given this example application https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1 endpoint "/api/greeting", it is protected with the basic keycloak-connect setup. https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/app.js#L49
If we run this locally, with "npm start", and just curl that endpoint, "curl http://localhost:3000/api/greeting" it will return with a 403.
There was an issue raised that it should be a 401, https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
The way this comment makes it sound, https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L232 is that the 403 is correct
If we look at the complimentary vert.x and swarm examples, https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster and https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-secured
a similar curl will result in a 401 when not logged in.