[Openid-specs-ab] Failed Authentication Attempts
torsten at lodderstedt.net
Fri May 25 14:13:22 UTC 2018
I just came across the following text (again) in the OpenID Connect Core Spec:
"If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt."
What error code is the OP supposed to use to signal the failed authentication to the RP?
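The rule quoted above, worked through in code as an added example (not part of the original post or of any OpenID implementation): the OP side parses the `claims` request parameter, checks whether the acr it actually achieved is one of the requested values, and for an Essential acr that cannot be met records a failed authentication outcome; the RP side checks the acr returned in the ID Token against what it asked for rather than trusting the OP to have complied. The acr URNs and the sample `claims` documents are constructed placeholders. Which error code carries the failure back to the RP is exactly the open question of the post, so the example stops at the outcome and does not pick one. The voluntary-acr branch is not covered by the quoted text and is an assumption (returning the session's actual acr).

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: acr requested as an Essential Claim with two acceptable
# Authentication Context Class References (hypothetical URNs).
ESSENTIAL_CLAIMS_REQUEST = json.dumps({
    "id_token": {
        "acr": {"essential": True,
                "values": ["urn:example:acr:mfa", "urn:example:acr:hw-token"]}
    }
})

# Constructed sample: same values, but requested as a Voluntary Claim.
VOLUNTARY_CLAIMS_REQUEST = json.dumps({
    "id_token": {
        "acr": {"values": ["urn:example:acr:mfa", "urn:example:acr:hw-token"]}
    }
})

_MISSING = object()


@dataclass
class AcrRequest:
    requested: bool
    essential: bool
    values: Optional[List[str]]  # None when no specific values were requested


def parse_acr_request(claims_param: Optional[str]) -> AcrRequest:
    """Extract the id_token.acr member of the OIDC 'claims' request parameter."""
    if not claims_param:
        return AcrRequest(False, False, None)
    acr = json.loads(claims_param).get("id_token", {}).get("acr", _MISSING)
    if acr is _MISSING:
        return AcrRequest(False, False, None)
    if acr is None:  # "acr": null requests the claim in the default (voluntary) way
        return AcrRequest(True, False, None)
    values = acr.get("values")
    if values is None and "value" in acr:  # single requested value
        values = [acr["value"]]
    return AcrRequest(True, bool(acr.get("essential", False)), values)


@dataclass
class OpOutcome:
    failed_authentication: bool
    acr_claim: Optional[str]  # value the OP would place in the ID Token


def op_decide(claims_param: Optional[str], achieved_acr: str) -> OpOutcome:
    """OP-side decision after the End-User has authenticated with achieved_acr."""
    req = parse_acr_request(claims_param)
    if not req.requested:
        return OpOutcome(False, None)
    if req.values is None or achieved_acr in req.values:
        # Either no specific values were asked for, or the requirement is met.
        return OpOutcome(False, achieved_acr)
    if req.essential:
        # Quoted rule: Essential acr with values the OP cannot meet MUST be
        # treated as a failed authentication attempt. How that is signalled
        # to the RP (which error code) is the question raised in the post.
        return OpOutcome(True, None)
    # Voluntary acr not met: assumption, return the session's actual acr.
    return OpOutcome(False, achieved_acr)


def rp_accepts(id_token_claims: dict, requested_values: List[str]) -> bool:
    """RP-side check: never assume the OP honoured the request; verify the
    asserted acr is one of the values the RP asked for."""
    return id_token_claims.get("acr") in requested_values
```

Running `op_decide(ESSENTIAL_CLAIMS_REQUEST, "urn:example:acr:password")` yields an outcome flagged as a failed authentication with no acr to return, while the same session against `VOLUNTARY_CLAIMS_REQUEST` simply carries the weaker acr back to the RP, whose `rp_accepts` check is what ultimately rejects it.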