<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OpenID Connect Core Error Code authentication_failed</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="#rfc.toc" rel="Contents">
<link href="#rfc.section.1" rel="Chapter" title="1 Authentication Error Definition">
<link href="#rfc.section.2" rel="Chapter" title="2 IANA Considerations">
<link href="#rfc.section.2.1" rel="Chapter" title="2.1 OAuth Extensions Error Registration">
<link href="#rfc.section.2.1.1" rel="Chapter" title="2.1.1 Registry Contents">
<link href="#rfc.references" rel="Chapter" title="3 Normative References">
<link href="#rfc.appendix.A" rel="Chapter" title="A Acknowledgements">
<link href="#rfc.appendix.B" rel="Chapter" title="B Notices">
<link href="#rfc.appendix.C" rel="Chapter" title="C Document History">
<link href="#rfc.authors" rel="Chapter">
<meta name="generator" content="xml2rfc version 2.19.0 - https://tools.ietf.org/tools/xml2rfc">
<link rel="schema.dct" href="http://purl.org/dc/terms/">
<meta name="dct.creator" content="Lodderstedt, T.">
<meta name="dct.identifier" content="urn:ietf:id:openid-connect-core-authentication-failed-1_0">
<meta name="dct.issued" scheme="ISO8601" content="2018-08-24">
<meta name="dct.abstract" content="OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.This specification augments OpenID Connect Core 1.0 by defining an additional error code authentication_failed to allow the OpenID Provider to signal to the Relying Party it failed to authenticate the End-User according to the requirements of the Relying Party. ">
<meta name="description" content="OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.This specification augments OpenID Connect Core 1.0 by defining an additional error code authentication_failed to allow the OpenID Provider to signal to the Relying Party it failed to authenticate the End-User according to the requirements of the Relying Party. ">
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left"></td>
<td class="right">T. Lodderstedt</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">YES</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">August 24, 2018</td>
</tr>
</tbody>
</table>
<p class="title">OpenID Connect Core Error Code authentication_failed<br>
<span class="filename">openid-connect-core-authentication-failed-1_0</span></p>
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
<p>OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
protocol. It enables Clients to verify the identity of the End-User
based on the authentication performed by an Authorization Server, as
well as to obtain basic profile information about the End-User in an
interoperable and REST-like manner.</p>
<p>This specification augments OpenID Connect Core 1.0 by defining an additional error code <samp>authentication_failed</samp>
to allow the OpenID Provider to signal to the Relying Party it failed
to authenticate the End-User according to the requirements of the
Relying Party. </p>
<hr class="noprint">
<h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="#rfc.section.1">Authentication Error Definition</a>
</li>
<li>2. <a href="#rfc.section.2">IANA Considerations</a>
</li>
<ul><li>2.1. <a href="#rfc.section.2.1">OAuth Extensions Error Registration</a>
</li>
<ul><li>2.1.1. <a href="#rfc.section.2.1.1">Registry Contents</a>
</li>
</ul></ul><li>3. <a href="#rfc.references">Normative References</a>
</li>
<li>Appendix A. <a href="#rfc.appendix.A">Acknowledgements</a>
</li>
<li>Appendix B. <a href="#rfc.appendix.B">Notices</a>
</li>
<li>Appendix C. <a href="#rfc.appendix.C">Document History</a>
</li>
<li><a href="#rfc.authors">Author's Address</a>
</li>
</ul>
<h1 id="rfc.section.1">
<a href="#rfc.section.1">1.</a> <a href="#AuthError" id="AuthError">Authentication Error Definition</a>
</h1>
<p id="rfc.section.1.p.1">An Authentication Error Response is an OAuth
2.0 Authorization Error Response message returned from the OP's
Authorization Endpoint in response to the Authorization Request message
sent by the RP. </p>
<p id="rfc.section.1.p.2">In addition to the error codes defined in Section 4.1.2.1 of <a href="#RFC6749" class="xref">OAuth 2.0</a> and Section 3.1.2.6. of <a href="#OpenID.Core" class="xref">OpenID Connect Core</a>, this specification also defines the following error code: </p>
<p></p>
<dl>
<dt>authentication_failed</dt>
<dd style="margin-left: 8">
<br> The Authorization Server is unable to meet the requirements imposed
by the Relying Party regarding the authentication of the End-User. This
error code SHALL be used if the Relying Party wants the OP to conform
to a certain Authentication Context Class Reference value using an
essential claim <samp>acr</samp> claim as specified in Section 5.5.1.1. of <a href="#OpenID.Core" class="xref">OpenID Connect Core</a> and the OP is unable to meet this requirement and MAY be used in other cases if appropriate. </dd>
</dl>
<p> </p>
<h1 id="rfc.section.2">
<a href="#rfc.section.2">2.</a> <a href="#IANA" id="IANA">IANA Considerations</a>
</h1>
<h1 id="rfc.section.2.1">
<a href="#rfc.section.2.1">2.1.</a> <a href="#OAuthErrorRegistry" id="OAuthErrorRegistry">OAuth Extensions Error Registration</a>
