CIBA: error=expired_token in the push mode
Issue #143
resolved
"12. Push Error Payload" lists expired_token as an error code and its description says as follows.
The
auth_req_idhas expired. The Client will need to make a new Authentication Request. OpenID Providers are not required to send this error, but Clients SHOULD support receiving this error.
However, there is no chance that OpenID provider implementations use the error code in the push mode unless the implementations repurpose the error code, for example, for a case where end-user authentication and authorization could not finish in a reasonable amount of time which is longer than the lifetime of the auth_req_id. So, I'm afraid it would be better to remove expired_token from the list of error codes applicable to the push error payload.
Comments (8)
-
reporter
-
(2) if the auth_req_id has already expired, however, the fact that the auth_req_id has already expired is not the reason of the error. It is just one of phenomena that were observed when the server gave up authenticating the end-user.
In general I think the AS should not call the client after auth_req_id has expired except when it wants to tell the client the request has expired.
I think I agree with your other point - essentially you're suggesting that CIBA should allow one of the oauth2 errors like server_error or temporarily_unavailable to be sent in the push error payload?
-
So we have this issue open: https://bitbucket.org/openid/mobile/issues/85/ciba-notifying-the-client-when-a-user Please take a look and see what you think of the suggestions.
-
So the difficulty is what should the error name be? Essentially we want a catch-all error which allows the OP to signal to the RP that it has given up with the request not because the user has denied access or because the session has expired.
Thinking about this further I suggest that we adjust the definition of
expired_tokento cover the situation of the auth_req_id having expired or any other reason that the OP has decided to expire the session. It doesn't actually matter the reason that the session has expired, it just means that the RP should stop waiting for an answer and should potentially start a new flow.I'll open a PR with a suggested change for feedback.
-
-
-
assigned issue to
Dave Tonge
-
assigned issue to
-
Pull Request
#62has an alternative proposed resolution for this, as discussed some in the comments of pull request #57, that adds a new error code to section 12. Push Error Payload.transaction_failed: The OpenID Provider encountered an unexpected condition that prevented it from successfully completing the transaction. This general case error code can be used to inform the Client that the CIBA transaction was unsuccessful for reasons other than those explicitly defined by access_denied and expired_token.
-
- changed status to resolved
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- CIBA
- Milestone
- CIBA Implementer's Draft
- Votes
- 0
- Watchers
- 0
I mean, when the server gives up authenticating the end-user for some reasons (e.g. because the server found an error in the infrastructure by which the server communicates with the authentication device),
(1) if the
auth_req_idhas not expired yet,expired_tokenis not appropriate as the reason of the error.(2) if the
auth_req_idhas already expired, however, the fact that theauth_req_idhas already expired is not the reason of the error. It is just one of phenomena that were observed when the server gave up authenticating the end-user.In other words, when the server wants to say "I gave up accomplishing end-user authentication",
expired_tokenis not the correct error reason regardless of whether theauth_req_idhas expired or not.(Correct me if I'm missing something.)