CIBA: error=expired_token in the push mode

Issue #143 resolved
Takahiko Kawasaki
created an issue

"12. Push Error Payload" lists expired_token as an error code, and its description reads as follows:

The auth_req_id has expired. The Client will need to make a new Authentication Request. OpenID Providers are not required to send this error, but Clients SHOULD support receiving this error.

However, there is no chance that OpenID provider implementations use the error code in the push mode unless the implementations repurpose the error code, for example, for a case where end-user authentication and authorization could not finish in a reasonable amount of time which is longer than the lifetime of the auth_req_id. So, I'm afraid it would be better to remove expired_token from the list of error codes applicable to the push error payload.

Comments (8)

  1. Takahiko Kawasaki reporter

    I mean, when the server gives up authenticating the end-user for some reasons (e.g. because the server found an error in the infrastructure by which the server communicates with the authentication device),

    (1) if the auth_req_id has not expired yet, expired_token is not appropriate as the reason of the error.

    (2) if the auth_req_id has already expired, however, the fact that the auth_req_id has already expired is not the reason of the error. It is just one of the phenomena that were observed when the server gave up authenticating the end-user.

    In other words, when the server wants to say "I gave up accomplishing end-user authentication", expired_token is not the correct error reason regardless of whether the auth_req_id has expired or not.

    (Correct me if I'm missing something.)

  2. Joseph Heenan

    (2) if the auth_req_id has already expired, however, the fact that the auth_req_id has already expired is not the reason of the error. It is just one of the phenomena that were observed when the server gave up authenticating the end-user.

    In general I think the AS should not call the client after auth_req_id has expired except when it wants to tell the client the request has expired.

    I think I agree with your other point - essentially you're suggesting that CIBA should allow one of the OAuth 2.0 errors like server_error or temporarily_unavailable to be sent in the push error payload?

  3. Dave Tonge

    So the difficulty is what should the error name be? Essentially we want a catch-all error which allows the OP to signal to the RP that it has given up with the request not because the user has denied access or because the session has expired.

    Thinking about this further, I suggest that we adjust the definition of expired_token to cover the situation of the auth_req_id having expired or any other reason that the OP has decided to expire the session. The reason the session expired doesn't actually matter; it just means that the RP should stop waiting for an answer and should potentially start a new flow.

    I'll open a PR with a suggested change for feedback.

  4. Brian Campbell

    Pull Request #62 has an alternative proposed resolution for this, as discussed some in the comments of pull request #57, that adds a new error code to section 12. Push Error Payload.

    transaction_failed:
    The OpenID Provider encountered an unexpected condition that prevented it from successfully completing the transaction. This general case error code can be used to inform the Client that the CIBA transaction was unsuccessful for reasons other than those explicitly defined by access_denied and expired_token.

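The following is an added, constructed example and not code from the CIBA specification, from this issue's participants, or from any OpenID Provider implementation. It models the Client side of push mode: the client_notification_endpoint that receives the OP's POST, checks the bearer token against the client_notification_token the Client sent, correlates on auth_req_id, and then applies the error semantics discussed in this thread. Every push error code is terminal for that auth_req_id; expired_token and the proposed transaction_failed are flagged as candidates for starting a new Authentication Request, while access_denied is not. It also surfaces the observation from the issue body: an expired_token that arrives before the Client's own copy of the expires_in deadline has passed means the OP is using the code for something other than auth_req_id expiry. The HTTP status codes returned for rejected callbacks (400/401) are an assumption for illustration; the spec only defines the response to a well-formed push.

```python
"""Constructed example: Client side of CIBA push mode (not spec or OP code)."""
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Codes a Client should be prepared to receive in a push error payload.
# All of them are terminal: the Client stops waiting on that auth_req_id.
TERMINAL_ERRORS = {"access_denied", "expired_token", "transaction_failed"}
# Codes after which starting a new Authentication Request is sensible.
RETRY_AFTER = {"expired_token", "transaction_failed"}


@dataclass
class PendingRequest:
    auth_req_id: str
    client_notification_token: str  # sent by the Client, echoed back by the OP as a bearer token
    expires_at: float               # local deadline computed from the OP's expires_in


@dataclass
class CibaPushClient:
    pending: dict = field(default_factory=dict)

    def start(self, auth_req_id, expires_in, now=None):
        """Record an Authentication Request the OP accepted.

        auth_req_id and expires_in come from the OP's authentication response;
        the returned token is the client_notification_token the Client sent.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[auth_req_id] = PendingRequest(auth_req_id, token, now + expires_in)
        return token

    def handle_notification(self, authorization_header, raw_body, now=None):
        """Process one POST to the client_notification_endpoint.

        Returns (http_status, outcome). The outcome tells the caller what to
        do next: use the tokens, stop waiting, or start a new flow.
        Status codes for rejected callbacks are an assumption of this example.
        """
        now = time.time() if now is None else now
        # 1. The OP must present the Client's own notification token as a bearer token.
        scheme, _, presented = (authorization_header or "").partition(" ")
        if scheme != "Bearer" or not presented:
            return 401, {"status": "rejected", "reason": "missing bearer token"}
        try:
            body = json.loads(raw_body)
        except ValueError:
            return 400, {"status": "rejected", "reason": "malformed JSON"}
        # 2. Correlate on auth_req_id before trusting anything else in the payload.
        req = self.pending.get(body.get("auth_req_id"))
        if req is None:
            return 400, {"status": "rejected", "reason": "unknown auth_req_id"}
        # Constant-time compare so a forged callback cannot probe the token byte by byte.
        if not hmac.compare_digest(presented.encode(), req.client_notification_token.encode()):
            return 401, {"status": "rejected", "reason": "bearer token mismatch"}

        # 3. Error payload: whatever the code, this auth_req_id is finished.
        if "error" in body:
            code = body["error"]
            del self.pending[req.auth_req_id]
            return 204, {
                "status": "error",
                "error": code,
                "error_description": body.get("error_description"),
                "known_code": code in TERMINAL_ERRORS,
                # Unknown codes are treated as terminal with no retry hint.
                "retry": code in RETRY_AFTER,
                # The point raised in this issue: expired_token while the Client's own
                # deadline has not passed means the OP is repurposing the code.
                "before_local_expiry": code == "expired_token" and now < req.expires_at,
            }

        # 4. Success payload: the token response is carried inside the push.
        if not body.get("access_token") or not body.get("token_type"):
            return 400, {"status": "rejected", "reason": "incomplete token response"}
        del self.pending[req.auth_req_id]
        keys = ("access_token", "token_type", "id_token", "refresh_token", "expires_in")
        return 204, {"status": "tokens", "tokens": {k: body[k] for k in keys if k in body}}
```

Note that the Client derives its own deadline from expires_in at the time the authentication response arrives. That local clock is what lets it tell an expired_token that reports genuine auth_req_id expiry apart from one an OP sends early as a catch-all, which is the ambiguity the thread converges on resolving with a separate transaction_failed code.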