The authorization server cannot obtain an account selection choice made by the end-user.

Using this reason will result in error=account_selection_required.

The authorization request from the client application contained acr claim in claims request parameter and the claim was marked as essential, but the ACR performed for the end-user does not match any one of the requested ACRs.

Using this reason will result in error=login_required.

The authorization server cannot obtain consent from the end-user.

Using this reason will result in error=consent_required.

The end-user denied the authorization request from the client application.

Using this reason will result in error=access_denied.

The authorization request from the client application requested a specific value for sub claim, but the current end-user (in the case of prompt=none) or the end-user after the authentication is different from the specified value.

Using this reason will result in error=login_required.

The authorization request from the client application contained prompt=none, but the time specified by max_age request parameter or by default_max_age configuration parameter has passed since the time at which the end-user logged in.

See OpenID Connect Core 1.0, 3.1.2.1. Authentication Request for prompt and max_age request parameters.

See OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata for default_max_age configuration parameter.

Using this reason will result in error=login_required.

The authorization server needs interaction with the end-user.

Using this reason will result in error=interaction_required.

The requested resource is invalid, missing, unknown, or malformed. See "Resource Indicators for OAuth 2.0" for details.

Using this reason will result in error=invalid_target.

The authorization request from the client application contained max_age parameter with a non-zero value or the client's configuration has a non-zero value for default_max_age configuration parameter, but the service implementation cannot behave properly based on the max age value mainly because the service implementation does not manage authentication time of end-users.

See OpenID Connect Core 1.0, 3.1.2.1. Authentication Request for max_age request parameter.

See OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata for default_max_age configuration parameter.

Using this reason will result in error=login_required.

The end-user was not authenticated.

Using this reason will result in error=login_required.

The authorization request from the client application contained prompt=none, but any end-user has not logged in.

See OpenID Connect Core 1.0, 3.1.2.1. Authentication Request for prompt request parameter.

Using this reason will result in error=login_required.

Server error.

Using this reason will result in error=server_error.

Unknown reason.

Using this reason will result in error=server_error.