[Openid-specs-ab] Issue #2167: [Native SSO] Codify login_required / consent_required errors on token exchange? (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Thu Aug 15 15:23:59 UTC 2024
New issue 2167: [Native SSO] Codify login_required / consent_required errors on token exchange?
https://bitbucket.org/openid/connect/issues/2167/native-sso-codify-login_required
Vladimir Dzhuvinov:
When a native app performs back-channel SSO, the OP may decide that for some particular requested scopes the user may need to re-authenticate, or consent explicitly (in the browser). At present we’re not sure how to signal this. That’s because the `invalid_grant` error is too general. I then realised that in OIDC Core we have the error codes `login_required` and `consent_required` (and also `interaction_required`) and that they may help to solve this.
Here is their definition in OIDC Core:
[https://openid.net/specs/openid-connect-core-1_0.html#AuthError](https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
I’d love to hear thoughts, or suggestions if something better could be done here.
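As an added illustration of the proposal in this issue (not code from the issue, the specification or any OP), the sketch below shows an OP token endpoint answering a Native SSO token exchange with the OIDC Core interaction error codes instead of a blanket `invalid_grant`. The per-scope policy, the `DeviceSession` shape and the 300-second freshness limit are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed per-scope policy (assumption, not from the spec or the issue):
# scopes whose grant needs a recent login, and scopes needing explicit consent.
SCOPES_REQUIRING_FRESH_LOGIN = {"payments"}
SCOPES_REQUIRING_EXPLICIT_CONSENT = {"contacts"}
MAX_AUTH_AGE_SECONDS = 300  # assumption: a login older than 5 min is not fresh


@dataclass
class DeviceSession:
    """What the OP recorded for the device_secret presented in the exchange."""
    subject: str
    consented_scopes: frozenset
    auth_age_seconds: int


def handle_native_sso_exchange(session, requested_scopes):
    """Return (http_status, response_body) for a Native SSO token exchange.

    Mirrors the issue's idea: reuse Core's login_required / consent_required /
    interaction_required so the client knows which browser interaction to
    start, and keep invalid_grant for a device_secret the OP does not know.
    """
    if session is None:
        return 400, {"error": "invalid_grant",
                     "error_description": "unknown or expired device_secret"}
    requested = set(requested_scopes)
    needs_login = bool(requested & SCOPES_REQUIRING_FRESH_LOGIN
                       and session.auth_age_seconds > MAX_AUTH_AGE_SECONDS)
    needs_consent = bool((requested & SCOPES_REQUIRING_EXPLICIT_CONSENT)
                         - session.consented_scopes)
    if needs_login and needs_consent:
        # Both interactions are needed; the generic Core code covers that case.
        return 400, {"error": "interaction_required",
                     "error_description": "re-authentication and consent required"}
    if needs_login:
        return 400, {"error": "login_required",
                     "error_description": "requested scope needs a recent login"}
    if needs_consent:
        return 400, {"error": "consent_required",
                     "error_description": "requested scope needs explicit consent"}
    # Constructed placeholder token; a real OP would mint a signed/opaque token.
    return 200, {"access_token": "constructed-token-for-" + session.subject,
                 "token_type": "Bearer", "scope": " ".join(sorted(requested))}
```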