authentication_failed error response

Issue #1029 resolved
Torsten Lodderstedt created an issue

OpenID Connect Core Spec states:

"If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt."

The spec does not state what treating this as a failed authentication attempt means. In a discussion on the list the consensus was that the OP should return a generic authentication failed error code to the RP and let it decide how to proceed.

The proposal is to use a new "authentication_failed" error code.
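The behaviour the issue describes, as an added example that is not code from the working group or from any OP implementation: an OP reads the Essential acr request out of the claims parameter, optionally tries a step-up re-authentication (modelled here as a hypothetical `step_up` callback), and if the requirement still cannot be met sends the RP a generic error redirect instead of an ID Token. The error code string used is `unmet_authentication_requirements`, the name the working group settled on later in this thread; the RP side shows the minimal handling (check state, recognise the error, decide). All URLs, ACR values, sub values and session data are constructed for the demo.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error code name adopted by the working group later in this thread.
UNMET_AUTHN_REQUIREMENTS = "unmet_authentication_requirements"


def requested_acr(claims_param):
    """Read the id_token.acr member of the claims request parameter.

    Returns None if acr was not requested at all, otherwise (essential, values)
    where values lists the acceptable ACRs ([] if none were named).
    """
    if not claims_param:
        return None
    id_token_claims = json.loads(claims_param).get("id_token") or {}
    if "acr" not in id_token_claims:
        return None
    spec = id_token_claims["acr"]
    if spec is None:                          # "acr": null -> requested, any value
        return (False, [])
    values = list(spec.get("values", []))
    if not values and "value" in spec:
        values = [spec["value"]]
    return (bool(spec.get("essential", False)), values)


def error_redirect(redirect_uri, state):
    """Build the error response as query parameters on the redirect_uri.

    The description is deliberately generic: the thread records the concern
    that a too specific error would tell an attacker which authentication
    requirement this user cannot satisfy.
    """
    parts = urlsplit(redirect_uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("error", UNMET_AUTHN_REQUIREMENTS))
    params.append(("error_description", "The authentication requirements could not be met"))
    if state is not None:                     # echo state so the RP can bind the response
        params.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def op_decide(claims_param, session_acr, redirect_uri, state, step_up=None):
    """OP-side decision for one authorization request.

    session_acr : ACR the End-User's existing session already satisfies.
    step_up     : hypothetical hook callable(values) -> ACR reached after
                  re-authenticating with more factors (the spec says the OP
                  MAY do this), or None if no stronger method is available.
    Returns ("id_token", claims) or ("error", redirect_url).
    """
    request = requested_acr(claims_param)
    if request is None:
        return ("id_token", {"sub": "user-123"})      # acr not requested: omit it

    essential, values = request
    achieved = session_acr
    if values and achieved not in values and step_up is not None:
        reached = step_up(values)
        if reached in values:
            achieved = reached
    if values and achieved not in values and essential:
        # Essential acr that cannot be met: treat as a failed authentication
        # and hand the decision back to the RP with a generic error code.
        return ("error", error_redirect(redirect_uri, state))
    # Voluntary request, or the requirement was met: report what was performed.
    return ("id_token", {"sub": "user-123", "acr": achieved})


def rp_handle_callback(callback_url, expected_state):
    """RP side: classify the redirect the OP sent back."""
    params = dict(parse_qsl(urlsplit(callback_url).query))
    if params.get("state") != expected_state:
        return "reject"                       # CSRF / mix-up: do not act on it
    if params.get("error") == UNMET_AUTHN_REQUIREMENTS:
        return "unmet"                        # RP decides: relax, explain, or deny
    if "error" in params:
        return "other_error"
    return "code" if "code" in params else "reject"


if __name__ == "__main__":
    # Constructed sample: the RP insists on one of two ACRs, the session has a weaker one.
    claims = json.dumps({"id_token": {"acr": {"essential": True,
             "values": ["urn:example:acr:silver", "urn:example:acr:gold"]}}})
    kind, result = op_decide(claims, "urn:example:acr:bronze",
                             "https://rp.example.com/cb?app=1", "af0ifjsldkj")
    print(kind, result)
    print("RP outcome:", rp_handle_callback(result, "af0ifjsldkj"))
```

With no step-up available the OP answers the request above with `error=unmet_authentication_requirements` on the redirect_uri; with a step-up hook that reaches `urn:example:acr:silver` it issues the ID Token with that acr instead. A voluntary (non-essential) acr request never produces the error: the OP simply reports the ACR it actually performed.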

Comments (9)

  1. Michael Jones

    Vittorio points out that "authentication_failed" is pretty generic and could cause confusion. What happened to the idea of a more specific "unable_to_meet_authentication_requirements" error?

    John points out that George Fletcher was worried about leaking information to attackers if the error code is too specific.

  2. Michael Jones

    On the April 1, 2019 call the working group requested that the error code be changed to unmet_authentication_requirements.

  3. Torsten Lodderstedt reporter

    Decision in the call on April 1st to ask the WG for adoption. No objections were raised, so the draft is being adopted.

    Also, it was decided to change the error code name to unmet_authentication_requirements and

  4. Torsten Lodderstedt reporter

    Changed the error name according to the WG's decision and merged the branch into default.

  5. Michael Jones

    Torsten, can you please rename the draft to openid-connect-unmet-authentication-requirements-1_0.xml and update the name in the draft so that the name reflects the error code? Then I’ll publish the initial working group draft.