Fix OIDC response code when authorization header is missing #5332
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5332 +/- ##
==========================================
Coverage 100.00% 100.00%
==========================================
Files 540 535 -5
Lines 13969 13838 -131
==========================================
- Hits 13969 13838 -131 ☔ View full report in Codecov by Sentry. |
|
📝 Docs preview for commit b515950 at: https://63107c7d01ad3a4be20ed7ce--fastapi.netlify.app |
Using a 401 instead of 403 aligns with the HTTP standard when authentication is missing and with the existing OAuth2 dependency.
|
📝 Docs preview for commit f98ebda at: https://63832321d901c53c90138745--fastapi.netlify.app |
|
📝 Docs preview for commit 9778525 at: https://6383634bcb239267a6f8ad2f--fastapi.netlify.app |
|
📝 Docs preview for commit 1c44941 at: https://638370a0acf33a7e83a9c71c--fastapi.netlify.app |
|
📝 Docs preview for commit 3195cf8 at: https://639ce73e2c118d080c47f755--fastapi.netlify.app |
There was a problem hiding this comment.
The issue is still relevant to current version of FastAPI (0.110.0).
It was said in this comment to the similar issue, that it should be fixed, but we have to make sure that new solution follows the specification.
OIDC follows the OAuth2 specification here. And in the current implementation of OAuth2AuthorizationCodeBearer and OAuth2PasswordBearer status_code and headers are exactly the same.
|
Thanks for the suggestion @YuriiMotov |
The OIDC dependency currently returns a 403 response if an
Authorizationheader is missing.Using a 401 instead of 403 aligns with the HTTP standard when authentication is missing and with the existing OAuth2 dependency.