[keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route

Sebastien Blanc sblanc at redhat.com
Fri May 3 05:30:45 EDT 2019


Yah, this is a known bug https://issues.jboss.org/browse/KEYCLOAK-6810 , it
needs to be planned and fixed, I will follow up.

On Fri, May 3, 2019 at 11:24 AM Radovan Kuka <kuka.radovan at gmail.com> wrote:

> I looked at the code, and when bearerOnly is set to true, it will send a
> 403 status code, not a 401, in the case of an unauthorized user.
>
> R.
>
> On 3 May 2019, at 09:51, Sebastien Blanc <sblanc at redhat.com> wrote:
>
> Hi,
>
> If you are using your node app just to expose APIs that your SPA will
> consume, you should flag your node app as "bearer-only" (in the keycloak
> config). This will return a 401 if your user is not authenticated (and not
> attempt the 302 redirect).
> This also means that your SPA must obtain the token by using the Keycloak
> JavaScript library.
>
> Sebi
>
>
> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan at gmail.com>
> wrote:
>
>> Hello all,
>> I am new to keycloak and I tried to use keycloak-connect to protect
>> routes on my server. From my SPA, I make a fetch call to the server route
>> that uses the protect middleware. In the case of an unauthenticated user,
>> keycloak-connect returns a redirect to the login page (302 with Location header).
>> The problem is that the original request was a fetch, and the 302 causes the
>> browser to make a GET request for the keycloak login page. This will not cause a full
>> browser redirect to that login page. Wouldn't it be better to send 401
>> Unauthorized and let the browser handle the redirect itself? Or am I doing
>> something wrong?
>>
>> This is related part in my code.
>>
>> const express = require('express');
>> const Keycloak = require('keycloak-connect');
>>
>> const app = express();
>>
>> // `application` holds the Keycloak server URL, client id and realm (defined elsewhere)
>> const keycloakConfig = {
>>   authServerUrl: application.SERVER_URL,
>>   clientId: application.CLIENT_ID,
>>   realm: application.REALM,
>>   public: true
>> };
>>
>> // Store the adapter state in cookies instead of a server-side session
>> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>>
>> app.use(
>>   keycloak.middleware({
>>     logout: '/logout'
>>   })
>> );
>>
>> // Use routes: `api` is the router for the API endpoints (defined elsewhere)
>> app.use('/api/v1/', keycloak.protect(), api);
>>
>>
>> Thank you for any help.
>> Radovan
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
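The behaviour discussed in this thread, as an added example that is not part of the original messages and not keycloak-connect's own code: a minimal model of a `protect()` middleware that answers an unauthenticated request with a 302 redirect when the adapter is interactive, and with a 401 plus a `WWW-Authenticate` challenge when it is configured as bearer-only, which is the response the SPA can act on (the 403 Radovan observed is the bug tracked above). The login URL, the `valid-token` check and the mock request/response objects are all constructed for this example.

```javascript
'use strict';

// Placeholder login endpoint; a real adapter builds this from realm and client settings.
const LOGIN_URL = 'https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth';

// Stand-in for real token validation: only the constructed token "valid-token" is accepted.
function hasValidBearer(req) {
  const auth = req.headers['authorization'] || '';
  const [scheme, token] = auth.split(' ');
  return scheme === 'Bearer' && token === 'valid-token';
}

// Model of protect(): decide how to answer when no valid bearer token is present.
function protect({ bearerOnly }) {
  return function (req, res, next) {
    if (hasValidBearer(req)) return next();
    if (bearerOnly) {
      // API-style adapter: challenge with 401 + WWW-Authenticate (RFC 6750);
      // the SPA must obtain a token itself, e.g. with the Keycloak JS library.
      res.setHeader('WWW-Authenticate', 'Bearer realm="demo"');
      res.status(401).end();
      return;
    }
    // Interactive adapter: navigate the browser to the login page.
    // A fetch() caller follows this 302 silently and never gets a visible redirect.
    res.setHeader('Location', LOGIN_URL);
    res.status(302).end();
  };
}

// Mock Express-like request and response so the middleware runs offline.
function mockReq(headers = {}) {
  return { headers };
}

function mockRes() {
  const res = { statusCode: 200, headers: {}, ended: false };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.end = () => { res.ended = true; };
  return res;
}

// Run one request through protect() and report what the client would see.
function handle(options, headers) {
  const req = mockReq(headers);
  const res = mockRes();
  let reachedRoute = false;
  protect(options)(req, res, () => { reachedRoute = true; });
  return {
    status: reachedRoute ? 200 : res.statusCode,
    headers: res.headers,
    reachedRoute,
  };
}

// Usage: compare the two adapter modes for an unauthenticated fetch.
console.log('interactive :', handle({ bearerOnly: false }, {}));
console.log('bearer-only :', handle({ bearerOnly: true }, {}));
console.log('with token  :', handle({ bearerOnly: true }, { authorization: 'Bearer valid-token' }));
```

The decision in `protect()` is the whole point of the thread: a 302 is only useful when a browser navigation made the request, while an XHR/fetch client needs a 401 so the SPA can start the login flow itself.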

