Do we want to communicate details of why a back-channel logout failed?

Issue #1491 resolved
Michael Jones created an issue

We used to distinguish between causes for back-channel logout failures by using 5xx HTTP error codes. There was consensus not to do so. PR #169 eliminated the use of 5xx error codes to make these distinctions.

Some have suggested adding “error” and “error_description” response body parameters to communicate these reasons. Are people in favor of this or is the spec fine as-is?

Comments (4)

  1. Michael Jones reporter

    This was discussed on the 16-May-22 working group call. The notes from the discussion are as follows:

    Vittorio thought that having "error" and "error_description" would be useful to developers
    But he also said that different error codes could leak information
    Mike asked whether they should be mandatory or optional
    Vittorio thought they should be optional
    Mike said that if we do add this, we should define some specific error codes
    Possibly from the OAuth 2.0 vocabulary
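To make the trade-off discussed above concrete, here is an added example (not the spec's text or anything from the working group) of a Relying Party back-channel logout endpoint in the two configurations under discussion: the bare HTTP 400 for every failure that PR #169 left in place, and the same endpoint with the proposed optional "error" / "error_description" JSON body. Everything about the RP is an assumption made for the example: HS256 over a constructed shared secret stands in for verifying the OP's signature (a real RP checks the JWS against the OP's JWKS), and the codes "invalid_request" (RFC 6749) and "invalid_token" (RFC 6750) are hypothetical picks from the OAuth 2.0 vocabulary, not codes the spec defines.

```python
"""Added example: RP back-channel logout endpoint, bare 400 vs error body."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed RP configuration for the example; none of these are real values.
EXPECTED_ISS = "https://op.example"
EXPECTED_AUD = "rp-client-id"
SHARED_SECRET = b"constructed-client-secret-for-this-example"  # assumption: HS256 shared key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class LogoutTokenError(Exception):
    """A rejected Logout Token carrying a hypothetical OAuth-style error code."""

    def __init__(self, code: str, description: str):
        super().__init__(description)
        self.code = code
        self.description = description


def validate_logout_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of an acceptable Logout Token or raise LogoutTokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("invalid_request", "logout_token is not a compact JWS")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        raise LogoutTokenError("invalid_request", "logout_token is not valid base64url/JSON")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise LogoutTokenError("invalid_request", "JWS header or payload is not a JSON object")
    if header.get("alg") != "HS256":  # assumption: the OP signs with HS256 in this example
        raise LogoutTokenError("invalid_token", "unexpected alg %r" % header.get("alg"))
    expected = hmac.new(SHARED_SECRET, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise LogoutTokenError("invalid_token", "signature verification failed")
    if claims.get("iss") != EXPECTED_ISS:
        raise LogoutTokenError("invalid_token", "iss does not match the expected OP")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise LogoutTokenError("invalid_token", "aud does not include this RP")
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - 300 <= iat <= now + 60):
        raise LogoutTokenError("invalid_token", "iat missing or outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("invalid_token", "events lacks the back-channel logout member")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("invalid_token", "neither sub nor sid is present")
    if "nonce" in claims:
        raise LogoutTokenError("invalid_token", "nonce is prohibited in a Logout Token")
    return claims


def handle_backchannel_logout(form_body: str, *, expose_error_details: bool,
                              now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Status code and optional JSON body the RP endpoint would send back to the OP."""
    try:
        token = parse_qs(form_body, strict_parsing=True)["logout_token"][0]
    except (ValueError, KeyError):
        err = LogoutTokenError("invalid_request", "logout_token form parameter missing or malformed")
    else:
        try:
            validate_logout_token(token, now)
        except LogoutTokenError as e:
            err = e
        else:
            return 200, None  # success: HTTP 200 OK
    if expose_error_details:
        # Proposed optional body: helpful to developers, but it tells the caller
        # *why* the RP refused (wrong key, wrong audience, ...).
        return 400, {"error": err.code, "error_description": err.description}
    return 400, None  # behaviour after PR #169: every failure is an undifferentiated 400


def mint_logout_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Constructed OP side for the demo: sign a Logout Token with HS256."""
    head = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest()
    return head + "." + body + "." + _b64url_encode(sig)


def demo(now: float) -> dict:
    """One valid and several invalid logout requests, each run through both configurations."""
    good = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "iat": int(now), "jti": "c1",
            "events": {BACKCHANNEL_EVENT: {}}, "sid": "session-42"}
    cases = {  # constructed inputs
        "valid": mint_logout_token(good),
        "wrong_key": mint_logout_token(good, b"some-other-tenant-or-attacker-secret"),
        "other_rp": mint_logout_token({**good, "aud": "some-other-client"}),
        "with_nonce": mint_logout_token({**good, "nonce": "abc"}),
        "garbage": "not.a.jwt",
    }
    out = {}
    for name, tok in cases.items():
        body = "logout_token=" + tok
        out[name] = {"bare": handle_backchannel_logout(body, expose_error_details=False, now=now),
                     "detailed": handle_backchannel_logout(body, expose_error_details=True, now=now)}
    return out


if __name__ == "__main__":
    for name, r in demo(time.time()).items():
        print(f"{name:>10}: bare={r['bare']}  detailed={r['detailed']}")
```

With `expose_error_details=False`, a token signed with the wrong key, a token for another RP, a token carrying a prohibited nonce and outright garbage all come back as the same `(400, None)`, so a caller learns nothing beyond "refused". With the body enabled, the same caller can distinguish "signature verification failed" from "aud does not include this RP", which is the leak Vittorio pointed at; keeping the parameters optional lets an RP choose which side of that trade-off to be on.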