[Openid-specs-ab] Input requested on remaining logout issue: Back-channel logout error handling

Mike Jones Michael.Jones at microsoft.com
Wed May 4 08:19:20 UTC 2022


I'd like people to weigh in on whether to merge https://bitbucket.org/openid/connect/pull-requests/169/simplified-error-handling-to-use-http-400 as-is or whether to modify it to make it possible to once again distinguish between invalid requests and failed requests.

If you want to be able to distinguish between these two cases, do you want to use "error" and "error_description" parameters, as suggested by Andrii, or to use 400 and 501 HTTP response codes, as the specification currently does?

In summary, please respond indicating your preference for:

  1.  Use HTTP 400 Bad Response for all error responses.
  2.  Use HTTP 400 Bad Response for invalid requests and HTTP 501 Not Implemented for unsuccessful logout requests.
  3.  Use HTTP 400 Bad Response for all error responses, but use "error" and "error_description" body parameters to distinguish between invalid and failed logout requests.

                                                       Thank you,
                                                       -- Mike
