ory
WriteRevocationResponse returns no error when there is an internal error
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
WriteRevocationResponse returns 200 HTTP status code on any error except ErrInvalidRequest and ErrInvalidClient. This is problematic because I just had some bad code (internal error) but the error response was 200. So nothing was being revoked in my implementation, but nobody really detected this for some time.
Reproducing the bug
Pass some regular error to WriteRevocationResponse.
Relevant log output
No response
Relevant configuration
No response
Version
0.42.0
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
So the error was ErrTemporarilyUnavailable returned from storeErrorsToRevocationError.
What would be the solution? The spec here requires us to send 200 except for 400 & 401
The spec is slightly confusing:
Here it references Section 5.2 of [RFC6749] but also later on says "If the server responds with HTTP status code 503" so at least 503 is allowed as well?
Other implementations seems to define 500 as return code as well: https://connect2id.com/products/server/docs/api/token-revocation
But yea, RFC6749 does not list server error (and 500 code) as possible response. But I think it would really be strange not to return 500 when there is some internal error?
I see - in the light of usuability issues I think it would be acceptable to return 500 which implies that the error needs to be retried - for example when the database is down.