How to properly deal with HTTP 200 response with body with rlm_rest?

Arran Cudbard-Bell a.cudbardb at
Mon Apr 22 18:50:31 CEST 2019

> On Apr 22, 2019, at 12:12 PM, Martin Gignac <martin.gignac at> wrote:
> Hi Arran,
> Thanks for you response. I initially assumed that I should put:
>    rest
>    if (updated) {
>            ok
>    }

rest {
	updated = 1
if (updated) {

It's because the default action for updated in authenticate is return, so it just exits the authenticate section.

Authenticate in FreeRADIUS is meant to be for a module that runs locally on the server and does some sort of authentication by comparing the contents of the incoming packet with some secret information the server has access to. Local authentication modules don't usually return updated, which is why its counted as a failure if one does.

There's no real issue doing what you're doing though, just explaining why it doesn't work out of the box and you need to jump through a couple of extra hoops.

...and arguably the action for updated probably shouldn't be return, as it strongly hints there are more modules that need to be called.  I guess the return code priorities/actions were probably set in < v1.0.x, where there was no policy language, and there you really would only ever call one module in authenticate.

So that leaves two more permanent fixes, either:

- rlm_rest only returns "OK" for its authenticate method, which probably means it should just ignore body data.  Then if you wanted to do what you're doing now you'd call rest.authorize instead.
- The updated rcode in should be given a non 'return' priority.

I don't know if we can make either of those changes in v3.0.x, but maybe we can change it in v4.0.x.

Any though's Alan DeKok, Matthew Newton et al?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Freeradius-Users mailing list