Discovery 3.2 - HTTP response code

Issue #627 resolved
lepidum created an issue

Way to handle HTTP response codes like 3xx and 4xx are missing.

Comments (8)

  1. Michael Jones
    • changed status to open

    There doesn't appear to be a need to allow redirects. The server should never return them.

    Does anyone want to comment on this, or shall we update the spec to prohibit redirects?

    Whereas 4xx class errors like Temporarily Unavailable should just result in errors.

  2. lepidum reporter

    If a way to handle redirect response (301, 302, 303, 307 and 308) is not clarified, there may be clients follow redirects and clients do not follow redirects. That will cause compatibility problem. I think it is better to clarify how to handle redirect response.

    Moreover, since SWD specification has description about how to handle 401 response code, I think Registration is also better to describe it even if it should be treated as error.

  3. lepidum reporter

    I propose the following sentence for the "3.2. Provider Configuration Response" section to clarify that responses with status codes other than 200 should be treated as errors.

    - The response MUST return a plain text JSON object that contains a set of Claims that are a subset of those defined below.

    + The response MUST return the 200 OK response code and a plain text JSON object that contains a set of Claims that are a subset of those defined below.

  4. John Bradley

    SWD returns the issuer. If the issuer changes it becomes a whole new IdP from the perspective of the Client. It would be simpler if we disallow redirects, however there may be a legitimate reason that the config meta-data is moved to a new location. I would err on the side of flexibility on this, though any redirect needs to be over https:

  5. Nat Sakimura

    In SWD redirecct, the response is returned as a JSON with HTTP response code 200. I believe @lef's correction is at least clearer than what we have now.

  6. Michael Jones

    Consensus seems to be to not follow them, beause anytime you could add a redirect you could add a file

  7. Log in to comment