[Openid-specs-mobile-profile] Issue #85: CIBA: Notifying the Client when a user fails to authenticate (openid/mobile)

Dave Tonge issues-reply at bitbucket.org
Tue Sep 11 19:30:36 UTC 2018


New issue 85: CIBA: Notifying the Client when a user fails to authenticate
https://bitbucket.org/openid/mobile/issues/85/ciba-notifying-the-client-when-a-user

Dave Tonge:

We discussed this issue on the call today.
The thrust of the discussion was the following states:

1. User authenticates but doesn't authorize
2. User fails to authenticate
3. User never attempts to authenticate in a given (OP determined) time
4. The auth request itself expires

There was a wide ranging discussion, but I believe the general agreement for the above states was:

1. There must be an `access_denied` error
2. There could be an `access_denied` error or an `auth_timeout` error
3. There could be an `access_denied` error or an `auth_timeout` error
4. There should be an `auth_req_expired` error (but OPs shouldn't be required to notify Clients of this error)

Note there currently isn't an `auth_timeout` error - we can decide on the best name.
Also there is currently an `expired_token` error, but it is used for multiple errors, which is why I think that perhaps something more explicit like `auth_req_expired` may be better.
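As an added example that is not part of the issue or of the CIBA specification, the following Python classifier shows how a poll-mode client would distinguish the retriable token endpoint errors from the terminal ones discussed above. `auth_timeout` and `auth_req_expired` are the names proposed in the issue and are assumed here as hypothetical codes; `authorization_pending`, `slow_down`, `expired_token` and `access_denied` are the existing CIBA codes.

```python
import json
from enum import Enum
from typing import Tuple


class Outcome(Enum):
    KEEP_POLLING = "keep_polling"  # user has not acted yet; poll again later
    BACK_OFF = "back_off"          # polling too fast; poll again with a longer interval
    DENIED = "denied"              # terminal: user declined or failed to authenticate
    EXPIRED = "expired"            # terminal: the authentication request's lifetime elapsed
    UNKNOWN = "unknown"            # terminal: unrecognised error, fail closed and log it


# Terminal codes: the client must stop polling for this auth_req_id.
# The comments map each code to the four states listed in the issue.
_TERMINAL = {
    "access_denied": Outcome.DENIED,      # states 1-3 (authorization refused or failed)
    "auth_timeout": Outcome.DENIED,       # hypothetical name from the issue, states 2-3
    "auth_req_expired": Outcome.EXPIRED,  # hypothetical name from the issue, state 4
    "expired_token": Outcome.EXPIRED,     # existing CIBA code, currently also used for state 4
}


def classify_error(body: str, current_interval: int) -> Tuple[Outcome, int]:
    """Parse a CIBA token endpoint error body (constructed JSON in the tests)
    and return what the client does next plus the polling interval to use."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # A malformed response is never a reason to keep hammering the endpoint.
        return Outcome.UNKNOWN, current_interval
    err = doc.get("error")
    if err == "authorization_pending":
        return Outcome.KEEP_POLLING, current_interval
    if err == "slow_down":
        # CIBA requires the client to add 5 seconds to its interval for all later polls.
        return Outcome.BACK_OFF, current_interval + 5
    # Anything not explicitly retriable is treated as terminal; unknown codes fail closed.
    return _TERMINAL.get(err, Outcome.UNKNOWN), current_interval
```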
