Vladimir Dzhuvinov vladimir at connect2id.com
Sat May 26 21:42:44 UTC 2018

If you're looking for a standard error code for "user failed to
authenticate (with required ACR)", access_denied appears to be the
closest and only choice. What the RP would make of that error code is
another question :)


In practice, many OPs won't send the browser back to the RP if the user
failed to authenticate, i.e. the browser will remain at the login
screen, with the user given the option for some sort of recovery and
perhaps the option to cancel the request and return to the RP.

As for login_required and interaction_required - my reading of the spec
is that these are intended for error responses to prompt=none
authentication requests and shouldn't be used to signal other conditions.


> none
>     The Authorization Server MUST NOT display any authentication or
>     consent user interface pages. An error is returned if an End-User
>     is not already authenticated or the Client does not have
>     pre-configured consent for the requested Claims or does not
>     fulfill other conditions for processing the request. The error
>     code will typically be login_required, interaction_required, or
>     another code defined in Section
>     <http://openid.net/specs/openid-connect-core-1_0.html#AuthError>.
>     This can be used as a method to check for existing authentication
>     and/or consent. 


On 25/05/18 18:41, Filip Skokan via Openid-specs-ab wrote:
> Depending on the situation at the OP I believe this could be any of (in
> order of my preference) login_required, interaction_required, access_denied
> Best,
> *Filip Skokan*
> On Fri, May 25, 2018 at 4:13 PM, Torsten Lodderstedt via Openid-specs-ab
> <openid-specs-ab at lists.openid.net> wrote:
>> Hi all,
>> I just came across the following text (again) in the OpenID Connect Core
>> Spec:
>> "If the acr Claim is requested as an Essential Claim for the ID Token with
>> a values parameter requesting specific Authentication Context Class
>> Reference values and the implementation supports the claims parameter, the
>> Authorization Server MUST return an acr Claim Value that matches one of the
>> requested values. The Authorization Server MAY ask the End-User to
>> re-authenticate with additional factors to meet this requirement. If this
>> is an Essential Claim and the requirement cannot be met, then the
>> Authorization Server MUST treat that outcome as a failed authentication
>> attempt."
>> What error code is the OP supposed to use to signal the failed
>> authentication to the RP?
>> best regards,
>> Torsten.
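Putting the reading in this thread into code: an added example (not from the thread or from any OP implementation) that checks a requested Essential acr claim against what the user actually achieved and, on failure, builds the error redirect, using access_denied for an interactive request and reserving login_required for prompt=none. The claims layout follows the Core spec; the sample request, redirect URI, state and acr values are constructed.

```python
import json
from urllib.parse import urlencode

# Constructed sample authentication request (form parameters as a dict).
SAMPLE_REQUEST = {
    "redirect_uri": "https://rp.example.com/cb",
    "state": "af0ifjsldkj",
    "claims": json.dumps({"id_token": {"acr": {
        "essential": True,
        "values": ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:gold"]}}}),
}

def requested_essential_acr(claims_param):
    """Return the acr values requested as an Essential Claim for the ID Token,
    or None when acr is absent, voluntary, or the claims parameter is unparsable."""
    if not claims_param:
        return None
    try:
        claims = json.loads(claims_param)
    except ValueError:
        return None
    acr = claims.get("id_token", {}).get("acr")
    if not isinstance(acr, dict) or not acr.get("essential"):
        return None
    values = acr.get("values")
    if values is None and "value" in acr:
        values = [acr["value"]]
    return list(values) if values else None

def choose_error(prompt):
    """prompt=none is the case the spec reserves login_required for; an
    interactive request that still failed gets access_denied (per this thread)."""
    return "login_required" if prompt and "none" in prompt.split() else "access_denied"

def authz_outcome(request, achieved_acr):
    """Decide the OP's answer once authentication finished. achieved_acr is the
    acr the user reached, or None if they did not authenticate at all.
    Returns ("ok", acr) or ("error", code, redirect_url)."""
    wanted = requested_essential_acr(request.get("claims"))
    if achieved_acr is not None and (wanted is None or achieved_acr in wanted):
        return ("ok", achieved_acr)
    code = choose_error(request.get("prompt"))
    params = {"error": code}
    if wanted:
        params["error_description"] = "required acr not met: " + " ".join(wanted)
    if "state" in request:
        params["state"] = request["state"]  # echo state so the RP can correlate
    return ("error", code, request["redirect_uri"] + "?" + urlencode(params))
```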
