openid / authzen

Proposed standard for an Authorization API

Clarify Unauthorized / Forbidden Response #86

Closed independentid closed 1 month ago

independentid commented 4 months ago

In the spec the error status responses are specified:

| Status | Reason | Body |
| --- | --- | --- |
| 401 | Unauthorized | An error message string |
| 403 | Forbidden | An error message string |

Suggest clarifying that:

- HTTP Status responses are always in regards to the use of the PDP decision API and are unrelated to the decision outcomes.
- A status 401 from the PDP itself means the HTTP client (usually a PEP) is not authorized to call the PDP (e.g. because no authorization header was provided or was invalid). Likewise, an HTTP Status 403 being returned by a PEP to its client would normally be based on a status 200 response from the PDP containing a "deny" decision.
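Added example, not code from the issue or from the AuthZEN project: a PEP-side classifier that keeps the two layers apart, the HTTP status of the call to the PDP versus the decision carried in a 200 body. It assumes the 200 body is a JSON object with a boolean `decision` field; answering 503 to the PEP's own client for PDP-side failures is this example's fail-closed choice, not something the spec mandates.

```python
import json
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ALLOW = "allow"                         # PDP returned 200 with decision true
    DENY = "deny"                           # PDP returned 200 with decision false
    PDP_AUTH_FAILURE = "pdp_auth_failure"   # PDP answered 401/403: the PEP's own call was rejected
    PDP_ERROR = "pdp_error"                 # any other status, or an unparsable 200 body


@dataclass
class PdpReply:
    status: int   # HTTP status of the evaluation call
    body: str     # raw response body


def classify(reply: PdpReply) -> Outcome:
    """Separate 'could the PEP use the PDP API?' from 'what did the PDP decide?'."""
    if reply.status == 200:
        try:
            decision = json.loads(reply.body).get("decision")
        except (ValueError, AttributeError):
            # invalid JSON, or JSON that is not an object: no usable decision
            return Outcome.PDP_ERROR
        # anything other than a literal boolean true is treated as deny (fail closed)
        return Outcome.ALLOW if decision is True else Outcome.DENY
    if reply.status in (401, 403):
        # The PEP's credential to the PDP is missing, invalid or not permitted.
        # This says nothing about the end user's request.
        return Outcome.PDP_AUTH_FAILURE
    return Outcome.PDP_ERROR


# Status the PEP sends to its own client. 403 only ever comes from a PDP "deny";
# PDP-side problems surface as 503 so the client is never told it was forbidden
# when the PEP simply could not reach a decision (assumed policy for this example).
CLIENT_STATUS = {
    Outcome.ALLOW: 200,
    Outcome.DENY: 403,
    Outcome.PDP_AUTH_FAILURE: 503,
    Outcome.PDP_ERROR: 503,
}


def pep_status(reply: PdpReply) -> int:
    return CLIENT_STATUS[classify(reply)]
```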

ogazitt commented 2 months ago

Thanks @independentid, good suggestion!

Addressed by https://github.com/openid/authzen/pull/118