Fail Authorization Request - Authlete Documentation

Full description

This API is supposed to be called from within the implementation of the authorization endpoint of the service in order to generate an error response to the client application. The description of the /auth/authorization API describes the timing when this API should be called. The response from /auth/authorization/fail API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of “500 Internal Server Error”. Authlete recommends application/json as the content type. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

The endpoint implementation may return another different response to the client application since “500 Internal Server Error” is not required by OAuth 2.0.

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the ticket is no longer valid (deleted or expired) and that the reason of the invalidity was probably due to the end-user’s too-delayed response to the authorization UI. A response with HTTP status of “400 Bad Request” should be returned to the client application and Authlete recommends application/json as the content type. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

The endpoint implementation may return another different response to the client application since “400 Bad Request” is not required by OAuth 2.0.

LOCATION

When the value of action is LOCATION, it means that the response to the client application must be “302 Found” with Location header. The parameter responseContent contains a redirect URI with (1) an authorization code, an ID token and/or an access token (on success) or (2) an error code (on failure), so it can be used as the value of Location header.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 302 Found
Location: &#123;responseContent&#125;
Cache-Control: no-store
Pragma: no-cache

FORM

When the value of action is FORM, it means that the response to the client application must be 200 OK with an HTML which triggers redirection by JavaScript. This happens when the authorization request from the client application contained response_mode=form_post. The value of responseContent is an HTML which can be used as the entity body of the response.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

Authorizations

Authorization

string

header

required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId

string

required

A service ID.

Body

ticket

string

required

The ticket issued from Authlete /auth/authorization API.

reason

enum<string>

required

The reason of the failure of the authorization request. For more details, see [NO_INTERACTION] in the description of /auth/authorization API.

Available options:

UNKNOWN,

NOT_LOGGED_IN,

MAX_AGE_NOT_SUPPORTED,

EXCEEDS_MAX_AGE,

DIFFERENT_SUBJECT,

ACR_NOT_SATISFIED,

DENIED,

SERVER_ERROR,

NOT_AUTHENTICATED,

ACCOUNT_SELECTION_REQUIRED,

CONSENT_REQUIRED,

INTERACTION_REQUIRED,

INVALID_TARGET

description

string

The custom description about the authorization failure.

Response

resultCode

string

The code which represents the result of the API call.

resultMessage

string

A short message which explains the result of the API call.

action

enum<string>

The next action that the authorization server implementation should take.

Available options:

INTERNAL_SERVER_ERROR,

BAD_REQUEST,

LOCATION,

FORM

responseContent

string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter.

Authlete

​INTERNAL_SERVER_ERROR

​BAD_REQUEST

​LOCATION

​FORM

Authorizations

Path Parameters

Body

Response

INTERNAL_SERVER_ERROR

BAD_REQUEST

LOCATION

FORM