Hi Luke,
Yes this looks like a bug, 403 should only be returned if you are already
authorized but you don't have the needed role for instance. When you are
not authenticated we should just return a 401.
Could you open a ticket for us ?
Sebi
On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui(a)redhat.com> wrote:
Hi,
given this example application
https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
endpoint "/api/greeting", it is protected with the basic keycloak-connect
setup.
https://github.com/bucharest-gold/nodejs-rest-http-secured/
blob/master/app.js#L49
If we run this locally, with "npm start", and just curl that endpoint,
"curl
http://localhost:3000/api/greeting" it will return with a 403.
There was an issue raised that it should be a 401,
https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
The way this comment makes it sound,
https://github.com/keycloak/keycloak-nodejs-connect/blob/
master/index.js#L232
is
that the 403 is correct
If we look at the complimentary vert.x and swarm examples,
https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster
and
https://github.com/wildfly-swarm-openshiftio-boosters/
wfswarm-rest-http-secured
a similar curl will result in a 401 when not logged in.
I'm just wondering if that 403 the node adapter is correct and if so, why
does it differ from the other runtimes
-Luke
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev