<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- saved from url=(0050)https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi -->
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/"><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>OpenID Connect Core Error Code authentication_failed</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.toc" rel="Contents">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.1" rel="Chapter" title="1 Authentication Error Definition">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2" rel="Chapter" title="2 IANA Considerations">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2.1" rel="Chapter" title="2.1 OAuth Extensions Error Registration">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2.1.1" rel="Chapter" title="2.1.1 Registry Contents">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.references" rel="Chapter" title="3 Normative References">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.A" rel="Chapter" title="A Acknowledgements">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.B" rel="Chapter" title="B Notices">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.C" rel="Chapter" title="C Document History">
<link href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.authors" rel="Chapter">
<meta name="generator" content="xml2rfc version 2.10.0 - https://tools.ietf.org/tools/xml2rfc">
<link rel="schema.dct" href="http://purl.org/dc/terms/">
<meta name="dct.creator" content="Lodderstedt, T.">
<meta name="dct.identifier" content="urn:ietf:id:openid-connect-core-authentication-failed-1_0">
<meta name="dct.issued" scheme="ISO8601" content="2018-08-24">
<meta name="dct.abstract" content="OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.">
<meta name="description" content="OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.">
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left"></td>
<td class="right">T. Lodderstedt</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">YES</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">August 24, 2018</td>
</tr>
</tbody>
</table>
<p class="title">OpenID Connect Core Error Code authentication_failed<br>
<span class="filename">openid-connect-core-authentication-failed-1_0</span></p>
<h1 id="rfc.abstract"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.abstract">Abstract</a></h1>
<p>OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.</p>
<p>This specification augments OpenID Connect Core 1.0 by defining an additional error code <samp>authentication_failed</samp> to allow the OpenID Provider to signal to the Relying Party it failed to authenticate the End-User according to the requirements of the Relying Party. </p>
<hr class="noprint">
<h1 class="np" id="rfc.toc"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.1">Authentication Error Definition</a>
</li>
<li>2. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2">IANA Considerations</a>
</li>
<ul><li>2.1. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2.1">OAuth Extensions Error Registration</a>
</li>
<ul><li>2.1.1. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2.1.1">Registry Contents</a>
</li>
</ul></ul><li>3. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.references">Normative References</a>
</li>
<li>Appendix A. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.A">Acknowledgements</a>
</li>
<li>Appendix B. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.B">Notices</a>
</li>
<li>Appendix C. <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.C">Document History</a>
</li>
<li><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.authors">Author's Address</a>
</li>
</ul>
<h1 id="rfc.section.1">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.1">1.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#AuthError" id="AuthError">Authentication Error Definition</a>
</h1>
<p id="rfc.section.1.p.1">An Authentication Error Response is an OAuth 2.0 Authorization Error Response message returned from the OP's Authorization Endpoint in response to the Authorization Request message sent by the RP. </p>
<p id="rfc.section.1.p.2">In addition to the error codes defined in Section 4.1.2.1 of <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#RFC6749" class="xref">OAuth 2.0</a> and Section 3.1.2.6. of <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#OpenID.Core" class="xref">OpenID Connect Core</a>, this specification also defines the following error code: </p>
<p></p>
<dl>
<dt>authentication_failed</dt>
<dd style="margin-left: 8">
<br> The Authorization Server is unable to meet the requirements imposed by the Relying Party regarding the authentication of the End-User. This error code SHALL be used if the Relying Party wants the OP to conform to a certain Authentication Context Class Reference value using an essential claim <samp>acr</samp> claim as specified in Section 5.5.1.1. of <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#OpenID.Core" class="xref">OpenID Connect Core</a> and the OP is unable to meet this requirement and MAY be used in other cases if appropriate. </dd>
</dl>
<p> </p>
<h1 id="rfc.section.2">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2">2.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#IANA" id="IANA">IANA Considerations</a>
</h1>
<h1 id="rfc.section.2.1">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2.1">2.1.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#OAuthErrorRegistry" id="OAuthErrorRegistry">OAuth Extensions Error Registration</a>
</h1>
<p id="rfc.section.2.1.p.1">This specification registers the following error in the IANA OAuth Extensions Error registry <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#IANA.OAuth.Parameters" class="xref">[IANA.OAuth.Parameters]</a> established by <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#RFC6749" class="xref">RFC 6749</a>. </p>
<h1 id="rfc.section.2.1.1">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.section.2.1.1">2.1.1.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#ErrorContents" id="ErrorContents">Registry Contents</a>
</h1>
<p></p>
<ul>
<li>Error name: <samp>authentication_failed</samp>
</li>
<li>Error usage location: Authorization Endpoint</li>
<li>Related protocol extension: OpenID Connect</li>
<li>Change controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net</li>
<li>Specification document(s): <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#AuthError" class="xref">Section 1</a> of this document</li>
</ul>
<p> </p>
<h1 id="rfc.references">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.references">3.</a> Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="IANA.OAuth.Parameters">[IANA.OAuth.Parameters]</b></td>
<td class="top">
<a>IANA</a>, "<a href="http://www.iana.org/assignments/oauth-parameters">OAuth Parameters</a>"</td>
</tr>
<tr>
<td class="reference"><b id="OpenID.Core">[OpenID.Core]</b></td>
<td class="top">
<a title="Nomura Research Institute, Ltd.">Sakimura, N.</a>, <a title="Ping Identity">Bradley, J.</a>, <a title="Microsoft">Jones, M.</a>, <a title="Google">de Medeiros, B.</a> and <a title="Salesforce">C. Mortimore</a>, "<a href="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0</a>", April 2017.</td>
</tr>
<tr>
<td class="reference"><b id="RFC6749">[RFC6749]</b></td>
<td class="top">
<a>Hardt, D.</a>, "<a href="https://tools.ietf.org/html/rfc6749">The OAuth 2.0 Authorization Framework</a>", RFC 6749, DOI 10.17487/RFC6749, October 2012.</td>
</tr>
</tbody></table>
<h1 id="rfc.appendix.A">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.A">Appendix A.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#Acknowledgements" id="Acknowledgements">Acknowledgements</a>
</h1>
<p id="rfc.section.A.p.1">The OpenID Community would like to thank the following people for their contributions to this specification: </p>
<p></p>
<ul class="empty">
<li>Nat Sakimura</li>
<li>Phil Hunt</li>
<li>George Fletcher</li>
<li>Vladimir Dzhuvinov</li>
<li>Mike Jones</li>
</ul>
<p> </p>
<h1 id="rfc.appendix.B">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.B">Appendix B.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#Notices" id="Notices">Notices</a>
</h1>
<p id="rfc.section.B.p.1">Copyright (c) 2018 The OpenID Foundation.</p>
<p id="rfc.section.B.p.2">The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF. </p>
<p id="rfc.section.B.p.3">The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification. </p>
<h1 id="rfc.appendix.C">
<a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.appendix.C">Appendix C.</a> <a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#History" id="History">Document History</a>
</h1>
<p id="rfc.section.C.p.1">[[ To be removed from the approved errata ]]</p>
<p id="rfc.section.C.p.2">-00 </p>
<ul><li>first version </li></ul>
<p> </p>
<h1 id="rfc.authors"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi#rfc.authors">Author's Address</a></h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Torsten Lodderstedt</span>
<span class="n hidden">
<span class="family-name">Lodderstedt</span>
</span>
</span>
<span class="org vcardline">YES.com AG</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a></span>
</address>
</div>
</body></html>