Backchannel Logout: Return HTTP Status Code 200

[SiebelsTim]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

The spec states (https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse)

If the logout succeeded, the RP MUST respond with HTTP 200 OK. However, note that some Web frameworks will substitute an HTTP 204 No Content response for an HTTP 200 OK when the HTTP body is empty. Therefore, OPs should be prepared to also process an HTTP 204 No Content response as a successful response.

In contrast to the spec, it is hardcoded to be 204.

nextjs-auth0/src/server/auth-client.ts

Line 553 in 92df43b

status: 204,

Reproduction

See referenced link to sourcecode

Additional context

In v3, we could overwrite the route handlers and change this ourselves:

export const POST = withErrorHandler(async function (
  request: NextRequest,
  context: AppRouteHandlerFnContext,
): Promise<Response> {
  const response = await getAuth0Instance().handleBackchannelLogout(request, context);
  // OpenID Connect Back-Channel Logout Spec requires a 200 response
  // Auth0 returns a 204 response, so we need to convert it to a 200
  if (response.status === 204) {
    return new Response(response.body, {
      status: 200,
      statusText: response.statusText,
      headers: response.headers,
    });
  }
  return response;
});

In v4, this is not working anymore as this is tightly coupled into the middleware.

nextjs-auth0 version

3,4

Next.js version

14

Node.js version

22

[guabu]

Hey @SiebelsTim 👋 Could you share what the use case for overriding the status code is? I ask because Auth0 accepts a 204 response and since we don't return a response body we are consistent with the spec:

However, note that some Web frameworks will substitute an HTTP 204 No Content response for an HTTP 200 OK when the HTTP body is empty. Therefore, OPs should be prepared to also process an HTTP 204 No Content response as a successful response.