Skip to content

Fix OIDC response code when authorization header is missing #5332

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
skion wants to merge 9 commits into from
Closed

Fix OIDC response code when authorization header is missing #5332

skion wants to merge 9 commits into from

Conversation

@skion
Copy link

@skion skion commented Sep 1, 2022
edited
Loading

The OIDC dependency currently returns a 403 response if an Authorization header is missing.

Using a 401 instead of 403 aligns with the HTTP standard when authentication is missing and with the existing OAuth2 dependency.

@codecov

This comment was marked as outdated.

Sign in to view
@skion skion marked this pull request as ready for review September 1, 2022 09:32
@github-actions

This comment was marked as outdated.

Sign in to view
@skion
Fix OIDC response code
f98ebda 
Using a 401 instead of 403 aligns with the HTTP standard when authentication is missing and with the existing OAuth2 dependency.
@github-actions

This comment was marked as outdated.

Sign in to view
@github-actions

This comment was marked as outdated.

Sign in to view
@github-actions

This comment was marked as outdated.

Sign in to view
@github-actions
Copy link
Contributor

github-actions bot commented Dec 16, 2022

📝 Docs preview for commit 3195cf8 at: https://639ce73e2c118d080c47f755--fastapi.netlify.app

@Kludex Kludex mentioned this pull request Aug 31, 2023
Closed
@tiangolo tiangolo added bug Something isn't working p3 and removed investigate labels Jan 15, 2024
YuriiMotov
YuriiMotov approved these changes Mar 1, 2024
View reviewed changes
Copy link
Member

@YuriiMotov YuriiMotov left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue is still relevant to current version of FastAPI (0.110.0).

It was said in this comment to the similar issue, that it should be fixed, but we have to make sure that new solution follows the specification.

OIDC follows the OAuth2 specification here. And in the current implementation of OAuth2AuthorizationCodeBearer and OAuth2PasswordBearer status_code and headers are exactly the same.

@skion
Copy link
Author

skion commented Mar 3, 2024

Thanks for the suggestion @YuriiMotov

@Bladieblah
Copy link

Bladieblah commented Aug 2, 2024

Hello! Any idea when this will get merged?

@skion skion requested a review from YuriiMotov October 16, 2024 09:14
@skion
Copy link
Author

skion commented Oct 16, 2024

This seems still an issue in mainline as of today... cc @YuriiMotov

@YuriiMotov YuriiMotov mentioned this pull request Jun 11, 2025
Merged
@svlandeg
Copy link
Member

svlandeg commented Oct 21, 2025

Thanks for the contribution @skion 🙏. I'm closing this one in favour of #13786, which is more extensive and should (hopefully) address this issue once and for all.

@svlandeg svlandeg closed this Oct 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YuriiMotov YuriiMotov Awaiting requested review from YuriiMotov

Assignees

No one assigned

Labels

bug Something isn't working p3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@skion @Bladieblah @svlandeg @YuriiMotov @tiangolo @alejsdev