[keycloak-user] [keycloak-dev] Question on Node.js adapter - Wrong response code when not logged in, maybe

Luke Holmquist lholmqui at redhat.com
Tue Mar 6 08:32:04 EST 2018


https://issues.jboss.org/browse/KEYCLOAK-6810

On Tue, Mar 6, 2018 at 8:29 AM, Luke Holmquist <lholmqui at redhat.com> wrote:

> thanks guys!! will do
>
> On Tue, Mar 6, 2018 at 8:07 AM, Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
>> +1 please file a Jira for it.
>>
>> On Tue, Mar 6, 2018 at 3:56 AM Sebastien Blanc <sblanc at redhat.com> wrote:
>>
>>> Hi Luke,
>>>
>>> Yes, this looks like a bug: 403 should only be returned if you are already
>>> authorized but you don't have the needed role, for instance. When you are
>>> not authenticated we should just return a 401.
>>> Could you open a ticket for us?
>>>
>>> Sebi
>>>
>>>
>>>
>>> On Tue, Mar 6, 2018 at 3:25 AM, Luke Holmquist <lholmqui at redhat.com>
>>> wrote:
>>>
>>> > Hi,
>>> >
>>> > given this example application
>>> > https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
>>> > endpoint "/api/greeting", it is protected with the basic keycloak-connect
>>> > setup.
>>> > https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/app.js#L49
>>> >
>>> >
>>> > If we run this locally, with "npm start", and just curl that endpoint,
>>> > "curl http://localhost:3000/api/greeting" it will return with a 403.
>>> >
>>> > There was an issue raised that it should be a 401,
>>> > https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
>>> >
>>> > The way this comment makes it sound,
>>> > https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L232
>>> > is that the 403 is correct.
>>> >
>>> >
>>> > If we look at the complementary vert.x and swarm examples,
>>> > https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster
>>> > and
>>> > https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured
>>> >
>>> >
>>> > a similar curl will result in a 401 when not logged in.
>>> >
>>> >
>>> > I'm just wondering if that 403 the node adapter returns is correct and if so,
>>> > why does it differ from the other runtimes.
>>> >
>>> >
>>> > -Luke
>>> > _______________________________________________
>>> > keycloak-dev mailing list
>>> > keycloak-dev at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> >
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>

