There doesn't appear to be a need to allow redirects. The server should never return them.
Does anyone want to comment on this, or shall we update the spec to prohibit redirects?
Whereas 4xx class errors like Temporarily Unavailable should just result in errors.
If the way to handle redirect responses (301, 302, 303, 307 and 308) is not clarified, there may be clients that follow redirects and clients that do not follow redirects. That will cause compatibility problems. I think it is better to clarify how to handle redirect responses.
Moreover, since the SWD specification has a description of how to handle the 401 response code, I think it would also be better for Registration to describe it, even if it should be treated as an error.
I propose the following sentence for the "3.2. Provider Configuration Response" section to clarify that responses with status codes other than 200 should be treated as errors.
- The response MUST return a plain text JSON object that contains a set of Claims that are a subset of those defined below.
+ The response MUST return the 200 OK response code and a plain text JSON object that contains a set of Claims that are a subset of those defined below.
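Review bot: the added "MUST return the 200 OK response code" clause constrains the server only; it does not say what a client does when it nevertheless receives a 3xx, which is the interoperability gap raised above (some clients following redirects, others not). Consider a companion sentence on the client side, e.g. "Clients MUST treat any response code other than 200 as an error", so that both behaviours are pinned down.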
SWD returns the issuer. If the issuer changes it becomes a whole new IdP from the perspective of the Client. It would be simpler if we disallow redirects, however there may be a legitimate reason that the config meta-data is moved to a new location. I would err on the side of flexibility on this, though any redirect needs to be over https:
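As an added illustration of the two positions above (the proposed "200 OK or error" rule, and the alternative of allowing a single redirect only over https), this is example client-side handling written for this thread, not code from any specification or implementation. The `fetch` callback, the `Response` class, the `allow_https_redirect` option and the example.com URLs are assumptions; the issuer check reflects the remark that a changed issuer means a different IdP.

```python
import json
from dataclasses import dataclass, field

# Redirect codes listed in the discussion; the proposed spec text requires 200 OK.
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed; no network involved)."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


class DiscoveryError(Exception):
    pass


def fetch_configuration(fetch, url, expected_issuer, allow_https_redirect=False):
    """Fetch the provider configuration via `fetch(url) -> Response`.

    Any non-200 response (a 4xx such as Temporarily Unavailable, or any 3xx) is an
    error. The only exception is an opt-in single redirect to an https: URL, which
    models the "flexibility" option from the thread; it is an assumption, not spec text.
    """
    resp = fetch(url)
    if resp.status in REDIRECT_CODES:
        if not allow_https_redirect:
            raise DiscoveryError(f"redirect {resp.status} from {url} rejected")
        location = resp.headers.get("Location", "")
        if not location.startswith("https://"):
            raise DiscoveryError(f"redirect to non-https location {location!r} rejected")
        resp = fetch(location)  # follow exactly once, never a chain of redirects
    if resp.status != 200:
        raise DiscoveryError(f"expected 200 OK, got {resp.status}")
    config = json.loads(resp.body)
    # The issuer binds the configuration to the IdP the client expects; a different
    # issuer would be a different IdP, so reject it rather than silently switching.
    if config.get("issuer") != expected_issuer:
        raise DiscoveryError(f"issuer mismatch: {config.get('issuer')!r}")
    return config


# Constructed sample responses keyed by URL (example.com is a placeholder host).
SAMPLE = {
    "https://example.com/.well-known/openid-configuration": Response(
        301, headers={"Location": "https://example.com/new/openid-configuration"}),
    "https://example.com/new/openid-configuration": Response(
        200, body=json.dumps({"issuer": "https://example.com",
                              "authorization_endpoint": "https://example.com/authorize"})),
    "https://example.com/http-redirect": Response(
        302, headers={"Location": "http://example.com/openid-configuration"}),
    "https://example.com/unavailable": Response(503),
}


def sample_fetch(url):
    return SAMPLE[url]
```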
In SWD redirect, the response is returned as a JSON with HTTP response code 200.
I believe @lef's correction is at least clearer than what we have now.