[keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe

Luke Holmquist lholmqui at redhat.com
Tue Mar 6 08:29:59 EST 2018


thanks guys!!,  will do

On Tue, Mar 6, 2018 at 8:07 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> +1 please file a Jira for it.
>
> On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc <sblanc at redhat.com> wrote:
>
>> Hi Luke,
>>
>> Yes this looks like a bug, 403 should only be returned if you are already
>> authorized but you don't have the needed role for instance. When you are
>> not authenticated we should just return a 401.
>> Could you open a ticket for us ?
>>
>> Sebi
>>
>>
>>
>> On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui at redhat.com>
>> wrote:
>>
>> > Hi,
>> >
>> > given this example application
>> > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
>> > endpoint "/api/greeting", it is protected with the basic
>> keycloak-connect
>> > setup.
>> > https://github.com/bucharest-gold/nodejs-rest-http-secured/
>> > blob/master/app.js#L49
>> >
>> >
>> > If we run this locally, with "npm start", and just curl that endpoint,
>> > "curl http://localhost:3000/api/greeting" it will return with a 403.
>> >
>> > There was an issue raised that it should be a 401,
>> > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
>> >
>> > The way this comment makes it sound,
>> > https://github.com/keycloak/keycloak-nodejs-connect/blob/
>> > master/index.js#L232
>> > is
>> > that the 403 is correct
>> >
>> >
>> > If we look at the complimentary vert.x and swarm examples,
>> > https://github.com/openshiftio-vertx-boosters/
>> vertx-secured-http-booster
>> > and
>> >
>> > https://github.com/wildfly-swarm-openshiftio-boosters/
>> > wfswarm-rest-http-secured
>> >
>> >
>> > a similar curl will result in a 401 when not logged in.
>> >
>> >
>> > I'm just wondering if that 403 the node adapter is correct and if so,
>> why
>> > does it differ from the other runtimes
>> >
>> >
>> > -Luke
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>


More information about the keycloak-user mailing list