API Gateway Custom Authorizer: Control error message and code

In case it helps someone:

CA = custom authorizer

• error code: AWS doesn't fully allow a CA implementation to dictate the error code sent back to caller.
  • If the CA returns an Auth Policy which does not have resource/method that was invoked in one of the statements with action Allow, then user gets a 403 with something like "Not authorized to access resource"
  • If the CA returns an Auth Policy which has statements with action Deny that contains resource/method that was invoked, then user gets a 403 with something like "access denied explicitly with a Deny"
  • If the Exception raised by CA has message "Unauthorized" then user gets 401 with message "Unauthorized".
  • If CA throws an exception with any other message then user gets HTTP-500 internal server error (Authorizer Configuration Error) and call is rejected/not-authorized.
• error message: Only static control is allowed via Body Mapping Template in Gateway Responses.
  • E.g. you can update the Body Mapping Template for "Unauthorized [401]" in "Gateway Responses" to say "My service doesn't like you for some unknown reason" and then whenever CA throws "Unauthorized" exception the end user gets HTTP 401 with "My service doesn't like you for some unknown reason".
  • Similarly you can also update "Access Denied [403]" or "Authorizer Configuration Error [500]". But the message is static and can not be controlled from CA implementation.
  • It is NOT possible to have different 401 messages like:
  • 401: Unauthorized due to expired token.
  • 401: Unauthorized due to missing scope.

Other unrelated thing: Because the CA throws an exception in certain conditions to convey auth failure, from a metric point of view this increments the Lambda ErrorCount metric. So that metric isn't reliable to identify "application errors".