Package com.nimbusds.openid.connect.sdk

Class AuthenticationErrorResponse

java.lang.Object
com.nimbusds.oauth2.sdk.AuthorizationResponse
com.nimbusds.oauth2.sdk.AuthorizationErrorResponse
com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse
All Implemented Interfaces:
ErrorResponse, Message, Response, AuthenticationResponse
@Immutable public class AuthenticationErrorResponse extends AuthorizationErrorResponse implements AuthenticationResponse
OpenID Connect authentication error response. Intended only for errors which are allowed to be communicated back to the requesting OAuth 2.0 client, such as access_denied. For a complete list see OAuth 2.0 (RFC 6749), sections 4.1.2.1 and 4.2.2.1, OpenID Connect Core 1.0 section 3.1.2.6.

If the authorisation request fails due to a missing, invalid, or mismatching redirect_uri, or if the client_id is missing or invalid, a response must not be sent back to the requesting client. Instead, the OpenID provider should simply display the error to the end-user.

Standard errors:

Example HTTP response: 

 HTTP/1.1 302 Found
 Location: https://client.example.org/cb?
           error=invalid_request
           &error_description=the%20request%20is%20not%20valid%20or%20malformed
           &state=af0ifjsldkj

Related specifications:

  • OpenID Connect Core 1.0
  • OpenID Connect Core Unmet Authentication Requirements 1.0
  • OAuth 2.0 (RFC 6749)
  • OAuth 2.0 Multiple Response Type Encoding Practices 1.0
  • OAuth 2.0 Form Post Response Mode 1.0
  • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
  • OAuth 2.0 Authorization Server Issuer Identification (RFC 9207)

  • Constructor Details

    • AuthenticationErrorResponse

      public AuthenticationErrorResponse(URI redirectURI, ErrorObject error, State state, ResponseMode rm)
      Creates a new OpenID Connect authentication error response.
      Parameters:
      redirectURI - The base redirection URI. Must not be null.
      error - The error. Should match one of the standard errors for an OpenID Connect authentication error response. Must not be null.
      state - The state, null if not requested.
      rm - The implied response mode, null if unknown.

    • AuthenticationErrorResponse

      public AuthenticationErrorResponse(URI redirectURI, ErrorObject error, State state, Issuer issuer, ResponseMode rm)
      Creates a new OpenID Connect authentication error response.
      Parameters:
      redirectURI - The base redirection URI. Must not be null.
      error - The error. Should match one of the standard errors for an OpenID Connect authentication error response. Must not be null.
      state - The state, null if not requested.
      issuer - The issuer, null if not specified.
      rm - The implied response mode, null if unknown.

    • AuthenticationErrorResponse

      public AuthenticationErrorResponse(URI redirectURI, com.nimbusds.jwt.JWT jwtResponse, ResponseMode rm)
      Creates a new JSON Web Token (JWT) secured OpenID Connect authentication error response.
      Parameters:
      redirectURI - The base redirection URI. Must not be null.
      jwtResponse - The JWT-secured response. Must not be null.
      rm - The implied response mode, null if unknown.

  • Method Details

    • getStandardErrors

      public static Set<ErrorObject> getStandardErrors()
      Gets the standard errors for an OpenID Connect authentication error response.
      Returns:
      The standard errors, as a read-only set.

    • toSuccessResponse

      public AuthenticationSuccessResponse toSuccessResponse()
      Description copied from class: AuthorizationResponse
      Casts this response to an authorisation success response.
      Specified by:
      toSuccessResponse in interface AuthenticationResponse
      Overrides:
      toSuccessResponse in class AuthorizationResponse
      Returns:
      The authorisation success response.

    • toErrorResponse

      public AuthenticationErrorResponse toErrorResponse()
      Description copied from class: AuthorizationResponse
      Casts this response to an authorisation error response.
      Specified by:
      toErrorResponse in interface AuthenticationResponse
      Overrides:
      toErrorResponse in class AuthorizationResponse
      Returns:
      The authorisation error response.

    • parse

      public static AuthenticationErrorResponse parse(URI redirectURI, Map<String,List<String>> params) throws ParseException
      Parses an OpenID Connect authentication error response.
      Parameters:
      redirectURI - The base redirection URI. Must not be null.
      params - The response parameters to parse. Must not be null.
      Returns:
      The OpenID Connect authentication error response.
      Throws:
      ParseException - If the parameters couldn't be parsed to an OpenID Connect authentication error response.

    • parse

      public static AuthenticationErrorResponse parse(URI uri) throws ParseException
      Parses an OpenID Connect authentication error response.

      Use a relative URI if the host, port and path details are not known: 

       URI relUrl = new URI("https:///?error=invalid_request");

      Example URI: 

       https://client.example.com/cb?
 error=invalid_request
 &error_description=the%20request%20is%20not%20valid%20or%20malformed
 &state=af0ifjsldkj
      Parameters:
      uri - The URI to parse. Can be absolute or relative, with a fragment or query string containing the authorisation response parameters. Must not be null.
      Returns:
      The OpenID Connect authentication error response.
      Throws:
      ParseException - If the URI couldn't be parsed to an OpenID Connect authentication error response.

    • parse

      public static AuthenticationErrorResponse parse(HTTPResponse httpResponse) throws ParseException
      Parses an OpenID Connect authentication error response from the specified initial HTTP 302 redirect response generated at the authorisation endpoint.

      Example HTTP response: 

       HTTP/1.1 302 Found
 Location: https://client.example.com/cb?error=invalid_request&state=af0ifjsldkj
      Parameters:
      httpResponse - The HTTP response to parse. Must not be null.
      Returns:
      The OpenID Connect authentication error response.
      Throws:
      ParseException - If the HTTP response couldn't be parsed to an OpenID Connect authentication error response.

    • parse

      public static AuthenticationErrorResponse parse(HTTPRequest httpRequest) throws ParseException
      Parses an OpenID Connect authentication error response from the specified HTTP request at the client redirection (callback) URI. Applies to query, fragment and form_post response modes.

      Example HTTP request (authorisation success): 

       GET /cb?error=invalid_request&state=af0ifjsldkj HTTP/1.1
 Host: client.example.com
      Parameters:
      httpRequest - The HTTP request to parse. Must not be null.
      Returns:
      The authentication error response.
      Throws:
      ParseException - If the HTTP request couldn't be parsed to an OpenID Connect authentication error response.
      See Also: