Auth0\Laravel\Http\Middleware\Stateless\Authorize Middleware returns 403 'Unauthorized' for unauthenticated users.
I can see how 403 should be returned when there's a defined scope and the user does not have authorization on that scope. But, when there is no authenticated user, the middleware still returns 403, when it's usually expected to be 401.
Also, I'd expect the 403 message to be 'Forbidden' instead of 'Unauthorized'.
401 => 'Unauthorized' => For unauthenticated user
403 => 'Forbidden' => For authenticated user with forbidden access to a specific scope.
How can we reproduce this issue?
Make a request to a route protected by auth0.authorize middleware without a valid token.
Response status code should be 401, but it will be 403.
Additional context
No response
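As an added illustration (not code from the auth0/laravel-auth0 SDK or from the issue author), the middleware below shows the status-code split the report asks for: 401 with a WWW-Authenticate challenge when no authenticated principal is present, 403 when a principal exists but lacks the scope the route requires. It assumes the authenticated user model exposes the token's space-delimited `scope` claim through `getAttribute('scope')`; that accessor is an assumption, so adapt it to whatever the SDK's user model actually provides.

```php
<?php
// Illustrative Laravel middleware (added example, not the Auth0 SDK's own code).
// Distinguishes "no identity" (401) from "known identity, missing scope" (403).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class AuthorizeWithScope
{
    public function handle(Request $request, Closure $next, string $scope = ''): Response
    {
        $user = $request->user();

        // No credential, or one the guard rejected: the client has not proven
        // who it is, so RFC 7235 semantics call for 401 Unauthorized plus a
        // challenge telling the client how to authenticate.
        if ($user === null) {
            return response()->json(['message' => 'Unauthorized'], 401, [
                'WWW-Authenticate' => 'Bearer realm="api"',
            ]);
        }

        // A scope was required and the authenticated principal lacks it:
        // identity is known but permission is denied, so 403 Forbidden.
        if ($scope !== '' && !$this->hasScope($user, $scope)) {
            return response()->json(['message' => 'Forbidden'], 403);
        }

        return $next($request);
    }

    /** @param mixed $user the authenticated user model returned by the guard */
    private function hasScope($user, string $required): bool
    {
        // 'scope' is the space-delimited claim from the access token. Exposing it
        // via getAttribute('scope') is an assumption about the user model.
        $granted = (string) ($user->getAttribute('scope') ?? '');
        $scopes  = preg_split('/\s+/', trim($granted)) ?: [];

        return in_array($required, $scopes, true);
    }
}
```

Registered as a route middleware alias (for example `'authorize.scope' => AuthorizeWithScope::class` in the HTTP kernel), a route can then declare `->middleware('authorize.scope:read:messages')`; requests without a token get 401, authenticated requests whose token lacks `read:messages` get 403, and the response body text matches the status code in each case.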
Hey, @jeovajr 👋 Thanks for reporting this! Give me a bit to investigate this, but I think I agree with your conclusion there, that 403 makes more sense in that case.
@evansims thank you very much for this! I also noted that now we have native support for Laravel Cache APIs. That's also great. Thanks for that as well.
SDK Version: 7.0
PHP Version: PHP 8.1
Composer Version: 2.x