session_state - upon authentication failure?

Issue #1047 resolved
Filip Skokan created an issue

from: https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.3

When the OP supports session management, it MUST also return the Session State as an additional session_state parameter in the Authentication Response. The OpenID Connect Authentication Response is specified in Section 3.1.2.5 of OpenID Connect Core 1.0.

Section 3.1.2.5 of Core 1.0 is Successful Authentication Response

And yet https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.4.1 at the end of the section says

Note that the session state is origin bound. Session state SHOULD be returned upon an authentication failure.

In the case of an unsuccessful Authentication Request, the value of the session state returned SHOULD vary with each request. However, the browser session state need not change unless a meaningful event happens. In particular, many values of session state can be simultaneously valid, for instance by the introduction of random salt in the session states issued in response to unsuccessful Authentication Requests.

Should session_state be returned with error responses too? If so

  • which ones? all? (server_errors, invalid_request, invalid_client too?) just login_required, interaction_required, account_selection_required, authentication_failed?
  • the reference in section 3 should be updated, it points only to successful response
  • more details around the expected behaviours please, currently it's scattered around the specification and I would expect section 3 to hold all the normative pieces around the parameter, its calculation, etc., together
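The quoted text from section 4.1 says that many session_state values can be simultaneously valid for one browser session because each one carries its own random salt. The following is an added example (not code from the specification, the issue reporter, or any OP implementation) that shows why that works: an OP derives session_state from client_id, the RP origin, its own browser-state value and a fresh salt, and the checking side recovers the salt from the value and recomputes. The string layout `client_id + " " + origin + " " + OP browser state + " " + salt` hashed with SHA-256 and suffixed with `"." + salt` follows the construction described in the Session Management spec, section 4.2; the exact concatenation is an assumption here and should be checked against that section. All client ids, origins and browser-state values are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def compute_session_state(client_id: str, origin: str, op_browser_state: str,
                          salt: Optional[str] = None) -> str:
    """OP side: derive a session_state value for one Authentication Response.

    A fresh random salt is drawn when none is supplied, so two responses for the
    same browser state (e.g. repeated unsuccessful requests) yield different values
    that are nevertheless all valid. Layout assumed from Session Management sec. 4.2.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    material = f"{client_id} {origin} {op_browser_state} {salt}".encode("utf-8")
    digest = hashlib.sha256(material).hexdigest()
    return f"{digest}.{salt}"


def session_state_matches(session_state: str, client_id: str, origin: str,
                          op_browser_state: str) -> bool:
    """Checking side: split off the salt, recompute, compare in constant time.

    Because the salt travels inside the value, the checker does not need to
    remember which salts were issued; any value derived from the current
    browser state verifies, and any value for another origin or an older
    browser state does not.
    """
    digest, sep, salt = session_state.rpartition(".")
    if not sep or not digest or not salt:
        return False  # malformed value, not "digest.salt"
    expected = compute_session_state(client_id, origin, op_browser_state, salt)
    return hmac.compare_digest(expected, session_state)


def demo() -> dict:
    """Walk through the properties the spec text relies on, with constructed data."""
    client_id = "rp-client-123"            # constructed
    origin = "https://rp.example"          # constructed RP origin
    browser_state = "opbs-session-abc"     # constructed OP browser-state value

    first = compute_session_state(client_id, origin, browser_state)
    second = compute_session_state(client_id, origin, browser_state)

    return {
        # values vary per request even though the browser state did not change
        "values_differ": first != second,
        # ...yet both are simultaneously valid for that browser state
        "both_valid": (session_state_matches(first, client_id, origin, browser_state)
                       and session_state_matches(second, client_id, origin, browser_state)),
        # origin-bound: the same value does not verify for a different origin
        "other_origin_rejected": not session_state_matches(
            first, client_id, "https://other.example", browser_state),
        # a meaningful event (browser state changed) invalidates earlier values
        "state_change_rejected": not session_state_matches(
            first, client_id, origin, "opbs-session-new"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the module prints four properties, all `True`: repeated responses carry different values, both verify against the unchanged browser state, and changing either the origin or the browser state makes the old value fail. That is the behaviour the quoted section 4.1 text describes for unsuccessful requests, independent of whether the value is carried on a success or an error response.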

Comments (7)

  1. Filip Skokan reporter
    • edited description

    realized there are more references to this topic throughout the spec, updated the original description.

  2. Michael Jones

    We clearly need to update the session state when going from an authenticated to unauthenticated state and vice versa. It's not clear if or how the session state should change when going from one unauthenticated state to another. Comments are solicited!
