Fix OIDC response code when authorization header is missing #5332
base: master
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage diff (master vs #5332):
  Coverage: 100.00% -> 100.00%
  Files:    540 -> 535 (-5)
  Lines:    13969 -> 13838 (-131)
  Hits:     13969 -> 13838 (-131)

View full report in Codecov by Sentry.
📝 Docs preview for commit b515950 at: https://63107c7d01ad3a4be20ed7ce--fastapi.netlify.app
📝 Docs preview for commit f98ebda at: https://63832321d901c53c90138745--fastapi.netlify.app
📝 Docs preview for commit 9778525 at: https://6383634bcb239267a6f8ad2f--fastapi.netlify.app
📝 Docs preview for commit 1c44941 at: https://638370a0acf33a7e83a9c71c--fastapi.netlify.app
📝 Docs preview for commit 3195cf8 at: https://639ce73e2c118d080c47f755--fastapi.netlify.app
The issue is still relevant to the current version of FastAPI (0.110.0).
It was said in this comment on the similar issue that it should be fixed, but we have to make sure that the new solution follows the specification.
OIDC follows the OAuth2 specification here. And in the current implementation of OAuth2AuthorizationCodeBearer and OAuth2PasswordBearer, status_code and headers are exactly the same.
Thanks for the suggestion @YuriiMotov
The OIDC dependency currently returns a 403 response if an Authorization header is missing. Using a 401 instead of 403 aligns with the HTTP standard when authentication is missing and with the existing OAuth2 dependency.
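The status-code change described above, shown as an added example that is not FastAPI's own code and imports nothing from fastapi. Two plain-Python stand-ins for the OIDC security dependency are placed side by side: the pre-fix behaviour (403 and no WWW-Authenticate challenge when the Authorization header is absent) and the post-fix behaviour, which mirrors what OAuth2PasswordBearer already sends (401 plus WWW-Authenticate: Bearer). The request model, the HTTPError class, the "Not authenticated" detail text and the probe/check helpers are this example's own assumptions; the final check encodes the RFC 7235 rule that a 401 must carry a WWW-Authenticate header.

```python
"""Constructed example (not fastapi.security code): 403 vs 401 for a missing
Authorization header, modelling the dependency before and after this PR."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class HTTPError(Exception):
    """Assumed stand-in for an HTTPException: status, detail and response headers."""
    status_code: int
    detail: str
    headers: Dict[str, str] = field(default_factory=dict)


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def oidc_before(headers: Dict[str, str], auto_error: bool = True) -> Optional[str]:
    """Pre-fix behaviour: a missing Authorization header is answered with 403."""
    authorization = _get_header(headers, "Authorization")
    if not authorization:
        if auto_error:
            # 403 tells the client that authenticating will not help, and
            # carries no challenge telling it which scheme to use.
            raise HTTPError(403, "Not authenticated")
        return None
    return authorization


def oidc_after(headers: Dict[str, str], auto_error: bool = True) -> Optional[str]:
    """Post-fix behaviour: 401 with a WWW-Authenticate challenge, the same
    status code and header OAuth2PasswordBearer already uses."""
    authorization = _get_header(headers, "Authorization")
    if not authorization:
        if auto_error:
            raise HTTPError(401, "Not authenticated", {"WWW-Authenticate": "Bearer"})
        return None
    return authorization


def probe(dependency: Callable[..., Optional[str]],
          headers: Dict[str, str]) -> Dict[str, object]:
    """Run a dependency against a constructed request and report the outcome."""
    try:
        return {"status": 200, "token": dependency(headers), "headers": {}}
    except HTTPError as exc:
        return {"status": exc.status_code, "token": None, "headers": dict(exc.headers)}


def missing_credentials_handled_per_rfc7235(outcome: Dict[str, object]) -> bool:
    """For a request that presented no credentials, the response must be
    401 and carry a WWW-Authenticate challenge (RFC 7235 section 3.1)."""
    return outcome["status"] == 401 and "WWW-Authenticate" in outcome["headers"]


if __name__ == "__main__":
    no_creds: Dict[str, str] = {}  # constructed request: no Authorization header
    with_creds = {"authorization": "Bearer example-token"}  # constructed request
    for name, dep in (("before", oidc_before), ("after", oidc_after)):
        print(name, probe(dep, no_creds), probe(dep, with_creds))
```

With `auto_error=False` both variants return None instead of raising, which is the pattern for endpoints that accept anonymous and authenticated callers alike; the 401 plus challenge only matters on the auto_error path, where the framework answers for you.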