AWS SAM API gateway with CORS and DefaultAuthorizer is authorizing OPTIONS requests

Question

I have an API gateway with CORS and a default authorizer, but obviously I don't want my options requests to be authorized. Luckily AWS made the attribute "AddDefaultAuthorizerToCorsPreflight" which when set to "false" should make sure that the default authorizer is not added to the generated options endpoints, the problem is that it doesn't seem to work... Here's a simplified version of my template:

Resources:
    myApiGateway:
        Type: AWS::Serverless::Api
        Properties:
            StageName: Staging
            Cors:
                AllowMethods: "'*'"
                AllowHeaders: "'*'"
                AllowOrigin: "'*'"
            Auth:
                Authorizers:
                    aadAuthorizer:
                        FunctionPayloadType: TOKEN
                        FunctionArn:
                            Fn::GetAtt:
                                - authorizerFunctionV1
                                - Arn
                DefaultAuthorizer: aadAuthorizer
                AddDefaultAuthorizerToCorsPreflight: false

I have fiddled a lot around with the template and tried to move some of the settings to Globals, but no matter what I do the result is the same.

The authorizer is applied to all my endpoints including the OPTIONS endpoints, so the browser gets a 401 when making preflight requests.

I have seen a lot of examples around 2019/2020 of people claiming that setting AddDefaultAuthorizerToCorsPreflight to false should work, but it doesn't. I'm starting to think that it's a regression.

AWS SAM API gateway with CORS and DefaultAuthorizer is authorizing OPTIONS requests

Answers (1)

Related Questions