[keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe

Bruno Oliveira bruno at abstractj.org
Tue Mar 6 08:07:25 EST 2018


+1 please file a Jira for it.

On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc <sblanc at redhat.com> wrote:

> Hi Luke,
>
> Yes this looks like a bug, 403 should only be returned if you are already
> authorized but you don't have the needed role for instance. When you are
> not authenticated we should just return a 401.
> Could you open a ticket for us?
>
> Sebi
>
>
>
> On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui at redhat.com>
> wrote:
>
> > Hi,
> >
> > given this example application
> > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
> > endpoint "/api/greeting", it is protected with the basic keycloak-connect
> > setup.
> > https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/app.js#L49
> >
> >
> > If we run this locally, with "npm start", and just curl that endpoint,
> > "curl http://localhost:3000/api/greeting" it will return with a 403.
> >
> > There was an issue raised that it should be a 401,
> > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
> >
> > The way this comment makes it sound,
> > https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L232
> > is that the 403 is correct
> >
> >
> > If we look at the complementary vert.x and swarm examples,
> > https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster
> > and
> > https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured
> >
> >
> > a similar curl will result in a 401 when not logged in.
> >
> >
> > I'm just wondering if that 403 from the node adapter is correct and, if so, why
> > it differs from the other runtimes
> >
> >
> > -Luke
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
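
The 401-versus-403 rule described in Sebastien's reply, as an added example that is not part of the thread and is not keycloak-connect's code: an Express-style middleware that answers 401 with a `WWW-Authenticate` challenge when the caller is not authenticated and 403 only when an authenticated caller lacks the required role. The names `protect`, `authenticate` and `check`, the `SESSIONS` table and the `demo` realm are hypothetical; the table is constructed sample data standing in for real token validation.

```javascript
// Constructed sample data standing in for real token validation.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', roles: ['user'], expires: Infinity }],
  ['tok-bob', { user: 'bob', roles: ['user', 'admin'], expires: Infinity }],
  ['tok-old', { user: 'carol', roles: ['admin'], expires: 0 }], // expired
]);

// Hypothetical helper: returns the identity behind a bearer token, or null.
function authenticate(header, now = Date.now()) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(header || '');
  if (!m) return null;
  const session = SESSIONS.get(m[1]);
  return session && session.expires > now ? session : null;
}

// Express-style middleware factory with the (req, res, next) signature.
function protect(requiredRole) {
  return function (req, res, next) {
    const header = req.headers.authorization;
    const identity = authenticate(header);
    if (!identity) {
      // Not authenticated: 401 plus a challenge saying how to authenticate.
      // A credential that was sent but rejected is flagged as invalid_token.
      const challenge = header
        ? 'Bearer realm="demo", error="invalid_token"'
        : 'Bearer realm="demo"';
      res.setHeader('WWW-Authenticate', challenge);
      res.statusCode = 401;
      return res.end('Unauthorized');
    }
    if (requiredRole && !identity.roles.includes(requiredRole)) {
      // Authenticated but missing the role: 403, logging in again will not help.
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    req.identity = identity;
    return next();
  };
}

// Driver with mock req/res objects so the decision can be checked without a server.
function check(authorization, requiredRole) {
  const req = { headers: authorization ? { authorization } : {} };
  const res = { headers: {}, statusCode: 200, setHeader(k, v) { this.headers[k] = v; }, end() {} };
  let passed = false;
  protect(requiredRole)(req, res, () => { passed = true; });
  return { status: res.statusCode, challenge: res.headers['WWW-Authenticate'], passed };
}
```

`check(undefined, 'admin')` corresponds to the bare `curl` request in the thread: no credentials at all, so the expected answer is 401.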
