[Openid-specs-mobile-profile] Issue #81: CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint (openid/mobile)

Dave Tonge issues-reply at bitbucket.org
Thu Aug 30 07:23:00 UTC 2018


New issue 81: CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint
https://bitbucket.org/openid/mobile/issues/81/ciba-authentication-error-responses-cant

Dave Tonge:

These are the errors defined for the Authentication Error Response:

 - invalid_request
 - invalid_scope
 - expired_token
 - unauthorized_client
 - access_denied
 - unknown_user_id

However, the `access_denied` error can't be returned from the Backchannel Authentication Endpoint as it will only occur after the OP has attempted to authenticate the user out of bounds on the authentication device.

The `access_denied` error should therefore be returned from the token endpoint for polling and notification callback modes.

For the delivery callback mode (formerly the notification mode), the error should be sent to the client notification endpoint.
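
The timing argument in the issue above, as an added example that is not part of the original post or of the CIBA specification: a constructed in-memory OP model showing that the Backchannel Authentication Endpoint can only reject request-level problems, while `access_denied` surfaces later at the token endpoint or at the client notification endpoint. The class, method names, mode labels (`poll`, `notify`, `delivery`), the `notify` callable, and the use of `authorization_pending` and `invalid_grant` for not-yet-decided and unknown requests are assumptions made for illustration.

```python
import secrets

class MockOP:
    """Constructed OP model for illustration; not a real CIBA implementation."""

    def __init__(self, known_users, notify=None):
        self.known_users = set(known_users)
        self.notify = notify      # hypothetical client notification endpoint (a callable)
        self.requests = {}        # auth_req_id -> {"mode": ..., "state": ...}

    def backchannel_authenticate(self, login_hint, scope, mode):
        # Only request-level checks are possible here: the user has not been asked yet,
        # so access_denied cannot be known at this point.
        if not login_hint or mode not in ("poll", "notify", "delivery"):
            return {"error": "invalid_request"}
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        if login_hint not in self.known_users:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"mode": mode, "state": "pending"}
        return {"auth_req_id": auth_req_id}

    def user_decides(self, auth_req_id, approved):
        # Happens later, on the authentication device.
        req = self.requests[auth_req_id]
        req["state"] = "approved" if approved else "denied"
        if req["mode"] == "delivery" and self.notify:
            # Delivery mode: the outcome, errors included, is sent to the
            # client notification endpoint.
            self.notify(self._result(auth_req_id))

    def token(self, auth_req_id):
        # Polling and notification modes: the client learns the outcome here.
        req = self.requests.get(auth_req_id)
        if req is None:
            return {"error": "invalid_grant"}          # assumption for unknown ids
        if req["state"] == "pending":
            return {"error": "authorization_pending"}  # assumption: user not done yet
        return self._result(auth_req_id)

    def _result(self, auth_req_id):
        if self.requests[auth_req_id]["state"] == "denied":
            return {"auth_req_id": auth_req_id, "error": "access_denied"}
        return {"auth_req_id": auth_req_id, "id_token": "constructed.placeholder.token"}
```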
