Package com.nimbusds.openid.connect.sdk

Class AuthenticationErrorResponse

java.lang.Object

com.nimbusds.oauth2.sdk.AuthorizationResponse

com.nimbusds.oauth2.sdk.AuthorizationErrorResponse

com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse

All Implemented Interfaces:

ErrorResponse, Message, Response, AuthenticationResponse

@Immutable
public class AuthenticationErrorResponse
extends AuthorizationErrorResponse
implements AuthenticationResponse

OpenID Connect authentication error response. Intended only for errors which are allowed to be communicated back to the requesting OAuth 2.0 client, such as access_denied. For a complete list see OAuth 2.0 (RFC 6749), sections 4.1.2.1 and 4.2.2.1, OpenID Connect Core 1.0 section 3.1.2.6.

If the authorisation request fails due to a missing, invalid, or mismatching redirect_uri, or if the client_id is missing or invalid, a response must not be sent back to the requesting client. Instead, the OpenID provider should simply display the error to the end-user.

Standard errors:

• OAuth 2.0 authorisation errors:
  • OAuth2Error.INVALID_REQUEST
  • OAuth2Error.UNAUTHORIZED_CLIENT
  • OAuth2Error.ACCESS_DENIED
  • OAuth2Error.UNSUPPORTED_RESPONSE_TYPE
  • OAuth2Error.INVALID_SCOPE
  • OAuth2Error.SERVER_ERROR
  • OAuth2Error.TEMPORARILY_UNAVAILABLE
• OpenID Connect specific errors:
  • OIDCError.INTERACTION_REQUIRED
  • OIDCError.LOGIN_REQUIRED
  • OIDCError.ACCOUNT_SELECTION_REQUIRED
  • OIDCError.CONSENT_REQUIRED
  • OAuth2Error.INVALID_REQUEST_URI
  • OAuth2Error.INVALID_REQUEST_OBJECT
  • OIDCError.REGISTRATION_NOT_SUPPORTED
  • OAuth2Error.REQUEST_NOT_SUPPORTED
  • OAuth2Error.REQUEST_URI_NOT_SUPPORTED

Example HTTP response:

 HTTP/1.1 302 Found
 Location: https://client.example.org/cb?
           error=invalid_request
           &error_description=the%20request%20is%20not%20valid%20or%20malformed
           &state=af0ifjsldkj
 

Related specifications:

• OpenID Connect Core 1.0, section 3.1.2.6.
• OpenID Connect Core Unmet Authentication Requirements 1.0.
• OAuth 2.0 (RFC 6749), sections 4.1.2.1 and 4.2.2.1.
• OAuth 2.0 Multiple Response Type Encoding Practices 1.0.
• OAuth 2.0 Form Post Response Mode 1.0.
• Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).

Constructor Summary

Constructors

Constructor	Description
AuthenticationErrorResponse(URI redirectURI, com.nimbusds.jwt.JWT jwtResponse, ResponseMode rm)	Creates a new JSON Web Token (JWT) secured OpenID Connect authentication error response.
AuthenticationErrorResponse(URI redirectURI, ErrorObject error, State state, ResponseMode rm)	Creates a new OpenID Connect authentication error response.

Method Summary

Modifier and Type	Method	Description
static Set<ErrorObject>	getStandardErrors()	Gets the standard errors for an OpenID Connect authentication error response.
static AuthenticationErrorResponse	parse(HTTPRequest httpRequest)	Parses an OpenID Connect authentication error response from the specified HTTP request at the client redirection (callback) URI.
static AuthenticationErrorResponse	parse(HTTPResponse httpResponse)	Parses an OpenID Connect authentication error response from the specified initial HTTP 302 redirect response generated at the authorisation endpoint.
static AuthenticationErrorResponse	parse(URI uri)	Parses an OpenID Connect authentication error response.
static AuthenticationErrorResponse	parse(URI redirectURI, Map<String,List<String>> params)	Parses an OpenID Connect authentication error response.
AuthenticationErrorResponse	toErrorResponse()	Casts this response to an authorisation error response.
AuthenticationSuccessResponse	toSuccessResponse()	Casts this response to an authorisation success response.

