Backchannel Logout: Return HTTP Status Code 200

[SiebelsTim]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

The spec states (https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse)

If the logout succeeded, the RP MUST respond with HTTP 200 OK. However, note that some Web frameworks will substitute an HTTP 204 No Content response for an HTTP 200 OK when the HTTP body is empty. Therefore, OPs should be prepared to also process an HTTP 204 No Content response as a successful response.

In contrast to the spec, it is hardcoded to be 204.

nextjs-auth0/src/server/auth-client.ts

Line 553 in 92df43b

status: 204,

Reproduction

See referenced link to sourcecode

Additional context

In v3, we could overwrite the route handlers and change this ourselves:

export const POST = withErrorHandler(async function (
  request: NextRequest,
  context: AppRouteHandlerFnContext,
): Promise<Response> {
  const response = await getAuth0Instance().handleBackchannelLogout(request, context);
  // OpenID Connect Back-Channel Logout Spec requires a 200 response
  // Auth0 returns a 204 response, so we need to convert it to a 200
  if (response.status === 204) {
    return new Response(response.body, {
      status: 200,
      statusText: response.statusText,
      headers: response.headers,
    });
  }
  return response;
});

In v4, this is not working anymore as this is tightly coupled into the middleware.

nextjs-auth0 version

3,4

Next.js version

14

Node.js version

22

[guabu]

Hey @SiebelsTim 👋 Could you share what the use case for overriding the status code is? I ask because Auth0 accepts a 204 response and since we don't return a response body we are consistent with the spec:

However, note that some Web frameworks will substitute an HTTP 204 No Content response for an HTTP 200 OK when the HTTP body is empty. Therefore, OPs should be prepared to also process an HTTP 204 No Content response as a successful response.

[SiebelsTim]

Hi! I am thinking about using the library in conjunction with other providers. For instance, Ory Hydra expects a 200 and issues a warning on 204. Being spec compliant, or at least configurable, helps to integrate with different providers.

I understand if this library is not meant to be compatible with other providers. It worked well in v3 though.

[guabu]

Thanks for the context! The spec states that 204 is an acceptable response when there is no body and that's what's being returned by the SDK. OPs should be prepared to handle a 204 (No Content) response as well.