From f98ebdae1c8053eb700ad31e531bfdc0929e99b7 Mon Sep 17 00:00:00 2001
From: Pieter Ennes
Date: Thu, 1 Sep 2022 11:25:38 +0200
Subject: [PATCH 1/2] Fix OIDC response code

Using a 401 instead of 403 aligns with the HTTP standard when authentication is missing and with the existing OAuth2 dependency.
---
 fastapi/security/open_id_connect_url.py | 6 ++++--
 tests/test_security_openid_connect.py | 2 +-
 tests/test_security_openid_connect_description.py | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/fastapi/security/open_id_connect_url.py b/fastapi/security/open_id_connect_url.py
index 393614f7c..5b49fdbbd 100644
--- a/fastapi/security/open_id_connect_url.py
+++ b/fastapi/security/open_id_connect_url.py
@@ -4,7 +4,7 @@ from fastapi.openapi.models import OpenIdConnect as OpenIdConnectModel
 from fastapi.security.base import SecurityBase
 from starlette.exceptions import HTTPException
 from starlette.requests import Request
-from starlette.status import HTTP_403_FORBIDDEN
+from starlette.status import HTTP_401_UNAUTHORIZED


 class OpenIdConnect(SecurityBase):
@@ -27,7 +27,9 @@ class OpenIdConnect(SecurityBase):
 if not authorization:
 if self.auto_error:
 raise HTTPException(
- status_code=HTTP_403_FORBIDDEN, detail="Not authenticated"
+ status_code=HTTP_401_UNAUTHORIZED,
+ detail="Not authenticated",
+ headers={"WWW-Authenticate": "Bearer"},
 )
 else:
 return None
diff --git a/tests/test_security_openid_connect.py b/tests/test_security_openid_connect.py
index 8203961be..c87f750e5 100644
--- a/tests/test_security_openid_connect.py
+++ b/tests/test_security_openid_connect.py
@@ -70,5 +70,5 @@ def test_security_oauth2_password_other_header():

 def test_security_oauth2_password_bearer_no_header():
 response = client.get("/users/me")
- assert response.status_code == 403, response.text
+ assert response.status_code == 401, response.text
 assert response.json() == {"detail": "Not authenticated"}
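Review bot: The new `raise HTTPException(...)` in the second hunk of open_id_connect_url.py carries no comment explaining the 401 plus `WWW-Authenticate: Bearer` response, so nothing in the code records why this must not drift back to 403 (the first hunk's import swap is the other half of the same change). A why-comment above the raise would pin it, e.g. `# Missing credentials: 401 with a Bearer challenge (RFC 6750 section 3), matching OAuth2PasswordBearer; 403 is for a caller who is authenticated but not authorized.` Because the status code is observable by clients and by tests that matched on 403, the change is worth a line in the release notes as well. The enclosing method starts before this hunk and ends after it.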
diff --git a/tests/test_security_openid_connect_description.py b/tests/test_security_openid_connect_description.py
index 218cbfc8f..1d32c7d12 100644
--- a/tests/test_security_openid_connect_description.py
+++ b/tests/test_security_openid_connect_description.py
@@ -76,5 +76,5 @@ def test_security_oauth2_password_other_header():

 def test_security_oauth2_password_bearer_no_header():
 response = client.get("/users/me")
- assert response.status_code == 403, response.text
+ assert response.status_code == 401, response.text
 assert response.json() == {"detail": "Not authenticated"}

From 586938e13cce9b7d329a77b6bf08c8c41915bed1 Mon Sep 17 00:00:00 2001
From: Pieter Ennes
Date: Sun, 3 Mar 2024 10:02:40 +0100
Subject: [PATCH 2/2] Add assertion on www-authenticate header.

---
 tests/test_security_openid_connect.py | 1 +
 tests/test_security_openid_connect_description.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/tests/test_security_openid_connect.py b/tests/test_security_openid_connect.py
index 8a548e5c7..5d5d34a67 100644
--- a/tests/test_security_openid_connect.py
+++ b/tests/test_security_openid_connect.py
@@ -40,6 +40,7 @@ def test_security_oauth2_password_other_header():
 def test_security_oauth2_password_bearer_no_header():
 response = client.get("/users/me")
 assert response.status_code == 401, response.text
+ assert response.headers["WWW-Authenticate"] == "Bearer"
 assert response.json() == {"detail": "Not authenticated"}


diff --git a/tests/test_security_openid_connect_description.py b/tests/test_security_openid_connect_description.py
index dc4bc649a..24f10801f 100644
--- a/tests/test_security_openid_connect_description.py
+++ b/tests/test_security_openid_connect_description.py
@@ -42,6 +42,7 @@ def test_security_oauth2_password_other_header():
 def test_security_oauth2_password_bearer_no_header():
 response = client.get("/users/me")
 assert response.status_code == 401, response.text
+ assert response.headers["WWW-Authenticate"] == "Bearer"
 assert response.json() == {"detail": "Not authenticated"}

