franciscogouveia / hapi-rbac

RBAC (Rule Based Access Control) for hapijs


Allow returning HTTP 403 (Forbidden) instead of only 401

mimetnet opened this issue

It would be great if the "onPostAuth" handler could support returning 403 (Forbidden). This would help API clients distinguish between authentication and authorization failures.

This could be a config option to either hard-code the result for RbacCore.DENY, or allow a function to specify.

I would be more than happy to make the change if you are willing to accept a patch.

Please let me know.

Response code 403 is the correct response code, because it is deciding only about authorization and not about authentication. My terrible mistake :)

I will make it a configurable parameter for the deny and undetermined cases, with the current default 401 to avoid breaking changes. I will still assign this issue for a future major release, where 403 should become the default.
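The behaviour discussed above, sketched as an added example that is not hapi-rbac's or hapi's own code: an onPostAuth-style authorization step whose HTTP status for the deny and undetermined outcomes is configurable, with 401 as the backward-compatible default and 403 available by option. The policy shape, the `evaluatePolicy`/`authorize` names and the `responseCode` option name are assumptions for illustration; the real option name in 2.0.1 is not stated on this page. The example also keeps the distinction the issue asks for: a request with no authenticated identity is always an authentication failure (401), while an authenticated principal that the policy rejects gets the configured authorization code.

```javascript
// Added example (not hapi-rbac's own code). Names and the policy format are
// illustrative assumptions; no hapi dependency so it runs stand-alone.

const RESULT = Object.freeze({ PERMIT: 'permit', DENY: 'deny', UNDETERMINED: 'undetermined' });

// Minimal rule evaluator: each rule has an effect and a predicate over the
// authenticated credentials. First matching rule wins; no match is UNDETERMINED.
function evaluatePolicy(policy, credentials) {
  for (const rule of policy.rules) {
    if (rule.when(credentials)) return rule.effect;
  }
  return RESULT.UNDETERMINED;
}

// Map an authorization outcome to the HTTP status the client should see.
// Defaults mirror the thread's backward-compatible choice (401 for both cases);
// pass { responseCode: { onDeny: 403, onUndetermined: 403 } } to signal
// "authenticated but not authorized" instead.
function authorize(request, policy, options = {}) {
  const codes = { onDeny: 401, onUndetermined: 401, ...(options.responseCode || {}) };

  if (!request.auth || !request.auth.isAuthenticated) {
    // No identity at all: an authentication failure, never an authorization one.
    return { status: 401, reason: 'unauthenticated' };
  }

  const result = evaluatePolicy(policy, request.auth.credentials);
  switch (result) {
    case RESULT.PERMIT:
      return { status: 200, reason: 'permit' };
    case RESULT.DENY:
      return { status: codes.onDeny, reason: 'deny' };
    default:
      return { status: codes.onUndetermined, reason: 'undetermined' };
  }
}

// Constructed sample policy: banned users are denied outright, admins are
// permitted, and everyone else falls through to UNDETERMINED.
const adminOnly = {
  rules: [
    { effect: RESULT.DENY, when: (c) => c.banned === true },
    { effect: RESULT.PERMIT, when: (c) => Array.isArray(c.roles) && c.roles.includes('admin') },
  ],
};

// Constructed sample requests shaped like hapi's request.auth.
const requests = {
  anonymous: { auth: { isAuthenticated: false } },
  admin: { auth: { isAuthenticated: true, credentials: { roles: ['admin'] } } },
  banned: { auth: { isAuthenticated: true, credentials: { roles: ['admin'], banned: true } } },
  viewer: { auth: { isAuthenticated: true, credentials: { roles: ['viewer'] } } },
};

const legacy = {}; // pre-2.0.1 behaviour: every non-permitted outcome is 401
const strict = { responseCode: { onDeny: 403, onUndetermined: 403 } };

for (const [name, req] of Object.entries(requests)) {
  const a = authorize(req, adminOnly, legacy);
  const b = authorize(req, adminOnly, strict);
  console.log(`${name}: legacy=${a.status} (${a.reason}) strict=${b.status} (${b.reason})`);
}
```

With the `strict` options only the anonymous request yields 401; the banned and viewer principals get 403, so a client can tell "log in" apart from "you are logged in but not allowed". With `legacy` all three non-permitted cases collapse to 401, which is the ambiguity the issue describes.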

Version 2.0.1 released. Update your dependencies and check here how to use it.

Thank you very much @franciscogouveia. This is great!