The resource owner or the authorization server denied the request.

Calling /backchannel/authentication/fail API with this reason implies that the backchannel authentication endpoint is going to return an error of access_denied to the client application without asking the end-user whether she authorizes or rejects the request.

Using this reason will result in "error":"access_denied".

The login_hint_token included in the backchannel authentication request is not valid because it has expired.

Note that the CIBA Core specification does not describe the format of login_hint_token and how to detect expiration.

Using this reason will result in "error":"expired_login_hint_token".

The binding message is invalid or unacceptable for use in the context of the given backchannel authentication request.

Using this reason will result in "error":"invalid_binding_message".

The requested resource is invalid, missing, unknown, or malformed. See "Resource Indicators for OAuth 2.0" for details.

Using this reason will result in "error":"invalid_target".

The user code included in the authentication request is invalid.

Using this reason will result in "error":"invalid_user_code".

A user code is required but the backchannel authentication request does not contain it.

Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION when both the backchannel_user_code_parameter_supported metadata of the server and the backchannel_user_code_parameter metadata of the client are true and the backchannel authentication request does not include the user_code request parameter. In this case, /backchannel/authentication API returns action=BAD_REQUEST with JSON containing "error":"missing_user_code".

Therefore, the authorization server implementation will never have to call /backchannel/authentication/fail API with reason=MISSING_USER_CODE unless the server has intentionally implemented custom rules to require a user code even in the case where the backchannel_user_code_parameter metadata of the client which has made the backchannel authentication request is false.

Using this reason will result in "error":"missing_user_code".

The backchannel authentication request cannot be processed successfully due to a server-side error.

Using this reason will result in "error":"server_error".

The client is not authorized to use the CIBA flow.

Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION in cases where the client does not exist or client authentication has failed. Therefore, the authorization server implementation will never have to call /backchannel/authentication/fail API with reason=UNAUTHORIZED_CLIENT unless the server has intentionally implemented custom rules to reject backchannel authentication requests from particular clients.

Using this reason will result in "error":"unauthorized_client".

The authorization server is not able to identify which end-user the client wishes to be authenticated by means of the hint (login_hint_token, id_token_hint or login_hint) included in the backchannel authentication request.

Using this reason will result in "error":"unknown_user_id".