OpenID Connect Core Unmet Authentication | June 2019 | |
Lodderstedt | Standards Track | [Page] |
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.¶
This specification augments OpenID Connect Core 1.0 by defining an additional
error code unmet_authentication_requirements
to allow the
OpenID Provider to signal to the Relying Party it failed to authenticate
the End-User according to the requirements of the Relying Party.¶
An Authentication Error Response is an OAuth 2.0 [RFC6749] Authorization Error Response message returned from the OP's Authorization Endpoint in response to the Authorization Request message sent by the RP.¶
In addition to the error codes defined in Section 4.1.2.1 of OAuth 2.0 [RFC6749] and Section 3.1.2.6. of OpenID Connect Core [OpenID.Core], this specification also defines the following error code:¶
acr
claim as specified in
Section 5.5.1.1.
of OpenID Connect Core [OpenID.Core] and the OP is
unable to meet this requirement and MAY be used in other cases, if appropriate.¶
This specification registers the following error in the IANA OAuth Extensions Error registry [IANA.OAuth.Parameters] established by RFC 6749 [RFC6749].¶
The OpenID Community would like to thank the following people for their contributions to this specification:¶
Copyright (c) 2019 The OpenID Foundation.¶
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.¶
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.¶
[[ To be removed from the approved specification ]]¶
-01¶
-00¶
first version¶