Why is authentication working locally but not when deployed to lambda in a container?

[Mike-Gilge]

I have an AWS Lambda function running a .net web api. I have JWT auth working via Cognito locally but when its deployed as a container to AWS its returning a 200 response and the correct content for secured endpoints even with no token passed in. I have tried all the things I can think of and im at a loss. What do folks know or suggest about this? here is my Dockerfile for good measure:

# Build Stage
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src

# Step 1: Copy the project file and restore dependencies
COPY CloudWayfinder.CloudWayfinderApi.csproj ./
RUN echo "Step 1: Restoring dependencies..." \
    && ls -la /src \
    && dotnet restore "CloudWayfinder.CloudWayfinderApi.csproj"

# Step 2: Copy the rest of the application and build
COPY . ./
RUN echo "Step 2: Building application..." \
    && dotnet build "CloudWayfinder.CloudWayfinderApi.csproj" --configuration Release --output /app/build

# Publish Stage
FROM build AS publish
RUN echo "Step 3: Publishing application..." \
    && dotnet publish "CloudWayfinder.CloudWayfinderApi.csproj" \
        --configuration Release \
        --runtime linux-x64 \
        --self-contained false \
        --output /app/publish \
        -p:PublishReadyToRun=true || (echo "dotnet publish failed!" && exit 1)

# Runtime Stage
FROM public.ecr.aws/lambda/dotnet:8 AS final
WORKDIR /var/task

# Copy published files to /var/task
COPY --from=publish /app/publish .

# Debug: Check runtime directory
RUN echo "Step 4: Checking runtime directory..." && ls -la /var/task

# Specify the Lambda handler
CMD ["CloudWayfinder.CloudWayfinderApi::CloudWayfinder.CloudWayfinderApi.LambdaEntryPoint::FunctionHandlerAsync"]

[Mike-Gilge]

This is my local entry point:

public class LocalEntryPoint
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });
}

This is my lambda entry point:

public class LambdaEntryPoint : APIGatewayHttpApiV2ProxyFunction
{
    protected override void Init(IWebHostBuilder builder)
    {
        builder
            .UseStartup<Startup>();
    }
}

[Mike-Gilge]

So anyone else who runs into this issue... I am using an API Gateway authorizer to lock down the API Gateway to only accept requests from cloud front (because im using an HttpApi and wanted a WAF as well). Turns out when you do that the APIGatewayHttpApiV2ProxyFunction class overwrites existing authorization. I was able to fix this by overriding the FunctionHandlerAsync and setting the authorizer to null on the incoming request.