
Return 403 Forbidden instead of 401 when OPA denies authorization #321

@francbartoli

Description


When OPA returns allow: false for an authenticated user, the application currently returns 401 Unauthorized. According to HTTP semantics, this should be 403 Forbidden:

  • 401 Unauthorized: Authentication failed or missing credentials
  • 403 Forbidden: Authenticated but not authorized to access the resource

Current Behavior

When a user is authenticated via OIDC but OPA denies the request based on policy rules, the response is:

{"message": "Unauthorized"}

with status code 401.

Expected Behavior

The response should be:

{"message": "Forbidden"}

with status code 403.

Root Cause

This is a limitation of the upstream fastapi-opa library, which uses 401 for both authentication failures and authorization denials.

Related

A PR has been opened to fix this in the upstream library:

Action Items

  • Wait for the upstream fix to be merged and released
  • Update fastapi-opa dependency once the fix is available
  • Update tests in tests/test_opa_integration.py to expect 403 instead of 401
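As an added illustration, not the issue's or fastapi-opa's code, the following Python sketch shows an authorization check that keeps the two failure modes apart: a missing or invalid token yields 401, an authenticated caller denied by OPA yields 403. `verify_token`, the sample tokens in `VALID_SUBJECTS` and the OPA replies are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Any, Mapping, Optional

@dataclass(frozen=True)
class Denial:
    status: int
    body: dict
    headers: dict

# Authentication failure: the client may retry with credentials, so advertise the scheme.
UNAUTHORIZED = Denial(401, {"message": "Unauthorized"}, {"WWW-Authenticate": "Bearer"})
# Authorization failure: the caller is known, the policy simply does not permit the action.
FORBIDDEN = Denial(403, {"message": "Forbidden"}, {})

# Constructed stand-in for OIDC validation; a real check verifies signature,
# issuer, audience and expiry instead of looking tokens up in a table.
VALID_SUBJECTS = {"tok-alice": "alice", "tok-bob": "bob"}

def verify_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the subject of a valid bearer token, or None if authentication fails."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return VALID_SUBJECTS.get(token)

def opa_allows(decision: Any) -> bool:
    """Interpret an OPA Data API reply. Depending on the queried path, `result`
    is either a bare boolean or a document such as {"allow": false}.
    A missing or malformed result fails closed."""
    result = decision.get("result") if isinstance(decision, dict) else None
    if isinstance(result, bool):
        return result
    if isinstance(result, dict):
        return result.get("allow") is True
    return False

def authorize(headers: Mapping[str, str], decision: Any) -> Optional[Denial]:
    """401 when the caller is not authenticated, 403 when authenticated but
    denied by policy, None when the request may proceed."""
    if verify_token(headers) is None:
        return UNAUTHORIZED   # authentication failed or credentials missing
    if not opa_allows(decision):
        return FORBIDDEN      # authenticated, but OPA returned allow: false
    return None

if __name__ == "__main__":
    hdrs = {"authorization": "Bearer tok-alice"}
    print(authorize(hdrs, {"result": {"allow": False}}).status)  # 403
    print(authorize({}, {"result": {"allow": True}}).status)     # 401
```

Header names are assumed to be lower-cased by the framework before reaching `authorize`, as ASGI servers do.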
