When introspection fails return unauthorized

director/director.go

@@ -93,6 +93,8 @@ func (d *Director) Director(r *http.Request) {
 			*r = *r.WithContext(context.WithValue(r.Context(), requestDenied, &directorError{err: err, statusCode: http.StatusForbidden}))
 		case helper.ErrMissingBearerToken:
 			*r = *r.WithContext(context.WithValue(r.Context(), requestDenied, &directorError{err: err, statusCode: http.StatusUnauthorized}))
+		case helper.ErrUnauthorized:
+			*r = *r.WithContext(context.WithValue(r.Context(), requestDenied, &directorError{err: err, statusCode: http.StatusUnauthorized}))
 		case helper.ErrMatchesNoRule:
 			*r = *r.WithContext(context.WithValue(r.Context(), requestDenied, &directorError{err: err, statusCode: http.StatusNotFound}))
 		case helper.ErrMatchesMoreThanOneRule:

evaluator/evaluator_warden.go

@@ -94,7 +94,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 				Errorf("Expected warden response to return status code 200.")
 			return nil, errors.Errorf("Token introspection expects status code %d but got %d", http.StatusOK, response.StatusCode)
 		} else if !introspection.Active {
-			return nil, errors.WithStack(helper.ErrForbidden)
+			return nil, errors.WithStack(helper.ErrUnauthorized)
 		}
 
 		return &Session{

helper/errors.go

@@ -5,6 +5,7 @@ import "github.com/pkg/errors"
 var (
 	ErrMissingBearerToken     = errors.New("This action requires authorization but no bearer token was given")
 	ErrForbidden              = errors.New("Access credentials are not sufficient to access this resource")
+	ErrUnauthorized           = errors.New("Access credentials are either expired or missing a scope")
 	ErrMatchesMoreThanOneRule = errors.New("Expected exactly one rule but found multiple rules")
 	ErrMatchesNoRule          = errors.New("Requested url does not match any rules")
 	ErrResourceNotFound       = errors.New("The requested resource could not be found")