Authorizer message is not present in json response #2804
Description
Preflight checklist
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I could not find a solution in the existing issues, docs, nor discussions.
Describe the bug
When a failing authorizer has a message and verbose respond mode is activated, the message is included in the response, e.g. <p>authorization error: Example message.</p>
When the Accept header restricts the output to JSON, the message is no longer included, i.e. {"code":"authorizationError"}.
How can the bug be reproduced
- Start heimdall (decision or proxy mode) with a failing authorizer+message in verbose respond mode.
- curl localhost:9090 -i

HTTP/1.1 403 Forbidden
Content-Type: text/html
X-Content-Type-Options: nosniff
Date: Tue, 14 Oct 2025 16:39:16 GMT
Content-Length: 44

<p>authorization error: Example message.</p>

✔️ contains message
- curl localhost:9090 -i -H "Accept: application/json"

HTTP/1.1 403 Forbidden
Content-Type: application/json
X-Content-Type-Options: nosniff
Date: Tue, 14 Oct 2025 16:45:38 GMT
Content-Length: 29

{"code":"authorizationError"}

❗ does not contain message
Relevant log output
2025-10-14T16:39:16Z INF TX started _client_ip=172.24.0.1 _http_host=localhost:9090 _http_method=GET _http_path=/ _http_scheme=http _http_user_agent=curl/8.16.0 _tx_start=1760459956
2025-10-14T16:39:16Z DBG Analyzing request _method=GET _url=http://localhost:9090/
2025-10-14T16:39:16Z INF Executing default rule
2025-10-14T16:39:16Z DBG Executing authenticator _id=anonymous _name=anonymous _type=anonymous
2025-10-14T16:39:16Z DBG Checking execution condition _id=fail
2025-10-14T16:39:16Z DBG Executing authorizer _id=fail _name=fail _type=cel
2025-10-14T16:39:16Z INF Pipeline step execution failed error="authorization error: Example message."
2025-10-14T16:39:16Z DBG Handling pipeline error
2025-10-14T16:39:16Z DBG No applicable error handler found
2025-10-14T16:39:16Z INF TX finished error="authorization error: Example message." _access_granted=false _body_bytes_sent=44 _client_ip=172.24.0.1 _http_host=localhost:9090 _http_method=GET _http_path=/ _http_scheme=http _http_status_code=403 _http_user_agent=curl/8.16.0 _subject=anonymous _tx_duration_ms=0 _tx_start=1760459956
2025-10-14T16:45:38Z INF TX started _client_ip=172.24.0.1 _http_host=localhost:9090 _http_method=GET _http_path=/ _http_scheme=http _http_user_agent=curl/8.16.0 _tx_start=1760460338
2025-10-14T16:45:38Z DBG Analyzing request _method=GET _url=http://localhost:9090/
2025-10-14T16:45:38Z INF Executing default rule
2025-10-14T16:45:38Z DBG Executing authenticator _id=anonymous _name=anonymous _type=anonymous
2025-10-14T16:45:38Z DBG Checking execution condition _id=fail
2025-10-14T16:45:38Z DBG Executing authorizer _id=fail _name=fail _type=cel
2025-10-14T16:45:38Z INF Pipeline step execution failed error="authorization error: Example message."
2025-10-14T16:45:38Z DBG Handling pipeline error
2025-10-14T16:45:38Z DBG No applicable error handler found
2025-10-14T16:45:38Z INF TX finished error="authorization error: Example message." _access_granted=false _body_bytes_sent=29 _client_ip=172.24.0.1 _http_host=localhost:9090 _http_method=GET _http_path=/ _http_scheme=http _http_status_code=403 _http_user_agent=curl/8.16.0 _subject=anonymous _tx_duration_ms=0 _tx_start=1760460338
Relevant configuration
serve:
  respond:
    verbose: true
log:
  level: debug
tracing:
  enabled: false
metrics:
  enabled: false
mechanisms:
  authenticators:
    - id: anonymous
      type: anonymous
  authorizers:
    - id: fail
      type: cel
      config:
        expressions:
          - expression: >
              false
            message: "Example message."
default_rule:
  execute:
    - authenticator: anonymous
    - authorizer: fail
Version
0.17.2@sha256:67f98bf7d2b8f9ec06a6fe321a0a7bac2c71c6808ce2eac10289ace0aca00bb1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
We use heimdall to protect an API, and we want to support the user with sensible error messages.
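The script below is an added example written alongside this report; it is not heimdall's code and not part of the original issue. It parses HTTP/1.1 responses in the form `curl -i` prints them, extracts the human-readable error text according to Content-Type (tag-stripped text for text/html, every string leaf for application/json) and reports whether the configured authorizer message survived, so the missing-message case is a failing check instead of something read off by eye. The two embedded responses are constructed samples transcribed from the curl output in the reproduction steps; the message string "Example message.", the host localhost and port 9090 are assumptions taken from the configuration and steps above, and `--live` repeats the comparison against a running heimdall.

```python
"""Added diagnostic (not heimdall's code): does the authorizer message survive
content negotiation? Parses `curl -i`-style responses and checks, per
Content-Type, whether the configured message is present in the error body."""
import http.client
import json
import re
import sys
from html import unescape

# Assumption: the message configured on the failing `cel` authorizer in the report.
EXPECTED_MESSAGE = "Example message."
HOST, PORT = "localhost", 9090  # assumption: heimdall as started in the report

# Constructed samples, transcribed from the two curl invocations in the report.
HTML_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Date: Tue, 14 Oct 2025 16:39:16 GMT\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"<p>authorization error: Example message.</p>"
)
JSON_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: application/json\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Date: Tue, 14 Oct 2025 16:45:38 GMT\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b'{"code":"authorizationError"}'
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased. A declared Content-Length is checked against
    the body so a truncated paste is not mistaken for a genuinely short body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return status, headers, body


def _strings(value):
    """Yield every string leaf of a decoded JSON document, whatever its shape."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def error_text(headers, body):
    """Return the human-readable error text carried by the body, by media type."""
    media = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media == "application/json":
        # Any string leaf counts: the report does not say which key should carry it.
        return " ".join(_strings(json.loads(body)))
    if media == "text/html":
        return unescape(re.sub(r"<[^>]+>", "", body.decode("utf-8", "replace"))).strip()
    return body.decode("utf-8", "replace")


def message_present(raw, expected=EXPECTED_MESSAGE):
    """True if the response is a 403 whose body carries the authorizer message."""
    status, headers, body = parse_response(raw)
    return status == 403 and expected in error_text(headers, body)


def check_pair(html_raw, json_raw, expected=EXPECTED_MESSAGE):
    """Compare both representations; the reported bug shows as html=True, json=False."""
    return {
        "text/html": message_present(html_raw, expected),
        "application/json": message_present(json_raw, expected),
    }


def fetch(accept, host=HOST, port=PORT, path="/"):
    """Fetch a live response and re-serialize it as raw bytes for parse_response."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Accept": accept})
    resp = conn.getresponse()
    body = resp.read()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{name}: {value}\r\n" for name, value in resp.getheaders()
    )
    conn.close()
    return head.encode("iso-8859-1") + b"\r\n" + body


if __name__ == "__main__":
    if "--live" in sys.argv:
        # "*/*" mirrors curl's default Accept header from the first reproduction step.
        result = check_pair(fetch("*/*"), fetch("application/json"))
    else:
        result = check_pair(HTML_RESPONSE, JSON_RESPONSE)
    for media, ok in result.items():
        print(f"{media}: {'contains' if ok else 'MISSING'} {EXPECTED_MESSAGE!r}")
```

Run it without arguments to check the embedded samples, or with `--live` against the heimdall instance started in the reproduction steps; the JSON line reads MISSING for the behaviour this issue describes. Since `respond.verbose` forwards authorizer text to whoever sends the request (the logged subject here is the anonymous authenticator's), the same run also shows exactly what an unauthenticated client gets to see in each representation.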