fix: give correct unauthorized response on openid connect auth

According to https://www.rfc-editor.org/rfc/rfc9110.html#section-15.5.2 the correct response in this case of missing value is 401.
tiangolo · Mar 25, 2023 · 854bba3 · 854bba3
1 parent d666ccb
commit 854bba3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/fastapi/security/open_id_connect_url.py b/fastapi/security/open_id_connect_url.py
@@ -4,7 +4,7 @@
 from fastapi.security.base import SecurityBase
 from starlette.exceptions import HTTPException
 from starlette.requests import Request
-from starlette.status import HTTP_403_FORBIDDEN
+from starlette.status import HTTP_401_UNAUTHORIZED
 
 
 class OpenIdConnect(SecurityBase):
@@ -27,7 +27,7 @@ async def __call__(self, request: Request) -> Optional[str]:
         if not authorization:
             if self.auto_error:
                 raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN, detail="Not authenticated"
+                    status_code=HTTP_401_UNAUTHORIZED, detail="Unauthorized"
                 )
             else:
                 return None