[Openid-specs-ab] Input requested on remaining logout issue: Back-channel logout error handling
Filip Skokan
panva.ip at gmail.com
Wed May 4 10:53:02 UTC 2022
Hello Mike, everyone,
2) is not in line with the discussion in #1487
<https://bitbucket.org/openid/connect/issues/1487>; we should not be giving
meaning to 5xx HTTP status codes.
I think 1) is fine but I do recognize 3) as a valid option to allow for
transmitting deployment-specific states.
Best,
*Filip*
On Wed, 4 May 2022 at 10:20, Mike Jones <Michael.Jones at microsoft.com> wrote:
> I’d like people to weigh in on whether to merge
> https://bitbucket.org/openid/connect/pull-requests/169/simplified-error-handling-to-use-http-400
> as-is or whether to modify it to make it possible to once again distinguish
> between invalid requests and failed requests.
>
> If you want to be able to distinguish between these two cases, do you want
> to use “error” and “error_description” parameters, as suggested by Andrii,
> or to use 400 and 501 HTTP response codes, as the specification currently
> does?
>
> In summary, please respond indicating your preference for:
>
> 1. Use HTTP 400 Bad Response for all error responses.
> 2. Use HTTP 400 Bad Response for invalid requests and HTTP 501 Not
> Implemented for unsuccessful logout requests.
> 3. Use HTTP 400 Bad Response for all error responses, but use “error”
> and “error_description” body parameters to distinguish between invalid and
> failed logout requests.
>
> Thank you,
>
> -- Mike