consistent status codes

[dianagudu]

Is there any documentation on what status codes are expected in different cases? Based on my testing (maybe not comprehensive list):

401:

• invalid token
• valid jwt but OP not supported

403:

• no token provided (either no authorisation headers or no bearer token in authorisation headers)
• requirements not satisfied
• no sub requirements

In the first item of 403, I wonder if this should be 401?

My understanding of the http codes:

• 401: Unauthorized is the status code to return when the client provides no credentials or invalid credentials.
• 403: Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource.

In any case, it would be nice to document this.

Originally posted by @dianagudu in https://github.com/indigo-dc/flaat/issues/47#issuecomment-1050858055

[dianagudu]

LE: this testing is done with fastapi.

With aio, the behaviour is as expected: https://github.com/indigo-dc/flaat/pull/47#issuecomment-1050867395

[dianagudu]

Seems the issue is not actually with flaat, but with fastapi: depends=Depends(HTTPBearer()) returns a 403 response when a bearer token is missing... https://github.com/tiangolo/fastapi/issues/2026#issuecomment-690217615. There is an open PR on that.