[Openid-specs-ab] OP specific error code in authz error response
John Bradley
ve7jtb at ve7jtb.com
Fri Dec 17 14:28:29 UTC 2010
The spec is under revision now. We are attempting to harmonize with the OpenID Connect proposal as much as possible.
This should allow for a single core spec.
We are also working with MS, Google and Facebook on the JSON token format.
We can certainly look at making the error codes extensible. However, extendibility on error codes has related interoperability problems in other protocols.
If you have specific ideas about what you would like, or are trying to do, please post them to the list.
John B.
On 2010-12-17, at 3:58 AM, Tatsuo Kudo wrote:
> Hi,
>
> I was wondering if the Artifact Binding could allow OPs to specify
> custom error codes in "error" parameter described in the section 8.5.2
> of the specification. Can anyone clarify that?
>
> I am in the process of designing APIs of our commercial identity
> federation services which leverage the AB spec and would like to
> utilize the error parameter to indicate some service specific error
> reasons to RPs.
>
> As per the current version of RC3, the OP seems to be prohibited from
> including any codes other than those described. Is it possible to make
> some spec changes to include other codes?
>
> 8.5.2. End-user Denies Authorization or Invalid Request File
> https://openid4.us/specs/ab/#authz_error
> ----------------------------------------------------------------------
> 8.5.2. End-user Denies Authorization or Invalid Request File
>
> * error - A single error code as described below.
> * request_uri - Set to the exact value received from the RP.
> * state - Set to the exact value received from the RP.
>
> No other parameter SHOULD be returned. The entire URL MUST NOT exceed
> 512 bytes.
>
> Error codes are as follows:
>
> * invalid_request - The request is missing a required parameter,
> includes an unsupported parameter or parameter value, or is
> otherwise malformed.
>
> * invalid_client - The client identifier provided is
> invalid.
>
> * unauthorized_client - The client is not authorized to use
> the requested response type.
>
> * redirect_uri_mismatch - The redirection URI provided does not
> match a pre-registered value.
>
> * access_denied - The end-user or authorization server denied the
> request.
>
> * unsupported_response_type - The requested response type is not
> supported by the authorization server.
>
> * invalid_scope - The requested scope is invalid, unknown, or
> malformed.
>
> * setup_needed - "immediate" request denied so that the user
> interaction was required.
> ----------------------------------------------------------------------
>
> Thanks,
> Tatsuo.
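
An RP-side check of the error response quoted above, as an added example that is not part of the original messages or the specification. It assumes the parameters arrive in the redirect URL's query string; the function name, the `unrecognized_error` label, the logging character set and the sample values are hypothetical. A code outside the quoted list is collapsed to one generic outcome, so an RP neither branches on nor displays a string it does not know.

```python
import hmac
import re
from urllib.parse import parse_qsl, urlsplit

# Codes listed in the quoted section 8.5.2.
KNOWN_ERRORS = frozenset({
    "invalid_request", "invalid_client", "unauthorized_client",
    "redirect_uri_mismatch", "access_denied", "unsupported_response_type",
    "invalid_scope", "setup_needed",
})
MAX_URL_BYTES = 512                         # "MUST NOT exceed 512 bytes"
SAFE_CODE = re.compile(r"[a-z0-9_]{1,64}")  # assumed logging policy, not from the spec


def parse_authz_error(url, expected_state, expected_request_uri):
    """Validate an error redirect and return (code_to_act_on, code_to_log)."""
    if len(url.encode("utf-8")) > MAX_URL_BYTES:
        raise ValueError("response URL exceeds 512 bytes")
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        raise ValueError("duplicate parameter")
    if "error" not in params:
        raise ValueError("missing error parameter")
    # state and request_uri must echo exactly what this RP sent.
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if params.get("request_uri") != expected_request_uri:
        raise ValueError("request_uri mismatch")
    raw = params["error"]
    if raw in KNOWN_ERRORS:
        return raw, raw
    # Unlisted (OP-specific) code: never branch on it or show it to the user.
    loggable = raw if SAFE_CODE.fullmatch(raw) else "<unprintable>"
    return "unrecognized_error", loggable


# Constructed sample values, not taken from the page.
STATE = "af0ifjsldkj"
REQUEST_URI = "https://rp.example/req/1"
BASE = ("https://rp.example/cb?request_uri=https%3A%2F%2Frp.example%2Freq%2F1"
        "&state=af0ifjsldkj")

if __name__ == "__main__":
    for code in ("access_denied", "acme_account_locked", "%3Cscript%3E"):
        print(parse_authz_error(BASE + "&error=" + code, STATE, REQUEST_URI))
```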