+1 please file a Jira for it.
On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc <sblanc(a)redhat.com> wrote:
Hi Luke,
Yes, this looks like a bug. 403 should only be returned if you are already
authorized but you don't have the needed role, for instance. When you are
not authenticated we should just return a 401.
Could you open a ticket for us?
Sebi
On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui(a)redhat.com> wrote:
> Hi,
>
> given this example application
> https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
> endpoint "/api/greeting", it is protected with the basic keycloak-connect
> setup.
>
> https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/app.js#L49
>
>
> If we run this locally, with "npm start", and just curl that endpoint,
> "curl http://localhost:3000/api/greeting" it will return with a 403.
>
> There was an issue raised that it should be a 401,
> https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
>
> The way this comment makes it sound,
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L232
> is that the 403 is correct
>
>
> If we look at the complementary vert.x and swarm examples,
> https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster
> and
> https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured
>
>
> a similar curl will result in a 401 when not logged in.
>
>
> I'm just wondering if that 403 the node adapter is correct and if so, why
> does it differ from the other runtimes
>
>
> -Luke
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
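
The 401/403 distinction discussed in this thread, as an added example that is not part of the original messages and is not keycloak-connect code. `decideStatus`, `makeToken`, the realm name `example` and the sample claims are hypothetical; token signature verification is deliberately left out, and a real adapter must do it before trusting any claim.

```javascript
// Added illustration; decideStatus/makeToken are hypothetical helpers,
// not keycloak-connect API. Signature verification is intentionally omitted:
// a real adapter must verify the token before trusting any claim.

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (err) {
    return null; // not valid base64url-encoded JSON
  }
}

// headers: lower-cased request headers (as Node's http module provides them).
function decideStatus(headers, requiredRole, nowSeconds) {
  const challenge = (error) => ({
    status: 401,
    headers: {
      'WWW-Authenticate': 'Bearer realm="example"' + (error ? `, error="${error}"` : ''),
    },
  });
  const match = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  if (!match) return challenge(); // no bearer credentials: not authenticated
  const claims = decodePayload(match[1]);
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return challenge('invalid_token'); // RFC 6750: bad or expired token is still 401
  }
  // realm_access.roles is where Keycloak access tokens carry realm roles.
  const roles = (claims.realm_access && claims.realm_access.roles) || [];
  if (!roles.includes(requiredRole)) {
    return { status: 403, headers: {} }; // authenticated, but role is missing
  }
  return { status: 200, headers: {} };
}

// Constructed sample token (placeholder signature, never verified here).
function makeToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
```

A plain `curl` with no `Authorization` header, as in the report above, takes the first branch and gets the 401 challenge.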