[keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe

Sebastien Blanc sblanc at redhat.com
Tue Mar 6 01:55:10 EST 2018


Hi Luke,

Yes this looks like a bug, 403 should only be returned if you are already
authorized but you don't have the needed role for instance. When you are
not authenticated we should just return a 401.
Could you open a ticket for us ?

Sebi



On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui at redhat.com> wrote:

> Hi,
>
> given this example application
> https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
> endpoint "/api/greeting", it is protected with the basic keycloak-connect
> setup.
> https://github.com/bucharest-gold/nodejs-rest-http-secured/
> blob/master/app.js#L49
>
>
> If we run this locally, with "npm start", and just curl that endpoint,
> "curl http://localhost:3000/api/greeting" it will return with a 403.
>
> There was an issue raised that it should be a 401,
> https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
>
> The way this comment makes it sound,
> https://github.com/keycloak/keycloak-nodejs-connect/blob/
> master/index.js#L232
> is
> that the 403 is correct
>
>
> If we look at the complimentary vert.x and swarm examples,
> https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster
> and
>
> https://github.com/wildfly-swarm-openshiftio-boosters/
> wfswarm-rest-http-secured
>
>
> a similar curl will result in a 401 when not logged in.
>
>
> I'm just wondering if that 403 the node adapter is correct and if so, why
> does it differ from the other runtimes
>
>
> -Luke
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>


More information about the keycloak-dev mailing list