[Openid-specs-ab] Issue #1029: authentication_failed error response (openid/connect)
Torsten Lodderstedt
issues-reply at bitbucket.org
Sun Jun 10 15:28:47 UTC 2018
New issue 1029: authentication_failed error response
https://bitbucket.org/openid/connect/issues/1029/authentication_failed-error-response
Torsten Lodderstedt:
OpenID Connect Core Spec states:
"If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt.“
The spec does not state what treating this as an failed authentication attempt means.
In a discussion on the list the consensus was the OP should return a generic authentication failed error code to the RP and let it decide how to proceed.
The proposal is to use a new "authentication_failed" error code.
More information about the Openid-specs-ab
mailing list