T. Lodderstedt YES May 08, 2019 OpenID Connect Core Error Code unmet_authentication_requirements openid-connect-core-unmet-authentication-requirements-1_0 Abstract OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. This specification augments OpenID Connect Core 1.0 by defining an additional error code "unmet_authentication_requirements" to allow the OpenID Provider to signal to the Relying Party it failed to authenticate the End-User according to the requirements of the Relying Party. Table of Contents 1. Authentication Error Definition . . . . . . . . . . . . . . . 1 2. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 2 2.1. OAuth Extensions Error Registration . . . . . . . . . . . 2 2.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 2 3. Normative References . . . . . . . . . . . . . . . . . . . . 2 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 2 Appendix B. Notices . . . . . . . . . . . . . . . . . . . . . . 3 Appendix C. Document History . . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Authentication Error Definition An Authentication Error Response is an OAuth 2.0 Authorization Error Response message returned from the OP's Authorization Endpoint in response to the Authorization Request message sent by the RP. In addition to the error codes defined in Section 4.1.2.1 of OAuth 2.0 [RFC6749] and Section 3.1.2.6. of OpenID Connect Core [OpenID.Core], this specification also defines the following error code: unmet_authentication_requirements The Authorization Server is unable to meet the requirements imposed by the Relying Party regarding the authentication of the Lodderstedt Expires November 9, 2019 [Page 1] OpenID Connect Core Unmet Authentication Requirements 1.0ay 2019 End-User. This error code SHALL be used if the Relying Party wants the OP to conform to a certain Authentication Context Class Reference value using an essential claim "acr" claim as specified in Section 5.5.1.1. of OpenID Connect Core [OpenID.Core] and the OP is unable to meet this requirement and MAY be used in other cases if appropriate. 2. IANA Considerations 2.1. OAuth Extensions Error Registration This specification registers the following error in the IANA OAuth Extensions Error registry [IANA.OAuth.Parameters] established by RFC 6749 [RFC6749]. 2.1.1. Registry Contents o Error name: "unmet_authentication_requirements" o Error usage location: Authorization Endpoint o Related protocol extension: OpenID Connect o Change controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net o Specification document(s): Section 1 of this document 3. Normative References [IANA.OAuth.Parameters] IANA, "OAuth Parameters", . [OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0", April 2017, . [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, . Appendix A. Acknowledgements The OpenID Community would like to thank the following people for their contributions to this specification: Nat Sakimura Phil Hunt George Fletcher Vladimir Dzhuvinov Lodderstedt Expires November 9, 2019 [Page 2] OpenID Connect Core Unmet Authentication Requirements 1.0ay 2019 Mike Jones Appendix B. Notices Copyright (c) 2019 The OpenID Foundation. The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF. The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non- infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification. Appendix C. Document History [[ To be removed from the approved errata ]] -01 o changed error name to unmet_authentication_requirements -00 Lodderstedt Expires November 9, 2019 [Page 3] OpenID Connect Core Unmet Authentication Requirements 1.0ay 2019 o first version Author's Address Torsten Lodderstedt yes.com Email: torsten@lodderstedt.net Lodderstedt Expires November 9, 2019 [Page 4]