Status Attestation Responses

[balanza]

Refactor the descriptions of the HTTP responses for easier reads.

Key changes:

• all the possible HTTP status codes for a response are listed in the table so that readers can have a complete reference at a glimpse
• avoid response body when no useful information is returned to the client (example: in 5xx errors)
• error codes are listed in a dedicated table

Solves #219

[balanza]

Please note I tried to be more clear on the use of error codes:

Error codes are meant to provide additional information about the failure so that the User can be informed and take the appropriate action.

I wanted to enforce the concept that the error code MUST NOT revert the meaning of the http response (which is a failure).

[peppelinux]

is this intended to be here?

if yes, why it is not in the similar errors below?

[balanza]

I don't understand this comment.

[balanza]

Ok, maybe I understood what you meant.

The response body is required only for the cases in which it effectively adds information for the user. That is, there's no value in sending "server error" as a payload to a 500 Server Error response.

Also, 5xx errors are not always handled by the application but rather by gateways and proxies, so it may be impractical to customize them. As it brings no value, I'd rather not consider the body.

[fmarino-ipzs]

I agree with @balanza , the only status code that makes sense to include a body in is the 400 Bad Request status code. Having said that, probably we could remove the body column saying that only the 400 (Bad Request) status Code MUST include a body encoded in application/json format and MUST contain the following parameters: [...].

@peppelinux WDYT?

[peppelinux]

no, since we have server_error in RFC 6749
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1

[fmarino-ipzs]

Yes but here probably we can omit it as in the RFC6749 I read:

(This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)

Am I missing something?
Anyway, if we don't reach a consensus now, I suggest to put this PR to the next release if you agree.

[balanza]

I can add the error payload if we feel it's worth it, it doesn't affect the way the communication works.

Let me just point out that:

• RFC6749 does not design the endpoint to use multiple http codes as error, that's why it needs to differentiate by payload
• In RFC6749, the http response's content type is application/x-www-form-urlencoded, we are using application/json
• 5xx will usually be generated by systems other than the resource server (ex: load balancers, api gateways, firewalls, etc), so it's probable we will have payload not in the expected format.

[peppelinux]

duplicated: https://github.com/italia/eudi-wallet-it-docs/pull/221/files#diff-d3bfad4aa613161f55b96d232893081a0ac30d5127aca04dda54925b43aceb1eR250

[balanza]

They are the same snippets but they apply to different endpoints.

I think it's ok to have examples when you expect them, even if they are duplicated

[peppelinux]

I can approve and merge as it is

in the future we'll try to make some editorials to make the text shorter and use more references

[grausof]

LGTM

[peppelinux]

this is RFC6749

https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1

[peppelinux]

why it was removed?

[fmarino-ipzs]

It is simply moved below, @balanza is it right?

[balanza]

Details on every possible response have been moved in the response table: https://github.com/italia/eudi-wallet-it-docs/pull/221/files/fdd6d6fa93100f45a71fbab1dc082a5f85c176fa#diff-d3bfad4aa613161f55b96d232893081a0ac30d5127aca04dda54925b43aceb1eR401

Rationale: it gives the same information in a structured way, using fewer words. Implementers may like it.