| private boolean isInvalidOrDisabledErrorCode(String errorCode){ | ||
| return StringUtils.equalsAny(errorCode, "401_key_invalid", "401_key_disabled"); |
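Review bot: In the `StringUtils.equalsAny(...)` call, the error codes `"401_key_invalid"` and `"401_key_disabled"` are inline string literals, and nothing in the method says which component emits them. Consider extracting them into named constants with a short comment on their origin, so the set of codes treated as an invalid or disabled key can be audited and extended in one place. Also a style point on the signature line: add a space before the opening brace in `isInvalidOrDisabledErrorCode(String errorCode){`.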
I'm a bit confused. The ticket says that Keycloak returns a 400 response for an invalid key, why not a 401?
Anyway, this change is for api-commons, but in the sources I don't see any error codes such as 401_key_invalid defined. Or is this code coming from Keycloak? If so, why don't we simply consider all 400 and 401 responses from Keycloak to be a 401 response for Entity API?
Also, I looked at the api-commons-sb3 code and there we do have 401_empty_apikey and 401_missing_apikey error messages. The 401_key_disabled I didn't see. If we go with checking these 401_ error codes instead of the "real" Keycloak validation response code, then I propose to make the check more resilient and future-proof by checking if the error code starts with 401_?