Appropriate HTTP status code when authorization server is unavailable

We have an authorization server which is in charge of checking token validity, expiration, etc. Which HTTP status code should be returned if the authorization server is down?

Should it be 401 with “Authorization server down” message, error 500, or something else?

2

503 Service Unavailable

https://www.rfc-editor.org/rfc/rfc7231#section-6.6.4

The 503 (Service Unavailable) status code indicates that the server is currently unable to handle the request due to a temporary overload or scheduled maintenance, which will likely be alleviated after some delay. The server MAY send a Retry-After header field (Section 7.1.3) to suggest an appropriate amount of time for the client to wait before retrying the request.

503 is preferable to 4xx because it correctly communicates that the request itself was fine, that the problem resides on the server, and retrying the request at a later time should work.

503 is preferable to 500 because it does a better job expressing the fact that the condition is expected to be temporary (especially in the case where the origin server is able to provide Retry-After).

Prior art:

  • https://stackoverflow.com/questions/25398364/http-status-code-for-external-dependency-error
  • https://stackoverflow.com/questions/18709834/http-status-424-or-500-for-error-on-external-dependency
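The status-code mapping argued for in this answer, as an added example that is not part of the original post or any specific product: a resource server validates a bearer token through an injected `introspect(token)` callable standing in for the real authorization server (the callable, the `AuthServerDown` exception and the sample tokens are all constructed for the demonstration). Bad or missing credentials get 401; an unreachable authorization server gets 503 with `Retry-After`, never 401 (which would tell the client its credentials are wrong) and never 200 (which would fail open).

```python
"""Added example: mapping an unreachable authorization server to 503 + Retry-After
instead of 401/500 (demonstration code, not from the original page)."""
from dataclasses import dataclass, field


class AuthServerDown(Exception):
    """Raised by the (constructed) introspection client when the authorization
    server cannot be reached or times out."""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle_request(auth_header, introspect, retry_after_seconds=30):
    """Validate the bearer token via `introspect(token) -> bool` and map every
    outcome to an HTTP status:

      - missing/malformed credentials -> 401 (client must change the request)
      - token rejected by auth server -> 401 (client must obtain a new token)
      - auth server unreachable       -> 503 + Retry-After (temporary, server side;
                                         the same request should succeed later)
    """
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401, {"WWW-Authenticate": 'Bearer realm="api"'},
                        "missing bearer token")

    token = auth_header[len("Bearer "):]
    try:
        valid = introspect(token)
    except AuthServerDown:
        # Fail closed, but do not blame the client: 503 says the request was fine,
        # the dependency is down, and retrying after the given delay is appropriate.
        return Response(503, {"Retry-After": str(retry_after_seconds)},
                        "authorization server unavailable")

    if not valid:
        return Response(401,
                        {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'},
                        "invalid token")
    return Response(200, {}, "ok")


# Constructed introspection backends used for the demonstration below.
def introspect_ok(token):
    """Authorization server reachable; only one constructed token is valid."""
    return token == "good-token"


def introspect_down(token):
    """Authorization server unreachable for every request."""
    raise AuthServerDown()


if __name__ == "__main__":
    for auth, backend in [("Bearer good-token", introspect_ok),
                          ("Bearer bad-token", introspect_ok),
                          ("Bearer good-token", introspect_down),
                          (None, introspect_down)]:
        r = handle_request(auth, backend)
        print(r.status, r.headers, r.body)
```

Note that the 401 for a missing header is checked before the authorization server is contacted, so a malformed request is still reported as a client error even while the dependency is down; only requests that actually needed the upstream check turn into 503. On the client side, a 503 should be treated as "retry after the delay", not as a signal to discard a cached token.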
