
Authentication error shows as Possible CORS issue #2322


Closed
mrgrew opened this issue Jul 26, 2023 · 2 comments
Labels
duplicate This issue or pull request already exists

Comments

@mrgrew

mrgrew commented Jul 26, 2023

Describe the bug

With SpringDoc using the actuator management port and an endpoint that expects an unauthorized response (401), unauthorized responses show an "Undocumented" code with details

Failed to fetch.
Possible Reasons:
CORS
Network Failure
URL scheme must be "http" or "https" for CORS request.

I would expect to see a "401" code with details "Unauthorized"

To Reproduce
Steps to reproduce the behavior:

  1. Clone this repo: git clone https://github.com/mrgrew/swagger-auth-cors
  2. Change to the repo directory and run it: ./gradlew bootRun
  3. In a browser, navigate to http://localhost:9090/actuator/swagger-ui
  4. Authorize with Bearer api-key
  5. Open the "/api" endpoint and click "Execute".
  6. You'll see a 200 status code with response {}
  7. Use the Authorize button to "Logout"
  8. Click "Execute" again and see an "Undocumented" code with details "Failed to fetch."
  9. Expected output would be a "401" code with details "Unauthorized"

The demo above uses Spring Boot 3.1.2 and springdoc-openapi-starter-webflux-ui version 2.1.0.

Expected behavior

I expect a 401 response status code to appear as "401 Unauthorized", not "Undocumented Failed to fetch"

@bnasslahsen
Collaborator

@mrgrew,

See answer here: #2277

@bnasslahsen bnasslahsen added the duplicate This issue or pull request already exists label Jul 29, 2023
@mrgrew
Author

mrgrew commented Jul 31, 2023

@bnasslahsen,

Thanks for taking a look. The example I provide doesn't use OAuth2 so it seems my issue may be different.

I should add that once I put my API behind a Kubernetes Ingress, headers were added to the response and SpringDoc showed a "401" code with "Error: response status is 401" details rather than a failure indicating a CORS error.

The MDN Docs for 401 state a 401 response should return a "WWW-Authenticate" header. My example Spring Security configuration doesn't return ANY headers - I wonder if that's what is causing the unexpected behavior.

I'm starting to think a 403 status would be a better response for this situation. I hope to have time to try that out.
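The two observations above (a bare 401 from the API port shows up in Swagger UI on the management port as "Failed to fetch", while the same 401 with headers added by the ingress shows up as a 401) are consistent with how browsers handle cross-origin responses: when the UI is served from one origin (here http://localhost:9090) and calls the API on another, a response that carries no Access-Control-Allow-Origin header is hidden from the page's JavaScript regardless of its status code, so Swagger UI only sees a network error. The following Spring Security WebFlux configuration is an added example written for this page; it is not code from the linked swagger-auth-cors repository or from springdoc. It shows an authentication entry point that returns 401 with the WWW-Authenticate header MDN asks for, together with an explicit CORS policy limited to the origin the UI is served from. The allowed origin, the realm name, the path patterns and the class name are assumptions; validation of the bearer token itself is left to whatever filter the application already uses.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

// Hypothetical configuration class; the name and the path patterns are assumptions.
@Configuration
@EnableWebFluxSecurity
public class ApiSecurityConfig {

    // Origin the Swagger UI is loaded from (management port in the report above).
    // Keep this list explicit: a wildcard origin would let any site read API responses.
    private static final List<String> UI_ORIGINS = List.of("http://localhost:9090");

    @Bean
    SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http) {
        return http
                // Attach CORS headers (including to 401 responses) so the browser
                // lets the UI's JavaScript see the real status instead of "Failed to fetch".
                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                // Bearer-token APIs are not cookie-authenticated, so CSRF protection is not needed here.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/actuator/**").permitAll()   // assumption: UI and actuator stay open
                        .anyExchange().authenticated())             // everything else, e.g. /api, needs a token
                .exceptionHandling(handling -> handling.authenticationEntryPoint(unauthorizedEntryPoint()))
                .build();
    }

    // Entry point used when no valid credentials are present: plain 401 plus the
    // WWW-Authenticate challenge that RFC 7235 / MDN expect on a 401.
    @Bean
    ServerAuthenticationEntryPoint unauthorizedEntryPoint() {
        return (exchange, authException) -> {
            var response = exchange.getResponse();
            response.setStatusCode(HttpStatus.UNAUTHORIZED);
            response.getHeaders().set(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\""); // realm is an assumption
            return response.setComplete();
        };
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(UI_ORIGINS);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Authorization must be allowed explicitly or the preflight for the Bearer header fails.
        config.setAllowedHeaders(List.of(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE));
        // Expose the challenge header so client code can read it from a 401.
        config.setExposedHeaders(List.of(HttpHeaders.WWW_AUTHENTICATE));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

A quick way to confirm the behaviour outside the browser is to send the request with an Origin header and no token, for example `curl -i -H "Origin: http://localhost:9090" http://localhost:<api-port>/api`: the reply should be a 401 carrying both `Access-Control-Allow-Origin: http://localhost:9090` and `WWW-Authenticate`. If `Access-Control-Allow-Origin` is missing, the browser will keep reporting the response as a fetch failure whatever the status code is, which is the symptom described in this issue.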
