I have a SAM template that defines the following API:
MyApi:
  Type: AWS::Serverless::HttpApi
  Properties:
    FailOnWarnings: true # <--- it succeeds without this
    Auth:
      Authorizers:
        AppleSignIn:
          JwtConfiguration:
            audience:
              - com.domain.MyApp
            issuer: "https://appleid.apple.com"
          IdentitySource: "$request.header.Authorization"
When I run this with FailOnWarnings:true, I get this warning (which is treated as an error):
Resource handler returned message: Warnings found during import: Unable to create Authorizer 'AppleSignIn': Caught exception when connecting to https://appleid.apple.com/.well-known/openid-configuration for issuer https://appleid.apple.com. Please try again later. Error: Invalid issuer: https://appleid.apple.com. Issuer must have a valid discovery endpoint ended with '/.well-known/openid-configuration'. Ignoring.
(Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: 409removed8b6; Proxy: null) (Service: null; Status Code: 404; Error Code: BadRequestException; Request ID: null; Proxy: null) (RequestToken: 43fremoved3b9, HandlerErrorCode: GeneralServiceException)
However, as far as I can tell, https://appleid.apple.com/.well-known/openid-configuration is available and valid, so I'm not sure why it would fail with 400 or 404. If I remove FailOnWarnings, it can deploy and the authorizer works, but I prefer to keep it strict.
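The two things API Gateway's JWT authorizer needs from an issuer at import time are that `<issuer>/.well-known/openid-configuration` is reachable and that the document it returns names that same issuer and a `jwks_uri`. The script below is an added example written for this question, not code from the original post or from AWS; it checks a discovery document offline against a configured issuer string, so you can see whether the template value and the document agree (an exact string match is required, so a trailing slash or `http` vs `https` counts as a mismatch) before blaming the deployment. The issuer `https://idp.example.test` and the sample documents are constructed for the demo and are not any provider's real response; `fetch_and_check` is the only part that touches the network.

```python
"""Offline check of an OIDC discovery document against a configured issuer.

Added example for the SAM JwtConfiguration question; not from the original
post. Encodes the rules from OpenID Connect Discovery 1.0 that a JWT
authorizer relies on: the document lives at
<issuer>/.well-known/openid-configuration, its "issuer" member must equal the
configured issuer exactly, and it must advertise a jwks_uri for key lookup.
"""
import json
from typing import List
from urllib.parse import urlsplit


def discovery_url(issuer: str) -> str:
    """Build the discovery URL from the issuer (Discovery 1.0, section 4.1).

    One trailing slash is tolerated so 'https://x' and 'https://x/' produce the
    same URL instead of 'https://x//.well-known/...'.
    """
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(configured_issuer: str, body: str) -> List[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems: List[str] = []

    parts = urlsplit(configured_issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"issuer must be an absolute https URL, got {configured_issuer!r}")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query string or fragment")

    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        problems.append(f"discovery document is not valid JSON: {exc.msg}")
        return problems
    if not isinstance(doc, dict):
        problems.append("discovery document is not a JSON object")
        return problems

    # The issuer member must be identical to the value used to fetch the
    # document; a trailing slash or a scheme difference is a mismatch.
    issuer = doc.get("issuer")
    if issuer is None:
        problems.append("discovery document has no 'issuer' member")
    elif issuer != configured_issuer:
        problems.append(
            f"issuer mismatch: document says {issuer!r}, template says {configured_issuer!r}"
        )

    # Token signatures cannot be verified without the signing keys.
    jwks_uri = doc.get("jwks_uri")
    if not isinstance(jwks_uri, str) or not jwks_uri.startswith("https://"):
        problems.append("discovery document has no https 'jwks_uri'")

    return problems


def fetch_and_check(issuer: str, timeout: float = 5.0) -> List[str]:
    """Fetch the live document and check it. Needs network; not run in the demo."""
    from urllib.request import urlopen  # local import keeps the offline path network-free

    url = discovery_url(issuer)
    with urlopen(url, timeout=timeout) as resp:
        if resp.status != 200:
            return [f"HTTP {resp.status} from {url}"]
        return check_discovery_document(issuer, resp.read().decode("utf-8"))


# Constructed sample data (hypothetical issuer, not any real provider's response).
TEMPLATE_ISSUER = "https://idp.example.test"

GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "jwks_uri": "https://idp.example.test/keys",
    "authorization_endpoint": "https://idp.example.test/authorize",
})
# Same provider, but the document spells the issuer with a trailing slash.
SLASH_DOC = json.dumps({
    "issuer": "https://idp.example.test/",
    "jwks_uri": "https://idp.example.test/keys",
})
# Issuer matches, but no key set is advertised.
NO_JWKS_DOC = json.dumps({"issuer": "https://idp.example.test"})


if __name__ == "__main__":
    for label, body in (("good", GOOD_DOC), ("trailing slash", SLASH_DOC), ("no jwks", NO_JWKS_DOC)):
        print(f"{label}: {check_discovery_document(TEMPLATE_ISSUER, body) or 'ok'}")
    print("discovery URL:", discovery_url(TEMPLATE_ISSUER))
```

To test the template's real issuer, call `fetch_and_check("https://appleid.apple.com")` from a machine with outbound HTTPS and compare the result with what the template says; a non-empty list tells you which rule the live document fails, while an empty list with the deployment still warning points at reachability from the CloudFormation side rather than at the document itself.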