WriteRevocationResponse returns no error when there is an internal error

[mitar]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

WriteRevocationResponse returns 200 HTTP status code on any error except ErrInvalidRequest and ErrInvalidClient. This is problematic because I just had some bad code (internal error) but the error response was 200. So nothing was being revoked in my implementation, but nobody really detected this for some time.

Reproducing the bug

Pass some regular error to WriteRevocationResponse.

Relevant log output

No response

Relevant configuration

No response

Version

0.42.0

On which operating system are you observing this issue?

No response

In which environment are you deploying?

No response

Additional Context

No response

[mitar]

So the error was ErrTemporarilyUnavailable returned from storeErrorsToRevocationError.

[aeneasr]

What would be the solution? The spec here requires us to send 200 except for 400 & 401

[mitar]

The spec is slightly confusing:

Here it references Section 5.2 of [RFC6749] but also later on says "If the server responds with HTTP status code 503" so at least 503 is allowed as well?

Other implementations seems to define 500 as return code as well: https://connect2id.com/products/server/docs/api/token-revocation

But yea, RFC6749 does not list server error (and 500 code) as possible response. But I think it would really be strange not to return 500 when there is some internal error?

[aeneasr]

I see - in the light of usuability issues I think it would be acceptable to return 500 which implies that the error needs to be retried - for example when the database is down.