[Openid-specs-ab] Issue #1487: Back-Channel Logout Response and HTTP 504 Gateway Timeout (openid/connect)
Andrii Deinega
issues-reply at bitbucket.org
Sun Apr 24 04:34:15 UTC 2022
New issue 1487: Back-Channel Logout Response and HTTP 504 Gateway Timeout
https://bitbucket.org/openid/connect/issues/1487/back-channel-logout-response-and-http-504
Andrii Deinega:
The section states that
> If the local logout succeeded but some downstream logouts have failed, the RP MUST respond with HTTP 504 Gateway Timeout.
From my personal experience, lots of network intermediaries can easily override 5** errors and particularly the HTTP 504 (Gateway Timeout) status code. It isn't uncommon to see all sorts of such network components between an RP and OP these days.
Furthermore, and maybe even more important, an RP, say behind a K8S ingress controller, could be literally unavailable or just overloaded. Thus, the controller has legitimate reasons to respond with 503 to _backchannel_logout_uri_ as well as to any other URL on the RP side.
I suggest relying on a special status in the _error_ and _error_description_ parameters, just like it happens in [https://datatracker.ietf.org/doc/html/rfc6749#section-5.2](https://datatracker.ietf.org/doc/html/rfc6749#section-5.2), rather than relying on HTTP 504 to handle this situation. Otherwise, it seems to be very easy to "misinterpret" obtained results or simply lose "Back-Channel Logout" requests.
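The following is an added illustration, not code from the issue author or from the OpenID Connect specification. It sketches both sides of the exchange the post is about: an RP back-channel logout endpoint that keeps the spec's status codes (200 on success, 400 on an invalid logout token, 504 when local logout succeeded but a downstream logout failed) and additionally carries an RFC 6749 section 5.2 style `error`/`error_description` JSON body on the 504, and an OP-side classifier that uses that body to tell an RP-generated 504 apart from a 5xx produced by an intermediary (which would typically carry no such body, or an HTML error page). The error value `downstream_logout_failed` and the function names are assumptions made here; the spec defines no such error code. The downstream logout callables and their failure are constructed in `demo()`.

```python
import json
from typing import Callable, Dict, Tuple

# (status, headers, body) -- a minimal stand-in for an HTTP response.
Response = Tuple[int, Dict[str, str], str]

# Hypothetical error code for the 504 body (assumption; not defined by the spec).
DOWNSTREAM_FAILED = "downstream_logout_failed"


def rp_backchannel_logout(logout_token_valid: bool,
                          local_logout: Callable[[], None],
                          downstream_logouts: Dict[str, Callable[[], None]]) -> Response:
    """RP side: validate, run local logout, then every downstream logout.

    Status codes follow the Back-Channel Logout spec; the JSON error body on
    504 is the post's proposal layered on top, so the OP can distinguish this
    response from a 504 injected by a proxy or ingress controller.
    """
    headers = {"Cache-Control": "no-store", "Content-Type": "application/json"}
    if not logout_token_valid:
        return 400, headers, json.dumps({"error": "invalid_request",
                                         "error_description": "logout token did not validate"})
    local_logout()
    failed = []
    for name, fn in downstream_logouts.items():
        try:
            fn()
        except Exception as exc:
            # Record and continue: one failing downstream must not skip the others.
            failed.append(f"{name}: {exc}")
    if failed:
        return 504, headers, json.dumps({"error": DOWNSTREAM_FAILED,
                                         "error_description": "; ".join(failed)})
    return 200, headers, ""


def op_classify_logout_response(status: int, body: str) -> str:
    """OP side: interpret a response without trusting the status code alone."""
    err = None
    if body:
        try:
            err = json.loads(body).get("error")
        except (ValueError, AttributeError):
            err = None  # not a JSON object: likely an intermediary's error page
    if status == 200:
        return "success"
    if status == 400 and err:
        return "rp_rejected_request"
    if status == 504 and err == DOWNSTREAM_FAILED:
        return "rp_partial_failure"  # the RP itself reported the downstream problem
    if 500 <= status <= 599:
        return "indeterminate_retry"  # bare 5xx: cannot tell RP from intermediary; retry later
    return "unexpected"


def demo() -> Dict[str, str]:
    """Constructed scenario: one healthy downstream, one that raises."""
    def healthy() -> None:
        pass

    def broken() -> None:
        raise RuntimeError("connection refused")

    status, _, body = rp_backchannel_logout(True, healthy, {"crm": healthy, "wiki": broken})
    return {
        "rp_status": str(status),
        "rp_error": json.loads(body)["error"],
        "classified_rp_504": op_classify_logout_response(status, body),
        # A 504 from an intermediary carries no RP error body.
        "classified_proxy_504": op_classify_logout_response(
            504, "<html><body>504 Gateway Time-out</body></html>"),
        "classified_ingress_503": op_classify_logout_response(503, ""),
        "classified_ok": op_classify_logout_response(*rp_backchannel_logout(
            True, healthy, {"crm": healthy})[::2]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the classifier is the third branch: only a 504 whose body carries the agreed error code is treated as an RP-reported partial failure, while any other 5xx (a 503 from an overloaded ingress, a proxy's own 504 page) is marked indeterminate so the OP can retry or alert rather than silently dropping the logout.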