Clarity on identitySource and authorization header in authorizers #1766

Open
jonlinkens opened this issue Feb 29, 2024 · 0 comments
jonlinkens commented Feb 29, 2024

I'm upgrading from v8.4.0 to 13.3.3 and have started running into this error:

✖ Identity Source is null for header authorization (λ: authorizer)

My config looks something like this:

custom:
  authorizers:
    myAuthorizer:
      name: myAuthorizer
      type: 'request'
      resultTtlInSeconds: 600
      identitySource: method.request.header.access-key

Looking through the source code, this error originates from here:

let finalAuthorization
if (identitySourceType !== IDENTITY_SOURCE_TYPE_NONE) {
  if (authorization === undefined) {
    log.error(
      `Identity Source is null for ${identitySourceType} ${identitySourceField} (λ: ${authFunName})`,
    )

Looking further up in the file, it seems that the header name is enforced as authorization. I'm using a JWT header that is named something else and can't be easily changed, so this is problematic. What's the reasoning behind enforcing this? If it's to comply with standards it might be nice to allow people to bail out for the sake of backwards compatibility.

It also seems like the identitySource config is ignored here - am I misunderstanding its usage?

As a workaround, if I set an authorization header with any string value, everything works fine - but I would prefer to avoid this.

Previously in v8.4.0 this wasn't a problem, because this header check would only happen if the type wasn't request:

} else {
  const authorization = req.headers[identityHeader]

Appreciate any help here, thanks! 😄
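
An added example, not part of the original issue and not serverless-offline's own code: one way a request-type authorizer check could resolve the configured `identitySource` (such as `method.request.header.access-key` above) against the incoming request and fail closed only when that configured source is absent, rather than testing a fixed `authorization` header. The helper names `parseIdentitySource` and `resolveIdentity`, the request shape, and the sample values are assumptions; only header and querystring expressions are handled.

```javascript
// Hypothetical helpers for illustration; not the project's implementation.
const HEADER_PREFIX = 'method.request.header.'
const QUERY_PREFIX = 'method.request.querystring.'

// Split a comma-separated identitySource string into { type, field } entries.
// An empty or missing identitySource yields no required sources.
function parseIdentitySource(identitySource) {
  if (!identitySource) return []
  return identitySource.split(',').map((raw) => {
    const expr = raw.trim()
    if (expr.startsWith(HEADER_PREFIX)) {
      // HTTP header names are case-insensitive, so normalise to lower case.
      return { type: 'header', field: expr.slice(HEADER_PREFIX.length).toLowerCase() }
    }
    if (expr.startsWith(QUERY_PREFIX)) {
      return { type: 'querystring', field: expr.slice(QUERY_PREFIX.length) }
    }
    throw new Error(`Unsupported identitySource expression: ${expr}`)
  })
}

// Look up every configured identity source in the request.
// Returns { ok, values, missing }; a caller would reject the request
// (without invoking the authorizer function) when ok is false.
function resolveIdentity(identitySource, request) {
  const headers = Object.fromEntries(
    Object.entries(request.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  )
  const query = request.query || {}
  const values = {}
  const missing = []
  for (const { type, field } of parseIdentitySource(identitySource)) {
    const value = type === 'header' ? headers[field] : query[field]
    if (value === undefined || value === '') missing.push(`${type} ${field}`)
    else values[`${type}:${field}`] = value
  }
  return { ok: missing.length === 0, values, missing }
}

// Constructed sample request: carries access-key but no authorization header.
const sampleRequest = {
  headers: { 'Access-Key': 'constructed-token-value' },
  query: { tenant: 't1' },
}
```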
