Open jpluscplusm opened 5 years ago
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/161422542
The labels on this github issue will be updated when the story is started.
@jpluscplusm I was assuming this was an issue against 404ing, but the 200 is surprising. Are you using the cf-auth-proxy pattern (you would have to write an equivalent auth proxy if not using a Cloud Foundry)? Because on invalid auth against an oauth2 server, our auth proxy would cause a 404 I believe here.
Apologies, I'm no longer (and wasn't when you asked!) on the team managing the platform observing this problem.
Please close this issue if you'd like - I can't see me being able to update it with more info.
Providing an `Authorization` header containing invalid credentials to the meta API endpoint can't be distinguished from a successful request at the HTTP layer:

We're finding that this makes troubleshooting the consumption of log-cache by our adapter (https://github.com/alphagov/paas-log-cache-adapter, which provides a `/metrics` endpoint for prometheus) interesting.

Specifically, if a platform tenant misconfigures their credentials, then unless we assume that an empty `meta` response == "invalid creds", then we can't provide them with a hint that they should check their credentials.

Is it possible to more clearly indicate the authentication failure, perhaps via an HTTP 4XX response?
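
An added sketch, not part of the thread and not code from log-cache or the adapter: how a consumer could classify a meta response, showing that a 200 with an empty `meta` stays ambiguous while an explicit 4XX does not. The `{"meta": {...}}` body shape, the type and function names, and the sample responses are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// MetaState is this example's own classification, not a log-cache type.
type MetaState int

const (
	MetaOK           MetaState = iota // 200 and at least one source listed
	MetaEmpty                         // 200 and no sources: bad creds or nothing visible
	MetaAuthRejected                  // explicit 401/403, the signal the issue asks for
	MetaOther                         // any other status, or a body that is not JSON
)

// ClassifyMeta inspects a meta response. Assumed body shape:
// {"meta": {"<source-id>": {...}}}.
func ClassifyMeta(status int, body []byte) MetaState {
	switch status {
	case http.StatusUnauthorized, http.StatusForbidden:
		return MetaAuthRejected
	case http.StatusOK:
		var parsed struct {
			Meta map[string]json.RawMessage `json:"meta"`
		}
		if err := json.Unmarshal(body, &parsed); err != nil {
			return MetaOther
		}
		if len(parsed.Meta) == 0 {
			return MetaEmpty // cannot tell invalid credentials from "no sources"
		}
		return MetaOK
	}
	return MetaOther
}

func main() {
	// Constructed sample responses, not captured from a real deployment.
	samples := []struct {
		status int
		body   string
	}{{200, `{"meta":{"app-guid":{"count":"12"}}}`}, {200, `{"meta":{}}`}, {401, ``}}
	for _, s := range samples {
		fmt.Println(s.status, ClassifyMeta(s.status, []byte(s.body)))
	}
}
```

Only the `MetaAuthRejected` case lets a `/metrics` adapter tell a tenant to check their credentials with certainty; `MetaEmpty` can at best produce a "credentials may be wrong, or no sources are visible" hint.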