Methods inherited from class com.nimbusds.oauth2.sdk.AuthorizationErrorResponse

getErrorObject, impliedResponseMode, indicatesSuccess, toParameters

Methods inherited from class com.nimbusds.oauth2.sdk.AuthorizationResponse

getJWTResponse, getRedirectionURI, getResponseMode, getState, parse, parse, parse, parse, parseResponseParameters, parseResponseParameters, toHTTPRequest, toHTTPResponse, toURI

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.nimbusds.openid.connect.sdk.AuthenticationResponse

getRedirectionURI, getState

Methods inherited from interface com.nimbusds.oauth2.sdk.Response

indicatesSuccess, toHTTPResponse

Constructor Detail

AuthenticationErrorResponse

public AuthenticationErrorResponse(URI redirectURI,
                                   ErrorObject error,
                                   State state,
                                   ResponseMode rm)

Creates a new OpenID Connect authentication error response.

Parameters:

redirectURI - The base redirection URI. Must not be null.

error - The error. Should match one of the standard errors for an OpenID Connect authentication error response. Must not be null.

state - The state, null if not requested.

rm - The implied response mode, null if unknown.

AuthenticationErrorResponse

public AuthenticationErrorResponse(URI redirectURI,
                                   com.nimbusds.jwt.JWT jwtResponse,
                                   ResponseMode rm)

Creates a new JSON Web Token (JWT) secured OpenID Connect authentication error response.

Parameters:

redirectURI - The base redirection URI. Must not be null.

jwtResponse - The JWT-secured response. Must not be null.

rm - The implied response mode, null if unknown.

Method Detail

getStandardErrors

public static Set<ErrorObject> getStandardErrors()

Gets the standard errors for an OpenID Connect authentication error response.

Returns:

The standard errors, as a read-only set.

toSuccessResponse

public AuthenticationSuccessResponse toSuccessResponse()

Description copied from class: AuthorizationResponse

Casts this response to an authorisation success response.

Specified by:

toSuccessResponse in interface AuthenticationResponse

Overrides:

toSuccessResponse in class AuthorizationResponse

Returns:

The authorisation success response.

toErrorResponse

public AuthenticationErrorResponse toErrorResponse()

Description copied from class: AuthorizationResponse

Casts this response to an authorisation error response.

Specified by:

toErrorResponse in interface AuthenticationResponse

Overrides:

toErrorResponse in class AuthorizationResponse

Returns:

The authorisation error response.

parse

public static AuthenticationErrorResponse parse(URI redirectURI,
                                                Map<String,List<String>> params)
                                         throws ParseException

Parses an OpenID Connect authentication error response.

Parameters:

redirectURI - The base redirection URI. Must not be null.

params - The response parameters to parse. Must not be null.

Returns:

The OpenID Connect authentication error response.

Throws:

ParseException - If the parameters couldn't be parsed to an OpenID Connect authentication error response.

parse

public static AuthenticationErrorResponse parse(URI uri)
                                         throws ParseException

Parses an OpenID Connect authentication error response.

Use a relative URI if the host, port and path details are not known:

 URI relUrl = new URI("https:///?error=invalid_request");
 

Example URI:

 https://client.example.com/cb?
 error=invalid_request
 &error_description=the%20request%20is%20not%20valid%20or%20malformed
 &state=af0ifjsldkj
 

Parameters:

uri - The URI to parse. Can be absolute or relative, with a fragment or query string containing the authorisation response parameters. Must not be null.

Returns:

The OpenID Connect authentication error response.

Throws:

ParseException - If the URI couldn't be parsed to an OpenID Connect authentication error response.

parse

public static AuthenticationErrorResponse parse(HTTPResponse httpResponse)
                                         throws ParseException

Parses an OpenID Connect authentication error response from the specified initial HTTP 302 redirect response generated at the authorisation endpoint.

Example HTTP response:

 HTTP/1.1 302 Found
 Location: https://client.example.com/cb?error=invalid_request&state=af0ifjsldkj
 

Parameters:

httpResponse - The HTTP response to parse. Must not be null.

Returns:

The OpenID Connect authentication error response.

Throws:

ParseException - If the HTTP response couldn't be parsed to an OpenID Connect authentication error response.

parse

public static AuthenticationErrorResponse parse(HTTPRequest httpRequest)
                                         throws ParseException

Parses an OpenID Connect authentication error response from the specified HTTP request at the client redirection (callback) URI. Applies to query, fragment and form_post response modes.

Example HTTP request (authorisation success):

 GET /cb?error=invalid_request&state=af0ifjsldkj HTTP/1.1
 Host: client.example.com
 

Parameters:

httpRequest - The HTTP request to parse. Must not be null.

Returns:

The authentication error response.

Throws:

ParseException - If the HTTP request couldn't be parsed to an OpenID Connect authentication error response.

See Also:

parse(HTTPResponse)