Description
There are some endpoints in the AuthController. Each of them returns a response code, and this issue is to validate those codes and suggest the correct ones:
TokenNotValidException could be thrown for multiple reasons: empty string, non-parseable token, revoked token, invalid token, etc. But the response code is always 400, which should be reserved for problems with the token structure.
The authentication should be done by configuration. It is not necessary to read the security context (just adding Authentication as a new argument is enough).
This implementation looks like it could receive anonymous authentication. Then it could end with a NullPointerException.
https://github.com/zowe/api-layer/blob/2ce6e5bb44f5862a1fe91a6a4cd8398aff6f7a08/zaas-service/src/main/java/org/zowe/apiml/zaas/controllers/AuthController.java#L213-216
This method (and very probably others similar to this one) could throw CachingServiceClientException. It generates 500 by default, but in the case of an inaccessible caching service it should be 503.
If the token is not valid for the scope (serviceId is not in the scope of the token), the response code should be 403.
There is no content to return, which is the difference between 200 and 204. The response code should be 204 or 503, because the reason not to distribute the token is that there is no service up (to be notified).
It is very theoretical, but this method could return an empty map. In this case the response code should be 404.
There is also issue #4175 describing an issue with a missing key. Depending on it, there is no reason to return 500 when there is not exactly one record in the response. When there is none it should in general return 404, but I guess the aim is to tell the user that the system is not ready. Let's say we can check if z/OSMF (or the OIDC provider in that case) is not ready and return 503.
When the OIDC provider is not defined, 401 makes sense since the token was not validated. But this information is not helpful. It is much better if we return 503, as the service is not available.
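The status-code mapping argued for above, as an added illustration that is not code from the api-layer project: a Spring `@RestControllerAdvice` that distinguishes the reasons behind a failed token check (400 only for structural problems, 403 for a scope mismatch, 401 otherwise), turns an unreachable caching service into 503 while leaving other failures at 500, and guards a controller method that receives `Authentication` as an argument against an anonymous principal instead of hitting a NullPointerException. Only the exception names `TokenNotValidException` and `CachingServiceClientException` come from the issue; the `TokenFailure` enum, the `getReason()` accessor, the `ZaasErrorHandler` class name and the decision to detect unavailability via a `ConnectException` in the cause chain are assumptions made for this example.

```java
import java.net.ConnectException;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// Hypothetical reason codes: the real TokenNotValidException does not carry this
// field, the example assumes it so that one exception type can map to several statuses.
enum TokenFailure { EMPTY, MALFORMED, INVALID, REVOKED, EXPIRED, OUT_OF_SCOPE }

// Example-local stand-ins for the project's exceptions (same names, assumed shape).
class TokenNotValidException extends RuntimeException {
    private final TokenFailure reason;

    TokenNotValidException(TokenFailure reason, String message) {
        super(message);
        this.reason = reason;
    }

    TokenFailure getReason() { return reason; }
}

class CachingServiceClientException extends RuntimeException {
    CachingServiceClientException(String message, Throwable cause) { super(message, cause); }
}

@RestControllerAdvice
public class ZaasErrorHandler {  // hypothetical class name, not part of api-layer

    /** Map the reason the token check failed to a status instead of a blanket 400. */
    static HttpStatus statusFor(TokenFailure reason) {
        switch (reason) {
            case EMPTY:
            case MALFORMED:
                return HttpStatus.BAD_REQUEST;        // only token-structure problems are 400
            case OUT_OF_SCOPE:
                return HttpStatus.FORBIDDEN;          // token is valid, but serviceId is outside its scope
            case INVALID:
            case REVOKED:
            case EXPIRED:
            default:
                return HttpStatus.UNAUTHORIZED;       // credential presented but not accepted
        }
    }

    @ExceptionHandler(TokenNotValidException.class)
    public ResponseEntity<String> onTokenNotValid(TokenNotValidException e) {
        return ResponseEntity.status(statusFor(e.getReason())).body(e.getMessage());
    }

    /** An unreachable caching service is 503; every other client failure stays 500. */
    static HttpStatus statusFor(CachingServiceClientException e) {
        // Throwable.getCause() returns null when the cause is the throwable itself, so this terminates.
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof ConnectException) {
                return HttpStatus.SERVICE_UNAVAILABLE;
            }
        }
        return HttpStatus.INTERNAL_SERVER_ERROR;
    }

    @ExceptionHandler(CachingServiceClientException.class)
    public ResponseEntity<String> onCachingService(CachingServiceClientException e) {
        return ResponseEntity.status(statusFor(e)).body(e.getMessage());
    }

    /**
     * Guard for controller methods that take Authentication as a parameter: an absent or
     * anonymous principal is reported as 401 through the handler above rather than
     * dereferenced and turned into a NullPointerException (a 500).
     */
    static void requireAuthenticated(Authentication auth) {
        if (auth == null || auth instanceof AnonymousAuthenticationToken || !auth.isAuthenticated()) {
            throw new TokenNotValidException(TokenFailure.INVALID, "no authenticated principal");
        }
    }
}
```

A controller method would call `requireAuthenticated(authentication)` first and let the advice translate the exceptions; the 204-versus-503 choice for the distribution endpoint is a controller-level decision (`ResponseEntity.noContent()` when there is simply nothing to notify) and is not covered by the advice. The WebFlux copies of these methods would need the same mapping expressed for the reactive stack, which this servlet-style advice does not provide.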
notes:
- All these methods were copied to the apiml module and so they have a WebFlux variant that should be fixed as well
- It is based on conversation: