OIDC Error Handling for invalid & expired tokens #5019
Comments
By the way: when making a request without access token, quarkus responds with HTTP 401 Not authorized
@xfh Can you please try
Ah nice, a new release. I'll try directly.
Now I get HTTP 403 and no error message in the log. I think it used to be 401 before, but I don't really care which one. Looks good to me.
Thanks for looking at this. @sberyozkin another thing to consider in the guides, right?
@xfh re the empty log, please watch this issue.
@pedroigor I was actually going to ask you about the statuses :-), as I thought 403 was only for the permissions related failure. I guess 401 and 403 are just used interchangeably by various OIDC adapters. If you think it is worth documenting 401 vs 403 now then sure, please, or we can wait a bit, thanks
Added a test for this scenario. See #5038.
@pedroigor cool, thanks; 403 works as well I think
@pedroigor thanks for the explanation. You can close the issue.
Describe the bug
With the old Keycloak extension, invalid or expired tokens resulted in common HTTP 401 responses. Since the refactoring of the security layer, such a request results in a HTTP 500 response:
A request with e.g. an unauthorised role still results in HTTP 403 "Access forbidden: role not allowed", so I am guessing the exception mapping for authentication has been forgotten.

Expected behavior
A HTTP 401 response like "Unauthorised: invalid token" or "Unauthorised: expired token".

Actual behavior
Internal Server Error as in the screenshot below.

To Reproduce
Steps to reproduce the behavior:

Screenshots

Environment (please complete the following information):
uname -a or ver: Linux 4.19.72-gentoo
java -version: 1.8.0_202 Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)
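The status mapping the report and the thread settle on (401 when the caller cannot be authenticated because the token is missing, invalid or expired; 403 when the caller is authenticated but lacks the required role; and a 500 only when a failure class has no mapping at all), as an added example in Python. This is not Quarkus, Keycloak or OIDC adapter code: the HS256-style demo key, the `make_token`, `verify_token`, `require_role` and `handle_request` names, the claim layout and the fixed clock value `DEMO_NOW` are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example; a real resource server would verify
# the OIDC provider's signature with its published public key instead.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_NOW = 1_700_000_000  # constructed fixed clock so the example is deterministic


class AuthenticationError(Exception):
    """Caller could not be identified: missing, malformed, badly signed or expired token -> 401."""


class AuthorizationError(Exception):
    """Caller is identified but does not hold the required role -> 403."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a compact 'header.payload.signature' token signed with the demo key (constructed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: float) -> dict:
    """Return the claims, or raise AuthenticationError with the reason the report expects to see."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthenticationError("invalid token")
    header, payload, sig = parts
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        presented = _unb64url(sig)
        claims = json.loads(_unb64url(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise AuthenticationError("invalid token")
    # Check the signature before trusting any claim, using a constant-time comparison.
    if not hmac.compare_digest(expected, presented) or not isinstance(claims, dict):
        raise AuthenticationError("invalid token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise AuthenticationError("invalid token")
    if exp <= now:
        raise AuthenticationError("expired token")
    return claims


def require_role(claims: dict, role: str) -> None:
    """Authorization step: only reached once the caller is authenticated."""
    if role not in claims.get("roles", []):
        raise AuthorizationError("role not allowed")


def handle_request(headers: dict, required_role: str, now: float = DEMO_NOW) -> tuple:
    """Map each failure class to its status; anything that falls through to 500 is a mapping gap."""
    try:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise AuthenticationError("missing token")
        claims = verify_token(auth[len("Bearer "):], now)
        require_role(claims, required_role)
        return 200, f"hello {claims.get('sub')}"
    except AuthenticationError as e:
        return 401, f"Unauthorised: {e}"
    except AuthorizationError as e:
        return 403, f"Access forbidden: {e}"
    except Exception:
        # This branch is the symptom the report describes: an unmapped failure leaks as a 500.
        return 500, "Internal Server Error"


if __name__ == "__main__":
    good = make_token({"sub": "alice", "roles": ["admin"], "exp": DEMO_NOW + 60})
    stale = make_token({"sub": "alice", "roles": ["admin"], "exp": DEMO_NOW - 1})
    user = make_token({"sub": "bob", "roles": ["user"], "exp": DEMO_NOW + 60})
    for label, hdrs in [("no token", {}),
                        ("garbage", {"Authorization": "Bearer not.a.token"}),
                        ("expired", {"Authorization": "Bearer " + stale}),
                        ("wrong role", {"Authorization": "Bearer " + user}),
                        ("ok", {"Authorization": "Bearer " + good})]:
        print(f"{label:>10}: {handle_request(hdrs, 'admin')}")
```

The point of keeping `AuthenticationError` and `AuthorizationError` as separate types is that the catch-all branch becomes a visible defect rather than the default: if a new failure mode shows up as a 500 in this handler, it means a mapping is missing, which is exactly the regression the issue reports.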