[Openid-specs-mobile-profile] Issue #85: CIBA: Notifying the Client when a user fails to authenticate (openid/mobile)
issues-reply at bitbucket.org
Tue Sep 11 19:30:36 UTC 2018
New issue 85: CIBA: Notifying the Client when a user fails to authenticate
We discussed this issue on the call today.
The thrust of the discussion was the following states:
1. User authenticates but doesn't authorize
2. User fails to authenticate
3. User never attempts to authenticate in a given (OP determined) time
4. The auth request itself expires
There was a wide ranging discussion, but I believe the general agreement for the above states was:
1. There must be an `access_denied` error
2. There could be an `access_denied` error or an `auth_timeout` error
3. There could be an `access_denied` error or an `auth_timeout` error
4. There should be an `auth_req_expired` error (but OPs shouldn't be required to notify Clients of this error)
Note there currently isn't an `auth_timeout` error - we can decide on the best name.
Also there is currently an `expired_token` error, but it is used for multiple errors, which is why I think that perhaps something more explicit like `auth_req_expired` may be better.
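As an added example that is not part of the issue or the CIBA spec: a poll-mode Client classifier for the token-endpoint error responses discussed above. It treats the existing `expired_token` and the proposed (not yet adopted) `auth_timeout` / `auth_req_expired` names as terminal outcomes alongside `access_denied`; the `authorization_pending` / `slow_down` handling and the +5 second back-off come from CIBA poll mode, and the sample responses are constructed.

```python
import json
from dataclasses import dataclass

# Terminal errors: the names below are those proposed in the issue (auth_timeout,
# auth_req_expired) plus the ones CIBA already defines (access_denied, expired_token).
TERMINAL = {
    "access_denied": "user denied, or failed/never attempted to authenticate (states 1-3)",
    "auth_timeout": "user did not complete authentication in time (states 2-3, proposed name)",
    "auth_req_expired": "the authentication request itself expired (state 4, proposed name)",
    "expired_token": "authentication request expired (current, overloaded error name)",
}


@dataclass
class PollDecision:
    done: bool          # True: stop polling, outcome is final
    next_interval: int  # seconds to wait before the next poll when not done
    reason: str


def decide(response_body: str, interval: int) -> PollDecision:
    """Classify one CIBA token-endpoint response received in poll mode."""
    body = json.loads(response_body)
    if "access_token" in body:
        return PollDecision(True, 0, "token issued")
    err = body.get("error")
    if err == "authorization_pending":
        return PollDecision(False, interval, "user has not finished yet; keep polling")
    if err == "slow_down":
        # CIBA requires the Client to increase its interval by at least 5 seconds
        return PollDecision(False, interval + 5, "server asked to slow down")
    if err in TERMINAL:
        return PollDecision(True, 0, TERMINAL[err])
    # Fail closed: an unrecognised error is never a reason to keep polling.
    return PollDecision(True, 0, f"unrecognised error {err!r}; stopping")


# Constructed sample responses (not captured from any real OP).
SAMPLES = {
    "pending": '{"error": "authorization_pending"}',
    "slow": '{"error": "slow_down"}',
    "denied": '{"error": "access_denied", "error_description": "user declined"}',
    "expired": '{"error": "auth_req_expired"}',
    "ok": '{"access_token": "example-token", "token_type": "Bearer", "expires_in": 300}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, decide(body, 5))
```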