The current implementation does not differentiate between HTTP 401 Unauthorized and HTTP 403 Forbidden responses.
At the moment, a HTTP 401 response is returned during request validation – regardless of whether the issue is related to authentication (missing / invalid credentials) or authorisation (missing required permissions / scopes).
This does not align with standard HTTP response code usage and could be improved.
Expected Behaviour
It should be possible to differentiate error responses based on the nature of the security failure:
HTTP 401 Unauthorized should be returned for missing or invalid authentication credentials.HTTP 403 Forbidden should be returned for authenticated users lacking the necessary permissions or scopes.
The current implementation does not differentiate between
HTTP 401 UnauthorizedandHTTP 403 Forbiddenresponses.At the moment, a HTTP 401 response is returned during request validation – regardless of whether the issue is related to authentication (missing / invalid credentials) or authorisation (missing required permissions / scopes).
This does not align with standard HTTP response code usage and could be improved.
Expected Behaviour
It should be possible to differentiate error responses based on the nature of the security failure:
HTTP 401 Unauthorizedshould be returned for missing or invalid authentication credentials.HTTP 403 Forbiddenshould be returned for authenticated users lacking the necessary permissions or scopes.