What’s the

ktor-auth

idiomatic way to return a

403 Forbidden

for a found principal? I am able to authenticate the user with their credentials, but I committed to the clients that I would return a forbidden respond when the user is not authorized with a certain permission.

You could probably throw a custome exception like

UserNotAuthorizedException

and catch it inside

StatusPages

returning a 403 in that case