403 even though PassthroughAction Pass is set

[b-dreissigacker]

Hi,
I'm using version "0.4.2".
I set up KeycloakAuth as follows:

KeycloakAuth {
    detailed_responses: true,
    passthrough_policy: |e: &AuthError| match e {
        AuthError::NoAuthorizationHeader => PassthroughAction::Pass,
        _ => PassthroughAction::Return,
    },
    keycloak_oid_public_key: DecodingKey::from_rsa_pem(
        config.keycloak_pk.as_bytes(),
    )
    .unwrap(),
    required_roles: vec![],
};

web::resource("/")
    .guard(guard::Post())
    // .wrap(keycloak_auth)
    .to(public_api),

I would expect that requests without authorization would be passed on to the public_api handler,
but instead I get 403 errors without it being called.

The public_api function calls a graphql schema where some fields are publicly available and others require authorization and return a graphql authorization error.

I tried setting passthrough_policy to AlwaysPassPolicy with the same result.

Am I missing something or is this a bug in version "0.4.2"?

[dsferruzza]

Hi!

This is weird 🤔
The only error that can make this lib return a 403 error is when your middleware configuration requires some roles that are not there (https://github.com/dsferruzza/actix-web-middleware-keycloak-auth/blob/master/src/errors.rs#L32).
But as you have required_roles: vec![], this should not return this error (https://github.com/dsferruzza/actix-web-middleware-keycloak-auth/blob/master/src/roles.rs#L29-L30).

1. Could you enable the trace logs for this crates (set RUST_LOG=actix_web_middleware_keycloak_auth=trace and see if the server outputs some useful logs when you reproduce the error?
2. Are you sure the 403 response is returned by this lib? What is the body of this response?
3. If nothing else works, could you build a minimal example that reproduces this behavior? (maybe start for the simple example)