Incorrect failure mechanism from aws-python-auth0-custom-authorizers-api #305

Open
edeca opened this issue Oct 9, 2018 · 0 comments
edeca commented Oct 9, 2018

I used the aws-python-auth0-custom-authorizers-api example as the basis for a lambda function.

The AWS documentation says this about the expected return from an authorizer:

A Lambda authorizer function's output must include the principal identifier (principalId) and a policy document (policyDocument) containing a list of policy statements.

In the AWS example Python authorizer it details how to handle failure:

you can send a 401 Unauthorized response to the client by failing like so:
raise Exception('Unauthorized')

In a few places the example returns create_401_response(), which returns status_code, headers and body.

When debugging my custom code this seems to cause an AuthorizerConfigurationException, as seen in the HTTP response headers:

x-amzn-errortype: AuthorizerConfigurationException
x-cache: Error from cloudfront

Using the API Gateway authorizer tester I get a few more debugging messages:

Mon Oct 08 21:43:07 UTC 2018 : Execution failed due to configuration error: Invalid JSON in response: {"statusCode": 401, "headers": {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": true}, "body": "\"Unauthorized\""}
Mon Oct 08 21:43:07 UTC 2018 : AuthorizerConfigurationException

So I think the options should be:

  • For invalid authentication, raise Exception('Unauthorized')
  • For valid users with no access (e.g. RBAC), return generate_policy(None, 'Deny', event['methodArn'])
  • For valid users with permissions, return an allow policy.
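The three outcomes listed above, written out as a Lambda TOKEN authorizer in the shape API Gateway accepts. This is an added example, not code from the serverless/examples repository or from AWS; `verify_token`, the `_FAKE_TOKENS` table, the `read:items`/`write:items` permission scheme and the sample `methodArn` are constructed stand-ins for a real Auth0 JWT check and a real API. `gateway_status` approximates how API Gateway maps each outcome to an HTTP status, including the configuration error the issue reports when the authorizer returns a `statusCode`/`body` object instead of a policy.

```python
"""Lambda authorizer that always returns principalId + policyDocument.

Added example, not the serverless/examples or AWS sample code. Token verification
is a constructed stub standing in for a real Auth0 JWT/JWKS check; the token
table, the permission scheme and the methodArn are constructed test data.
"""

import re

# Constructed: the methodArn API Gateway passes to the authorizer.
# Shape: arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<HTTP-VERB>/<resource-path>
SAMPLE_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/items"

# Constructed stand-in for verifying an Auth0-issued JWT against the tenant's JWKS.
# Maps a bearer token to (principalId, granted permissions). Not a real token store.
_FAKE_TOKENS = {
    "token-admin": ("auth0|admin", {"read:items", "write:items"}),
    "token-reader": ("auth0|reader", {"read:items"}),
}


def verify_token(token):
    """Return (principal_id, permissions) for a valid token, else None."""
    return _FAKE_TOKENS.get(token)


def generate_policy(principal_id, effect, resource):
    """The only output shape API Gateway accepts: principalId plus an IAM policyDocument."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
    }


_ARN_RE = re.compile(r"^arn:aws:execute-api:[^:]+:[^:]+:[^/]+/[^/]+/([A-Z]+)/")


def required_permission(method_arn):
    """Map the HTTP verb embedded in the methodArn to a permission (assumed RBAC scheme)."""
    m = _ARN_RE.match(method_arn)
    if not m:
        raise ValueError("unrecognised methodArn: %s" % method_arn)
    return "read:items" if m.group(1) in ("GET", "HEAD") else "write:items"


def handler(event, context):
    """Lambda entry point for a TOKEN authorizer."""
    raw = event.get("authorizationToken") or ""
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else None
    identity = verify_token(token) if token else None
    if identity is None:
        # Missing or invalid credentials: this exact message makes API Gateway answer 401.
        raise Exception("Unauthorized")
    principal_id, permissions = identity
    if required_permission(event["methodArn"]) not in permissions:
        # Authenticated but not authorised: an explicit Deny yields 403.
        return generate_policy(principal_id, "Deny", event["methodArn"])
    return generate_policy(principal_id, "Allow", event["methodArn"])


def is_valid_authorizer_output(resp):
    """Pre-deploy check for the required fields; a statusCode/headers/body object fails it."""
    if not isinstance(resp, dict) or "principalId" not in resp:
        return False
    doc = resp.get("policyDocument")
    return isinstance(doc, dict) and isinstance(doc.get("Statement"), list) and len(doc["Statement"]) > 0


def gateway_status(event):
    """Approximate how API Gateway turns the authorizer's outcome into an HTTP status."""
    try:
        resp = handler(event, None)
    except Exception as exc:
        return 401 if str(exc) == "Unauthorized" else 500
    if not is_valid_authorizer_output(resp):
        return 500  # AuthorizerConfigurationException, as seen in the issue
    effect = resp["policyDocument"]["Statement"][0]["Effect"]
    return 200 if effect == "Allow" else 403


if __name__ == "__main__":
    for tok, verb in (("token-admin", "POST"), ("token-reader", "POST"),
                      ("token-reader", "GET"), ("bogus", "GET")):
        arn = SAMPLE_METHOD_ARN.replace("/GET/", "/%s/" % verb)
        print(tok, verb, gateway_status({"authorizationToken": "Bearer " + tok, "methodArn": arn}))
```

The Deny branch keeps `principalId` populated rather than passing `None`, since the AWS documentation quoted above lists the principal identifier as a required part of the output; the rest of the structure is identical for Allow and Deny, so the same `generate_policy` helper serves both.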