apigateway/… 如果您认为相关,我可以发布 cloudformation。我已将授权方附加到我的许多端点,它们都表现出相同的行为。

标签: node.js amazon-web-services aws-lambda aws-api-gateway


【解决方案1】:

我发现了我遇到的问题: 我需要在端点的授权字段以及 CF 堆栈中设置 identitySource: method.request.header.Authorization。

原始 cloudformation 中的自定义授权者定义:

service: 
  name: api-base

frameworkVersion: ">=1.2.0 <2.0.0"

plugins:
  - serverless-plugin-optimize
  - serverless-offline
  - serverless-pseudo-parameters
  - serverless-domain-manager

custom:
  stage: ${self:provider.stage, 'dev'}
  serverless-offline:
    port: ${env:OFFLINE_PORT, '4000'}
  false: false
  cognitoStack: marley-auth
  customDomain:
    domainName: ${env:BE_HOST, ''}
    enabled: ${env:EN_CUSTOM_DOMAIN, self:custom.false}
    stage: ${self:provider.stage, 'dev'}
    createRoute53Record: true

provider:
  name: aws
  runtime: nodejs10.x
  versionFunctions: true
  apiName: public
  logs:
    restApi: true
  stackTags:
      COMMIT_SHA: ${env:COMMIT_SHA, 'NO-SHA'}
  environment:
    USER_POOL_ID: ${cf:${self:custom.cognitoStack}-${self:custom.stage}.UserPoolId}
    CLIENT_ID: ${cf:${self:custom.cognitoStack}-${self:custom.stage}.UserPoolClientId}
  timeout: 30
  iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "lambda:InvokeFunction"
    Resource: "*"

functions:
  authorizer:
    handler: handler/authorize.handler

resources:
  - Outputs:
      ApiGatewayRestApiId:
        Value:
          Ref: ApiGatewayRestApi
        Export:
          Name: ${self:custom.stage}-${self:provider.apiName}-ApiGatewayRestApiId
      ApiGatewayRestApiRootResourceId:
        Value:
          Fn::GetAtt:
            - ApiGatewayRestApi
            - RootResourceId 
        Export:
          Name: ${self:custom.stage}-${self:provider.apiName}-ApiGatewayRestApiRootResourceId
      SharedAuthorizerId:
        Value:
          Ref: SharedAuthorizer
        Export:
          Name: ${self:custom.stage}-${self:provider.apiName}-ApiGatewaySharedAuthorizerId
  - Resources:
      SharedAuthorizer:
        Type: AWS::ApiGateway::Authorizer
        Properties:
          Name: public
          AuthorizerUri: !Join 
            - ''
            - - 'arn:aws:apigateway:'
              - !Ref 'AWS::Region'
              - ':lambda:path/2015-03-31/functions/'
              - !GetAtt 
                - AuthorizerLambdaFunction
                - Arn
              - /invocations
          RestApiId: !Ref 'ApiGatewayRestApi'
          Type: REQUEST
          IdentitySource: method.request.header.Authorization
          AuthorizerResultTtlInSeconds: '300'
        DependsOn: AuthorizerLambdaFunction
      ApiAuthLambdaPermission:
        Type: AWS::Lambda::Permission
        Properties:
          Action: lambda:InvokeFunction
          FunctionName: !Ref AuthorizerLambdaFunction
          Principal: apigateway.amazonaws.com
          SourceArn: !Sub "arn:aws:execute-api:#{AWS::Region}:#{AWS::AccountId}:#{ApiGatewayRestApi}/authorizers/*"
        DependsOn: ApiGatewayRestApi

在另一个堆栈中使用授权者 - 请注意,我已在此处指定 IdentitySource 以及在授权者的定义中 - 出于某种原因,我不得不在两个地方都这样做。

authorizer:
  type: CUSTOM
  authorizerId: ${cf:api-base-${self:custom.stage}.SharedAuthorizerId}
  identitySource: method.request.header.Authorization

【讨论】:

  • 请更新此回复以非常清楚地显示您所做的更改,然后将此问题标记为“已关闭”。遇到同样问题的下一个可怜的灵魂会感谢你...
猜你喜欢
  • 2019-06-29
  • 2018-03-24
  • 2017-04-22
  • 1970-01-01
  • 1970-01-01
  • 2016-08-23
  • 1970-01-01
  • 2018-11-19
  • 2016-12-24
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode