<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Isn’t this what the acr response param is for...<div><dt><blockquote type="cite" style="font-family: verdana, charcoal, helvetica, arial, sans-serif; -webkit-text-size-adjust: auto;"><br></blockquote></dt><dt><span style="background-color: rgba(255, 255, 255, 0);">acr</span></dt><dd><span style="background-color: rgba(255, 255, 255, 0);">OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of <a class="info" href="http://openid.net/specs/openid-connect-core-1_0.html#ISO29115" style="font-weight: bold; position: relative; z-index: 24; text-decoration: none;">ISO/IEC 29115</a> [ISO29115] level 1. </span></dd><br><div id="AppleMailSignature">Phil</div><div><br>On May 27, 2018, at 9:00 AM, Torsten Lodderstedt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br><br></div><div><span></span></div><blockquote type="cite"><div><span>Hi Vladimir,</span><br><span></span><br><blockquote type="cite"><span>Am 26.05.2018 um 23:42 schrieb Vladimir Dzhuvinov via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>If you're looking for a standard error code for "user failed to authenticate (with required ACR)", access_denied appears to be the closest and only choice. 
What the RP would make of that error code is another question :)</span><br></blockquote><blockquote type="cite"><span><a href="http://openid.net/specs/openid-connect-core-1_0.html#AuthError">http://openid.net/specs/openid-connect-core-1_0.html#AuthError</a></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>In practice, many OPs won't send the browser back to the RP if the user failed to authenticate, i.e. the browser will remain at the login screen, with the user given the option for some sort of recovery and perhaps the option to cancel the request and return to the RP.</span><br></blockquote><blockquote type="cite"><span>As for login_required and interaction_required - my reading of the spec is that these are intended for error responses to prompt=none authentication requests and shouldn't be used to signal other conditions.</span><br></blockquote><blockquote type="cite"><span><a href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest">http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest</a></span><br></blockquote><span></span><br><span>That’s my problem. In my use case, the OP is unable to meet the RP’s requirements either entirely or for the particular user (e.g. no second factor available). I think stopping request processing at the OP is not a good option. I would like to send the user agent back to the RP along with enough information to act upon. My current feeling is we need another, distinct error code - something like authentication_failed or unable_to_meet_authentication_requirements.</span><br><span></span><br><span>best regards,</span><br><span>Torsten. 
</span><br><span></span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>none</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Vladimir</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On 25/05/18 18:41, Filip Skokan via Openid-specs-ab wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Depending on the situation at the OP I believe this could be any of (in</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>order of my preference) login_required, interaction_required, access_denied</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Best,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>*Filip Skokan*</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>On Fri, May 25, 2018 at 
4:13 PM, Torsten Lodderstedt via Openid-specs-ab <</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span><a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>wrote:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Hi all,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>I just came across the following text (again) in the OpenID Connect Core</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Spec:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>"If the acr Claim is requested as an Essential Claim for the ID Token with</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>a values parameter requesting specific Authentication Context Class</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Reference values and the implementation supports the claims parameter, 
the</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Authorization Server MUST return an acr Claim Value that matches one of the</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>requested values. The Authorization Server MAY ask the End-User to</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>re-authenticate with additional factors to meet this requirement. If this</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>is an Essential Claim and the requirement cannot be met, then the</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Authorization Server MUST treat that outcome as a failed authentication</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>attempt."</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>What error code is the OP supposed to use to signal the failed</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>authentication to the RP?</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>best regards,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Torsten.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>_______________________________________________</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>Openid-specs-ab mailing list</span><br></blockquote><blockquote type="cite"><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br></blockquote><blockquote type="cite"><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></blockquote><span></span><br></div></blockquote></div></body></html>
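As an added illustration (not code from the thread or from any of its participants), the following Python sketches the RP side of the two outcomes discussed above: an error response from the OP, or an ID Token whose acr claim must be matched against the requested Essential Claim values, with "0" treated as a failed authentication as Phil's quoted spec text describes. The ACR URIs, the function names and the response dicts are constructed for the example; ID Token signature and nonce validation is assumed to have happened before.

```python
import json

# Constructed ACR values for illustration; a real RP uses the ACR URIs its OP publishes.
REQUESTED_ACR_VALUES = ["urn:example:acr:mfa", "urn:example:acr:hw-token"]


def build_claims_request(acr_values):
    """Build the 'claims' request parameter that asks for acr as an
    Essential Claim in the ID Token with specific permitted values.
    The RP sends json.dumps() of this dict in the authorization request."""
    return {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}


def evaluate_authn_response(response, requested_acr_values):
    """Decide at the RP whether the OP's response proves the required
    authentication strength.

    `response` is either the error response parameters ({"error": ..., ...})
    or the already validated ID Token claims (signature, iss, aud, nonce and
    exp checks are assumed to be done before calling this). Returns (accepted, reason).
    """
    if "error" in response:
        code = response["error"]
        if code == "access_denied":
            # Closest standard code for "user failed to authenticate (with required ACR)".
            return False, "access_denied: OP could not satisfy the required ACR"
        if code in ("login_required", "interaction_required"):
            # Defined for prompt=none failures; either way the login is not accepted.
            return False, code + ": expected only for prompt=none; treated as failed authentication"
        return False, "unexpected error code: " + code

    acr = response.get("acr")
    if acr is None:
        return False, "essential acr claim missing from ID Token"
    if acr == "0":
        # "0" means the authentication did not meet ISO/IEC 29115 level 1.
        return False, "acr '0': authentication below ISO/IEC 29115 level 1"
    if acr not in requested_acr_values:
        # An Essential acr claim must match one of the requested values; a mismatch is a failure.
        return False, "acr %r not among the requested values" % acr
    return True, "acr %r satisfies the request" % acr


if __name__ == "__main__":
    print(json.dumps(build_claims_request(REQUESTED_ACR_VALUES)))
    for resp in ({"error": "access_denied"},
                 {"sub": "alice", "acr": "0"},
                 {"sub": "alice", "acr": "urn:example:acr:mfa"}):
        print(evaluate_authn_response(resp, REQUESTED_ACR_VALUES))
```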