import { BackchannelAuthenticationFailRequest } from "https://deno.land/x/authlete_deno@v1.2.9/mod.ts";
const { Reason } = BackchannelAuthenticationFailRequest;
Failure reasons of authorization requests.
Members
The resource owner or the authorization server denied the request. Calling /backchannel/authentication/fail API with this reason implies that the backchannel authentication endpoint is going to return an error of access_denied to the client application without asking the end-user whether she authorizes or rejects the request.
Using this reason will result in "error":"access_denied".

The login_hint_token included in the backchannel authentication request is not valid because it has expired. Note that the CIBA Core specification does not describe the format of login_hint_token and how to detect expiration.
Using this reason will result in "error":"expired_login_hint_token".

The binding message is invalid or unacceptable for use in the context of the given backchannel authentication request.
Using this reason will result in "error":"invalid_binding_message".

The requested resource is invalid, missing, unknown, or malformed. See "Resource Indicators for OAuth 2.0" for details.
Using this reason will result in "error":"invalid_target".

The user code included in the authentication request is invalid.
Using this reason will result in "error":"invalid_user_code".

A user code is required but the backchannel authentication request does not contain it.
Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION when both the backchannel_user_code_parameter_supported metadata of the server and the backchannel_user_code_parameter metadata of the client are true and the backchannel authentication request does not include the user_code request parameter. In this case, /backchannel/authentication API returns action=BAD_REQUEST with JSON containing "error":"missing_user_code". Therefore, the authorization server implementation will never have to call /backchannel/authentication/fail API with reason=MISSING_USER_CODE unless the server has intentionally implemented custom rules to require a user code even in the case where the backchannel_user_code_parameter metadata of the client which has made the backchannel authentication request is false.
Using this reason will result in "error":"missing_user_code".

The backchannel authentication request cannot be processed successfully due to a server-side error.
Using this reason will result in "error":"server_error".

The client is not authorized to use the CIBA flow.
Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION in cases where the client does not exist or client authentication has failed. Therefore, the authorization server implementation will never have to call /backchannel/authentication/fail API with reason=UNAUTHORIZED_CLIENT unless the server has intentionally implemented custom rules to reject backchannel authentication requests from particular clients.
Using this reason will result in "error":"unauthorized_client".
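
An added example (not part of the library or its documentation) of how an authorization server might pick a reason from its own checks after /backchannel/authentication has returned action=USER_IDENTIFICATION. The context and policy types, the field names, the binding message rule and all Reason names other than MISSING_USER_CODE and UNAUTHORIZED_CLIENT are assumptions made for illustration.

```typescript
// Added example. Local stand-in for the library's Reason values: only
// MISSING_USER_CODE and UNAUTHORIZED_CLIENT are spelled out on the page; the
// other names are assumed to be the upper-cased error codes.
type Reason =
  | "EXPIRED_LOGIN_HINT_TOKEN" | "INVALID_BINDING_MESSAGE"
  | "INVALID_USER_CODE" | "MISSING_USER_CODE" | "UNAUTHORIZED_CLIENT";

// Hypothetical request context and local policy (all field names assumed).
interface CibaContext {
  clientId: string;
  hintTokenExpiresAt?: number; // epoch seconds; token format is server-defined
  bindingMessage?: string;
  userCode?: string;           // user_code sent by the client
  registeredUserCode?: string; // code the identified user has set up
}
interface LocalPolicy {
  blockedClients: Set<string>;    // custom rule: clients barred from CIBA
  alwaysRequireUserCode: boolean; // custom rule: ignore client metadata
  maxBindingMessageLength: number;
}

// Compare without returning early on the first differing character.
function sameCode(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns the reason to send to /backchannel/authentication/fail, or null
// when the request may proceed to end-user authentication.
function chooseFailReason(ctx: CibaContext, policy: LocalPolicy, now: number): Reason | null {
  if (policy.blockedClients.has(ctx.clientId)) return "UNAUTHORIZED_CLIENT";
  if (ctx.hintTokenExpiresAt !== undefined && ctx.hintTokenExpiresAt <= now) {
    return "EXPIRED_LOGIN_HINT_TOKEN";
  }
  const msg = ctx.bindingMessage;
  if (msg !== undefined &&
      (msg.length > policy.maxBindingMessageLength || !/^[\x20-\x7E]+$/.test(msg))) {
    return "INVALID_BINDING_MESSAGE";
  }
  if (ctx.userCode === undefined) {
    return policy.alwaysRequireUserCode ? "MISSING_USER_CODE" : null;
  }
  const expected = ctx.registeredUserCode;
  if (expected === undefined || !sameCode(ctx.userCode, expected)) return "INVALID_USER_CODE";
  return null;
}

// Per the page, each reason yields the matching lower-case "error" value.
function errorFor(reason: Reason): string {
  return reason.toLowerCase();
}
```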