authz: Change error code from 403 to 401 (#259)

Closes #256
ory · Sep 23, 2019 · c17e564 · c17e564
1 parent 72a2333
commit c17e564
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 9 deletions.
diff --git a/pipeline/authn/authenticator_jwt.go b/pipeline/authn/authenticator_jwt.go
@@ -95,7 +95,7 @@ func (a *AuthenticatorJWT) Authenticate(r *http.Request, config json.RawMessage,
 		ScopeStrategy: a.c.ToScopeStrategy(cf.ScopeStrategy, "authenticators.jwt.Config.scope_strategy"),
 	})
 	if err != nil {
-		return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
+		return nil, helper.ErrUnauthorized.WithReason(err.Error()).WithTrace(err)
 	}
 
 	claims, ok := pt.Claims.(jwt.MapClaims)

diff --git a/pipeline/authn/authenticator_jwt_test.go b/pipeline/authn/authenticator_jwt_test.go
@@ -33,6 +33,7 @@ import (
 
 	"github.com/ory/x/urlx"
 
+	"github.com/ory/herodot"
 	"github.com/ory/oathkeeper/internal"
 	. "github.com/ory/oathkeeper/pipeline/authn"
 
@@ -71,6 +72,7 @@ func TestAuthenticatorJWT(t *testing.T) {
 			r          *http.Request
 			config     string
 			expectErr  bool
+			expectCode int
 			expectSess *AuthenticationSession
 		}{
 			{
@@ -169,8 +171,9 @@ func TestAuthenticatorJWT(t *testing.T) {
 					"exp": now.Add(time.Hour).Unix(),
 					"nbf": now.Add(time.Hour).Unix(),
 				})}}},
-				config:    `{}`,
-				expectErr: true,
+				config:     `{}`,
+				expectErr:  true,
+				expectCode: 401,
 			},
 			{
 				d: "should fail because JWT iat is in future",
@@ -179,8 +182,9 @@ func TestAuthenticatorJWT(t *testing.T) {
 					"exp": now.Add(time.Hour).Unix(),
 					"iat": now.Add(time.Hour).Unix(),
 				})}}},
-				config:    `{}`,
-				expectErr: true,
+				config:     `{}`,
+				expectErr:  true,
+				expectCode: 401,
 			},
 			{
 				d: "should pass because JWT is missing scope",
@@ -218,8 +222,9 @@ func TestAuthenticatorJWT(t *testing.T) {
 					"sub": "sub",
 					"exp": now.Add(-time.Hour).Unix(),
 				})}}},
-				config:    `{}`,
-				expectErr: true,
+				config:     `{}`,
+				expectErr:  true,
+				expectCode: 401,
 			},
 		} {
 			t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
@@ -230,6 +235,9 @@ func TestAuthenticatorJWT(t *testing.T) {
 				tc.config, _ = sjson.Set(tc.config, "jwks_urls", keys)
 				session, err := a.Authenticate(tc.r, json.RawMessage([]byte(tc.config)), nil)
 				if tc.expectErr {
+					if tc.expectCode != 0 {
+						assert.Equal(t, tc.expectCode, herodot.ToDefaultError(err, "").StatusCode(), "Status code mismatch")
+					}
 					require.Error(t, err)
 				} else {
 					require.NoError(t, err, "%#v", errors.Cause(err))

diff --git a/test/e2e/okclient/main.go b/test/e2e/okclient/main.go
@@ -58,7 +58,7 @@ func main() {
 	}
 
 	res, body = requestWithJWT("not.valid.token")
-	if res.StatusCode != 403 {
+	if res.StatusCode != 401 {
 		panic("proxy: expected 401: " + body)
 	}
 
@@ -68,7 +68,7 @@ func main() {
 	}
 
 	res, body = decisionWithJWT("not.valid.token")
-	if res.StatusCode != 403 {
+	if res.StatusCode != 401 {
 		panic("decision: expected 401: " + body)
 	}
 }