Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-14299

Inconsistent HTTP Error codes across the authenticate and OAuth2 endpoints when downstream AM DS Repos are unavailable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 14.1.1, 14.5.0, 14.5.1, 6.0.0, 6.5.0
    • Fix Version/s: None
    • Labels:
    • Target Version/s:
    • Rank:
      1|hzxhdz:
    • Support Ticket IDs:

      Description

      The AM authenticate and OAuth2 endpoints respond with various different HTTP error codes if the Config, User or CTS stores become unavailable. See attached spreadsheet.

      400 is particularly misleading - indicating a badly formed request from the client when in fact these are all server side errors (refresh to access token using the access_token endpoint and userinfo calls if the Userstore is unavailable). There are also 401s (unauthorised) and 404s (not found) - all indicate client side errors, when again it's at the server end where the problem lies.

      The errors from any of these endpoints if any datastore becomes unavailable should be consistent - HTTP 503 perhaps or should server errors be hidden and a 403 returned?

      Also not sure if some of the OAuth2 endpoints must respond with a particular 40x error irrelevant of the problem to be spec compliant.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              shokard Darinder Shokar
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated: