oauth2.dev

insufficient_user_authentication

IETF

Registry Context

An error code used in `WWW-Authenticate` challenges when the authentication event associated with the presented access token does not meet the protected resource's authentication requirements.

Technical Summary

`insufficient_user_authentication` is an error code for Bearer and other OAuth authentication-scheme challenges that use the same error parameter. It indicates that the authentication event associated with the presented access token does not satisfy the protected resource's authentication requirements.

When Used

Used when a resource server determines that the authentication event associated with the presented access token does not meet the protected resource's authentication requirements.

Normative Requirements

Resource servers

MAY
2
  1. RFC 9470 - Section 3

    Include both `max_age` and `acr_values` in the same challenge..

    Condition: When it needs to express requirements about both authentication recency and authentication level.

    The auth-params max_age and acr_values MAY both occur in the same challenge

  2. RFC 9470 - Section 3

    Include the `scope` attribute with the value necessary to access the protected resource..

    Condition: When the request also lacks the scopes required by the requested resource.

    it MAY include the scope attribute with the value necessary to access the protected resource

Challenges

SHOULD
1
  1. RFC 9470 - Section 4

    Parse the `WWW-Authenticate` header for `acr_values` and `max_age` and use them, if present, when constructing an authorization request..

    Condition: When the challenge carries `error="insufficient_user_authentication"`.

    SHOULD parse the WWW-Authenticate header for acr_values and max_age and use them, if present

Validation Guidance

warning

Verify that client logic handling `error="insufficient_user_authentication"` reads `acr_values` and `max_age` from the `WWW-Authenticate` challenge and includes them in the follow-up authorization request when present.

error

If a challenge includes `max_age`, verify that its value represents a non-negative integer.

Reference

Details

Entry Id
insufficient_user_authentication
Name
insufficient_user_authentication
Usage Location
resource access error response
Protocol Extension
OAuth 2.0 Step Up Authentication Challenge Protocol
Change Controller
IETF
Reference
RFC9470 - Section 3