From f3a3fefb962824fee31f8b810594265adb78ebf4 Mon Sep 17 00:00:00 2001
From: "huansong.tang"
Date: Fri, 7 Oct 2022 15:52:24 +0800
Subject: [PATCH] Fix permissions API to return 401 instead of 500 when IdentityApi.getIdentity throws an error
Signed-off-by: huansong.tang
---
 .changeset/early-hornets-pay.md | 5 +++++
 plugins/auth-node/src/DefaultIdentityClient.ts | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/early-hornets-pay.md
diff --git a/.changeset/early-hornets-pay.md b/.changeset/early-hornets-pay.md
new file mode 100644
index 0000000000..25946a4361
--- /dev/null
+++ b/.changeset/early-hornets-pay.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-node': minor
+---
+
+Ensure `getIdentity` throws an `AuthenticationError` instead of a `NotAllowed` error when authentication fails
diff --git a/plugins/auth-node/src/DefaultIdentityClient.ts b/plugins/auth-node/src/DefaultIdentityClient.ts
index a7946c77ff..499fc62929 100644
--- a/plugins/auth-node/src/DefaultIdentityClient.ts
+++ b/plugins/auth-node/src/DefaultIdentityClient.ts
@@ -14,7 +14,7 @@
 * limitations under the License.
 */
 import { PluginEndpointDiscovery } from '@backstage/backend-common';
-import { AuthenticationError, NotAllowedError } from '@backstage/errors';
+import { AuthenticationError } from '@backstage/errors';
 import {
 createRemoteJWKSet,
 decodeJwt,
@@ -86,7 +86,7 @@ export class DefaultIdentityClient implements IdentityApi {
 getBearerTokenFromAuthorizationHeader(request.headers.authorization),
 );
 } catch (e) {
- throw new NotAllowedError(e.message);
+ throw new AuthenticationError(e.message);
 }
 }
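Review bot: The `catch (e)` in the `@@ -86,7 +86,7 @@` hunk converts every exception from the `try` into `AuthenticationError`, so a failure that is not the caller's fault would presumably be reported as a 401. An example, if the call in the `try` reaches it, is the key set behind the imported `createRemoteJWKSet` being unreachable. That hides a server-side outage behind a credentials error. The new line also copies the raw `e.message` into the error, which may carry verifier or network detail to the client, and it reads `e.message` without narrowing `e`. Consider a fixed client-facing message such as `throw new AuthenticationError('Authentication failed');`, with the original error recorded server-side and non-validation errors rethrown unchanged. The enclosing method starts outside the hunk, so only the tail of the `try` body is visible here.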