[Openid-specs-ab] Failed Authentication Attempts

Filip Skokan panva.ip at gmail.com
Fri May 25 16:41:13 UTC 2018


Depending on the situation at the OP, I believe this could be any of (in
order of my preference) login_required, interaction_required, access_denied.

Best,
*Filip Skokan*

On Fri, May 25, 2018 at 4:13 PM, Torsten Lodderstedt via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi all,
>
> I just came across the following text (again) in the OpenID Connect Core
> Spec:
>
> "If the acr Claim is requested as an Essential Claim for the ID Token with
> a values parameter requesting specific Authentication Context Class
> Reference values and the implementation supports the claims parameter, the
> Authorization Server MUST return an acr Claim Value that matches one of the
> requested values. The Authorization Server MAY ask the End-User to
> re-authenticate with additional factors to meet this requirement. If this
> is an Essential Claim and the requirement cannot be met, then the
> Authorization Server MUST treat that outcome as a failed authentication
> attempt."
>
> What error code is the OP supposed to use to signal the failed
> authentication to the RP?
>
> best regards,
> Torsten.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
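
Added example, not part of the original thread and not code from either poster: an RP-side sketch of the exchange discussed above, covering the essential acr request, the three error codes suggested in the reply, and the acr check on a successful response. The endpoint URLs, client id and acr value in the usage are constructed, and the ID Token is assumed to be signature-validated already.

```python
import json
from urllib.parse import urlencode, parse_qs, urlsplit

# Error codes suggested in the reply above; the quoted spec text names none,
# and each of them can also be returned for unrelated reasons.
POSSIBLE_ACR_FAILURE_ERRORS = {"login_required", "interaction_required", "access_denied"}


def build_auth_url(authorization_endpoint, client_id, redirect_uri, state, nonce, acr_values):
    """Authorization request asking for acr as an Essential Claim with specific values."""
    claims = {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}
    query = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return authorization_endpoint + "?" + urlencode(query)


def classify_callback(callback_url, expected_state):
    """Return ('code', value), ('possible_acr_failure', error) or ('error', reason)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if params.get("state") != expected_state:
        return ("error", "state_mismatch")  # never act on a response for another session
    if "error" in params:
        err = params["error"]
        kind = "possible_acr_failure" if err in POSSIBLE_ACR_FAILURE_ERRORS else "error"
        return (kind, err)
    if "code" not in params:
        return ("error", "missing_code")
    return ("code", params["code"])


def acr_satisfied(id_token_claims, requested_values):
    """Check the acr of an already signature-validated ID Token against the request.

    An OP that does not support the claims parameter may issue a token anyway,
    so a missing or different acr has to be rejected on the RP side.
    """
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in requested_values
```
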