[Openid-specs-mobile-profile] Issue #81: CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint (openid/mobile)
Dave Tonge
issues-reply at bitbucket.org
Thu Aug 30 07:23:00 UTC 2018
New issue 81: CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint
https://bitbucket.org/openid/mobile/issues/81/ciba-authentication-error-responses-cant
Dave Tonge:
These are the errors defined for the Authentication Error Response:
- invalid_request
- invalid_scope
- expired_token
- unauthorized_client
- access_denied
- unknown_user_id
However, the `access_denied` error can't be returned from the Backchannel Authentication Endpoint as it will only occur after the OP has attempted to authenticate the user out of bounds on the authentication device.
The `access_denied` error should therefore be returned from the token endpoint for polling and notification callback modes.
For the delivery callback mode (formerly the notification mode), the error should be sent to the client notification endpoint.