[Openid-specs-ab] Failed Authentication Attempts

Torsten Lodderstedt torsten at lodderstedt.net
Fri May 25 14:13:22 UTC 2018

Hi all,

I just came across the following text (again) in the OpenID Connect Core Spec: 

"If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt."

What error code is the OP supposed to use to signal the failed authentication to the RP?

best regards,
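To make the quoted rule concrete, here is an added example (not from the spec, the thread, or any OP implementation) of the decision an OP has to make once the End-User has authenticated: it parses the `claims` request parameter, checks whether `acr` was requested as Essential with specific values, and reports either that an ID Token can be issued or that the outcome is a failed authentication attempt. The `decide_acr_outcome` and `requested_acr` names, the sample request, and the handling of the non-essential case (issue the ID Token with the acr actually performed) are my assumptions; the error code the OP would then send to the RP is exactly the open question of this message and is deliberately not chosen here.

```python
import json

# Constructed sample 'claims' request parameter, as an RP would send it in the
# authorization request: acr is Essential and must be one of two listed values.
CLAIMS_PARAM = json.dumps({
    "id_token": {
        "acr": {
            "essential": True,
            "values": ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
        }
    }
})


def requested_acr(claims_param):
    """Return (essential, values) for an acr request in the ID Token section, or None.

    A claim may be requested as null (no constraints) or as an object that may
    carry 'essential' plus either a single 'value' or a list of 'values'.
    """
    try:
        claims = json.loads(claims_param)
    except (TypeError, ValueError):
        return None  # unparsable claims parameter: treat as no acr request
    id_token = claims.get("id_token") if isinstance(claims, dict) else None
    if not isinstance(id_token, dict) or "acr" not in id_token:
        return None
    spec = id_token["acr"]
    if spec is None:
        return (False, [])  # requested with no specific values
    values = spec.get("values") or ([spec["value"]] if "value" in spec else [])
    return (bool(spec.get("essential")), list(values))


def decide_acr_outcome(claims_param, achieved_acr):
    """Decide the OP outcome after authentication produced achieved_acr.

    Returns ("issue", acr) when an ID Token carrying that acr can be issued, or
    ("failed_authentication", None) when an Essential acr requirement is unmet.
    Assumption: any step-up re-authentication the OP chose to offer already
    happened before this is called, so achieved_acr is the final result.
    """
    req = requested_acr(claims_param)
    if req is None:
        return ("issue", achieved_acr)
    essential, values = req
    if not values or achieved_acr in values:
        return ("issue", achieved_acr)
    if essential:
        # Quoted rule: Essential acr that cannot be met is a failed authentication.
        return ("failed_authentication", None)
    # Assumption: a voluntary acr request that was not met still yields an
    # ID Token stating the acr that was actually performed.
    return ("issue", achieved_acr)
```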