OpenID Connect Core Unmet Authentication November 2022
Lodderstedt Standards Track [Page]
Status:
Final
Published:
Author:
T. Lodderstedt
yes.com

OpenID Connect Core Error Code unmet_authentication_requirements

Abstract

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This specification augments OpenID Connect Core 1.0 by defining an additional error code unmet_authentication_requirements to allow the OpenID Provider to signal to the Relying Party it failed to authenticate the End-User according to the requirements of the Relying Party.

Table of Contents

1. Authentication Error Definition

An Authentication Error Response is an OAuth 2.0 [RFC6749] Authorization Error Response message returned from the OP's Authorization Endpoint in response to the Authorization Request message sent by the RP.

In addition to the error codes defined in Section 4.1.2.1 of OAuth 2.0 [RFC6749] and Section 3.1.2.6. of OpenID Connect Core [OpenID.Core], this specification also defines the following error code:

unmet_authentication_requirements
The Authorization Server is unable to meet the requirements of the Relying Party for the authentication of the End-User. This error code SHALL be used if the Relying Party wants the OP to conform to a certain Authentication Context Class Reference value using an essential claim acr claim as specified in Section 5.5.1.1. of OpenID Connect Core [OpenID.Core] and the OP is unable to meet this requirement and MAY be used in other cases, if appropriate.

2. IANA Considerations

2.1. OAuth Extensions Error Registration

This specification registers the following error in the IANA OAuth Extensions Error registry [IANA.OAuth.Parameters] established by RFC 6749 [RFC6749].

2.1.1. Registry Contents

  • Error name: unmet_authentication_requirements
  • Error usage location: Authorization Endpoint
  • Related protocol extension: OpenID Connect
  • Change controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
  • Specification document(s): Section 1 of this document

3. Normative References

[IANA.OAuth.Parameters]
IANA, "OAuth Parameters", <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml>.
[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M.B., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0", , <http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/info/rfc6749>.

Appendix A. Acknowledgements

The OpenID Community would like to thank the following people for their contributions to this specification:

Appendix B. Notices

Copyright (c) 2022 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Author's Address

Torsten Lodderstedt
yes.com