
HTTP status code 401 for AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid #521

Open
soxofaan opened this issue Nov 21, 2023 · 2 comments

Comments

@soxofaan
Member

AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid are currently associated with HTTP status code 403 (Forbidden):

openeo-api/errors.json, lines 360 to 379 in c5a45b4:

```json
    "AuthenticationSchemeInvalid": {
        "description": "Invalid authentication scheme (e.g. Bearer).",
        "message": "Authentication method not supported.",
        "http": 403,
        "tags": [
            "Account Management"
        ]
    },
    "TokenInvalid": {
        "description": null,
        "message": "Authorization token has expired or is invalid. Please authenticate again.",
        "http": 403,
        "tags": [
            "Account Management"
        ]
    },
    "CredentialsInvalid": {
        "description": null,
        "message": "Credentials are not correct.",
        "http": 403,
```

While discussing some auth related integrations, @JanssenBrm noted that 401 (Unauthorized) is actually more correct for these error situations:

From RFC 9110:

> The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.

> The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it. ... If authentication credentials were provided in the request, the server considers them insufficient to grant access.

So 403 means that the provided credentials were correctly parsed and the user is fully authenticated, but additional access rules deny permission.
And 401 means that there is something wrong with the provided credentials, failing authentication.
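To make the 401/403 split from the RFC quote concrete, here is an added example (mine, not code from openeo-api or its maintainers) that runs the three error codes through a minimal request check: the token store, the roles, the per-path `POLICY`, `DENY_ALL_ROLE`, the `NOW` reference clock and the `authorize`/`Outcome` names are all constructed assumptions. The error codes and messages are the ones quoted from errors.json above, except that the `CredentialsInvalid` message uses the wording proposed later in this thread, and the mapping of `CredentialsInvalid` to 403 for a caller who is authenticated but not permitted follows the reading the thread converges on.

```python
"""Map authentication failures to 401 and authorization failures to 403.

Added example, not code from the openeo-api repository. The token store,
roles and per-path policy below are constructed assumptions; the error codes
and messages are the ones quoted from errors.json in the issue.
"""
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed reference clock so the expiry checks below are deterministic.
NOW = 1_700_000_000

# Constructed token store: bearer token -> (subject, roles, expiry as unix time).
TOKENS = {
    "tok-alice-valid": ("alice", {"reader", "writer"}, NOW + 3600),
    "tok-bob-valid": ("bob", {"reader"}, NOW + 3600),
    "tok-carol-expired": ("carol", {"reader"}, NOW - 60),
}

# Constructed policy: path -> role required. Paths not listed resolve to a
# role nobody holds, so unknown resources are denied rather than exposed.
POLICY = {
    "/jobs": "reader",
    "/jobs/create": "writer",
}
DENY_ALL_ROLE = "no-such-role"


@dataclass
class Outcome:
    status: int
    code: Optional[str]      # openEO error code, None when access is granted
    message: str
    headers: dict = field(default_factory=dict)


def authorize(authorization_header: str, path: str,
              now: Optional[float] = None) -> Outcome:
    """Return the HTTP outcome for a request carrying `authorization_header`."""
    now = time.time() if now is None else now
    # RFC 9110: a 401 response must carry a WWW-Authenticate challenge, so
    # every authentication failure below includes one.
    challenge = {"WWW-Authenticate": "Bearer"}

    # --- Authentication: who is the caller? Any failure here is 401. ---
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Missing header or a non-Bearer scheme: the server cannot even start
        # validating credentials.
        return Outcome(401, "AuthenticationSchemeInvalid",
                       "Authentication method not supported.", challenge)
    entry = TOKENS.get(token)
    if entry is None or entry[2] < now:
        # Unknown or expired token: credentials were presented but are not valid.
        return Outcome(401, "TokenInvalid",
                       "Authorization token has expired or is invalid. "
                       "Please authenticate again.", challenge)
    subject, roles, _ = entry

    # --- Authorization: may this authenticated caller do this? Failure is 403. ---
    # No challenge header: re-authenticating with the same credentials would
    # not help, which is exactly what separates 403 from 401.
    if POLICY.get(path, DENY_ALL_ROLE) not in roles:
        return Outcome(403, "CredentialsInvalid",
                       "The provided credentials do not give access to the "
                       "requested resource", {})
    return Outcome(200, None, f"{subject} may access {path}")


if __name__ == "__main__":
    for header, path in [
        ("Bearer tok-alice-valid", "/jobs/create"),
        ("Bearer tok-bob-valid", "/jobs/create"),
        ("Bearer tok-carol-expired", "/jobs"),
        ("Basic YWxpY2U6c2VjcmV0", "/jobs"),
        ("Bearer tok-unknown", "/jobs"),
    ]:
        out = authorize(header, path, now=NOW)
        print(out.status, out.code, out.headers, "-", out.message)
```

Two details carry the distinction: a 401 always ships a `WWW-Authenticate` challenge because the client can fix the problem by authenticating (again), while a 403 ships none because the caller is already known and re-sending the same credentials changes nothing. Unknown paths fall back to a role nobody holds, so a typo in the policy table fails closed.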

@soxofaan soxofaan changed the title HTTP status code of AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid HTTP status code 401 for AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid Nov 21, 2023
@m-mohr
Member

m-mohr commented Dec 8, 2023

Yeah, AuthenticationSchemeInvalid should probably be 401, TokenInvalid is debatable and both fit according to the quote, CredentialsInvalid is clearly 403 to me.

@soxofaan
Member Author

> TokenInvalid is debatable and both fit according to the quote

TokenInvalid (with message "Authorization token has expired or is invalid") only fits "401 ... lacks valid authentication credentials" in my understanding

> CredentialsInvalid is clearly 403 to me.

I think I understand what you mean, but the current error code and message troubles that understanding I guess:

> CredentialsInvalid: Credentials are not correct

you can easily interpret this as unparsable/expired tokens.
However "403 Forbidden" considers the provided tokens as valid, but the associated permissions are insufficient. I think it makes sense to clarify this a bit in the error message (changing the error code is probably too much of a change), e.g.

> The provided credentials do not give access to the requested resource