</h1>
<p id="rfc.section.2.1.p.1">This specification registers the following error in the IANA OAuth Extensions Error registry <a href="#IANA.OAuth.Parameters" class="xref">[IANA.OAuth.Parameters]</a> established by <a href="#RFC6749" class="xref">RFC 6749</a>. </p>
<h1 id="rfc.section.2.1.1">
<a href="#rfc.section.2.1.1">2.1.1.</a> <a href="#ErrorContents" id="ErrorContents">Registry Contents</a>
</h1>
<p></p>
<ul>
<li>Error name: <samp>authentication_failed</samp>
</li>
<li>Error usage location: Authorization Endpoint</li>
<li>Related protocol extension: OpenID Connect</li>
<li>Change controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net</li>
<li>Specification document(s): <a href="#AuthError" class="xref">Section 1</a> of this document</li>
</ul>
<p> </p>
<h1 id="rfc.references">
<a href="#rfc.references">3.</a> Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="IANA.OAuth.Parameters">[IANA.OAuth.Parameters]</b></td>
<td class="top">
<a>IANA</a>, "<a href="http://www.iana.org/assignments/oauth-parameters">OAuth Parameters</a>"</td>
</tr>
<tr>
<td class="reference"><b id="OpenID.Core">[OpenID.Core]</b></td>
<td class="top">
<a title="Nomura Research Institute, Ltd.">Sakimura, N.</a>, <a title="Ping Identity">Bradley, J.</a>, <a title="Microsoft">Jones, M.</a>, <a title="Google">de Medeiros, B.</a> and <a title="Salesforce">C. Mortimore</a>, "<a href="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0</a>", April 2017.</td>
</tr>
<tr>
<td class="reference"><b id="RFC6749">[RFC6749]</b></td>
<td class="top">
<a>Hardt, D.</a>, "<a href="https://tools.ietf.org/html/rfc6749">The OAuth 2.0 Authorization Framework</a>", RFC 6749, DOI 10.17487/RFC6749, October 2012.</td>
</tr>
</tbody></table>
<h1 id="rfc.appendix.A">
<a href="#rfc.appendix.A">Appendix A.</a> <a href="#Acknowledgements" id="Acknowledgements">Acknowledgements</a>
</h1>
<p id="rfc.section.A.p.1">The OpenID Community would like to thank the following people for their contributions to this specification: </p>
<p></p>
<ul class="empty">
<li>Nat Sakimura</li>
<li>Phil Hunt</li>
<li>George Fletcher</li>
<li>Vladimir Dzhuvinov</li>
<li>Mike Jones</li>
</ul>
<p> </p>
<h1 id="rfc.appendix.B">
<a href="#rfc.appendix.B">Appendix B.</a> <a href="#Notices" id="Notices">Notices</a>
</h1>
<p id="rfc.section.B.p.1">Copyright (c) 2018 The OpenID Foundation.</p>
<p id="rfc.section.B.p.2">The OpenID Foundation (OIDF) grants to any
Contributor, developer, implementer, or other interested party a
non-exclusive, royalty free, worldwide copyright license to reproduce,
prepare derivative works from, distribute, perform and display, this
Implementers Draft or Final Specification solely for the purposes of (i)
developing specifications, and (ii) implementing Implementers Drafts
and Final Specifications based on such documents, provided that
attribution be made to the OIDF as the source of the material, but that
such attribution does not indicate an endorsement by the OIDF. </p>
<p id="rfc.section.B.p.3">The technology described in this specification
was made available from contributions from various sources, including
members of the OpenID Foundation and others. Although the OpenID
Foundation has taken steps to help ensure that the technology is
available for distribution, it takes no position regarding the validity
or scope of any intellectual property or other rights that might be
claimed to pertain to the implementation or use of the technology
described in this specification or the extent to which any license under
such rights might or might not be available; neither does it represent
that it has made any independent effort to identify any such rights.
The OpenID Foundation and the contributors to this specification make no
(and hereby expressly disclaim any) warranties (express, implied, or
otherwise), including implied warranties of merchantability,
non-infringement, fitness for a particular purpose, or title, related to
this specification, and the entire risk as to implementing this
specification is assumed by the implementer. The OpenID Intellectual
Property Rights policy requires contributors to offer a patent promise
not to assert certain patent claims against other contributors and
against implementers. The OpenID Foundation invites any interested
party to bring to its attention any copyrights, patents, patent
applications, or other proprietary rights that may cover technology that
may be required to practice this specification. </p>
<h1 id="rfc.appendix.C">
<a href="#rfc.appendix.C">Appendix C.</a> <a href="#History" id="History">Document History</a>
</h1>
<p id="rfc.section.C.p.1">[[ To be removed from the approved errata ]]</p>
<p id="rfc.section.C.p.2">-00 </p>
<ul><li>first version </li></ul>
<p> </p>
<h1 id="rfc.authors"><a href="#rfc.authors">Author's Address</a></h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Torsten Lodderstedt</span>
<span class="n hidden">
<span class="family-name">Lodderstedt</span>
</span>
</span>
<span class="org vcardline">yes.com</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a></span>
</address>
</div>
</body></html>