Hi Luke, Yes this looks like a bug, 403 should only be returned if you are already authorized but you don't have the needed role for instance. When you are not authenticated we should just return a 401. Could you open a ticket for us ? Sebi On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui(a)redhat.com&gt; wrote: > Hi, > > given this example application > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1 > endpoint "/api/greeting", it is protected with the basic keycloak-connect > setup. > https://github.com/bucharest-gold/nodejs-rest-http-secured/ > blob/master/app.js#L49 > > > If we run this locally, with "npm start", and just curl that endpoint, > "curl http://localhost:3000/api/greeting" it will return with a 403. > > There was an issue raised that it should be a 401, > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 > > The way this comment makes it sound, > https://github.com/keycloak/keycloak-nodejs-connect/blob/ > master/index.js#L232 > is > that the 403 is correct > > > If we look at the complimentary vert.x and swarm examples, > https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster > and > > https://github.com/wildfly-swarm-openshiftio-boosters/ > wfswarm-rest-http-secured > > > a similar curl will result in a 401 when not logged in. > > > I'm just wondering if that 403 the node adapter is correct and if so, why > does it differ from the other runtimes > > > -Luke > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

thanks guys!!, will do On Tue, Mar 6, 2018 at 8:07 AM, Bruno Oliveira <bruno(a)abstractj.org&gt; wrote: > +1 please file a Jira for it. > > On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc <sblanc(a)redhat.com&gt; wrote: > >> Hi Luke, >> >> Yes this looks like a bug, 403 should only be returned if you are already >> authorized but you don't have the needed role for instance. When you are >> not authenticated we should just return a 401. >> Could you open a ticket for us ? >> >> Sebi >> >> >> >> On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui(a)redhat.com&gt; >> wrote: >> >> > Hi, >> > >> > given this example application >> > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is >> 1 >> > endpoint "/api/greeting", it is protected with the basic >> keycloak-connect >> > setup. >> > https://github.com/bucharest-gold/nodejs-rest-http-secured/ >> > blob/master/app.js#L49 >> > >> > >> > If we run this locally, with "npm start", and just curl that endpoint, >> > "curl http://localhost:3000/api/greeting" it will return with a 403. >> > >> > There was an issue raised that it should be a 401, >> > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52 >> > >> > The way this comment makes it sound, >> > https://github.com/keycloak/keycloak-nodejs-connect/blob/ >> > master/index.js#L232 >> > is >> > that the 403 is correct >> > >> > >> > If we look at the complimentary vert.x and swarm examples, >> > https://github.com/openshiftio-vertx-boosters/vertx-secured- >> http-booster >> > and >> > >> > https://github.com/wildfly-swarm-openshiftio-boosters/ >> > wfswarm-rest-http-secured >> > >> > >> > a similar curl will result in a 401 when not logged in. >> > >> > >> > I'm just wondering if that 403 the node adapter is correct and if so, >> why >> > does it differ from the other runtimes >> > >> > >> > -Luke >> > _______________________________________________ >> > keycloak-dev mailing list >> > keycloak-dev(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >