Do we want to communicate details of why a back-channel logout failed?
Issue #1491
resolved
We used to distinguish between causes for back-channel logout failures by using 5xx HTTP error codes. There was consensus not to do so. PR #169 eliminated the use of 5xx error codes to make these distinctions.
Some have suggested adding “error” and “error_description” response body parameters to communicate these reasons. Are people in favor of this or is the spec fine as-is?
Comments (4)
This was discussed on the 16-May-22 working group call. The notes from the discussion are as follows:
- Vittorio thought that having "error" and "error_description" would be useful to developers
  - But he also said that different error codes could leak information
- Mike asked whether they should be mandatory or optional
- Vittorio thought they should be optional
- Mike said that if we do add this, we should define some specific error codes
  - Possibly from the OAuth 2.0 vocabulary