generate_challenge#

gafaelfawr.auth.generate_challenge(context, auth_type, exc, scopes=None, *, error_in_headers=True)#

Convert an exception into an HTTP error with WWW-Authenticate.

Always return a status code of 401 or 403, even if we want to return a different status code to the client, but put the actual status code in X-Error-Status. This works around limitations of the NGINX auth_request module, which can only handle 401 and 403 status codes. The status code will be retrieved from the headers and fixed by custom NGINX configuration in an error_page location.

Similarly, put the actual body of the error in X-Error-Body so that it can be retrieved and sent to the client. Normally, NGINX discards the body returned by an auth_request handler.

Parameters:

  • context (RequestContext) – Context of the incoming request.

  • auth_type (AuthType | None) – Type of authentication to request, or None to not set a WWW-Authenticate challenge and only set the other headers.

  • exc (OAuthBearerError) – An exception representing a bearer token error.

  • scopes (set[str] | None, default: None) – Optional scopes to include in the challenge, primarily intended for InsufficientScopeError exceptions.

  • error_in_headers (bool, default: True) – Whether to put the actual error status in X-Error-Status instead of raising it. Disable this for OpenID Connect routes.

Returns:

A prepopulated fastapi.HTTPException object ready for raising. The headers will contain a WWW-Authenticate challenge.

Return type:

fastapi.HTTPException

On this page