insufficient_ user_ authentication
Registry Context
An error code used in `WWW-Authenticate` challenges when the authentication event associated with the presented access token does not meet the protected resource's authentication requirements.
Technical Summary
`insufficient_user_authentication` is an error code for Bearer and other OAuth authentication-scheme challenges that use the same error parameter. It indicates that the authentication event associated with the presented access token does not satisfy the protected resource's authentication requirements.
When Used
Used when a resource server determines that the authentication event associated with the presented access token does not meet the protected resource's authentication requirements.
Normative Requirements
Resource servers
RFC 9470 - Section 3
Include both `max_age` and `acr_values` in the same challenge..
Condition: When it needs to express requirements about both authentication recency and authentication level.
The auth-params max_age and acr_values MAY both occur in the same challenge
RFC 9470 - Section 3
Include the `scope` attribute with the value necessary to access the protected resource..
Condition: When the request also lacks the scopes required by the requested resource.
it MAY include the scope attribute with the value necessary to access the protected resource
Challenges
RFC 9470 - Section 4
Parse the `WWW-Authenticate` header for `acr_values` and `max_age` and use them, if present, when constructing an authorization request..
Condition: When the challenge carries `error="insufficient_user_authentication"`.
SHOULD parse the WWW-Authenticate header for acr_values and max_age and use them, if present
Validation Guidance
Verify that client logic handling `error="insufficient_user_authentication"` reads `acr_values` and `max_age` from the `WWW-Authenticate` challenge and includes them in the follow-up authorization request when present.
If a challenge includes `max_age`, verify that its value represents a non-negative integer.
Reference
Details
- Entry Id
insufficient_user_ authentication - Name
insufficient_user_ authentication - Usage Location
resource access error response- Protocol Extension
OAuth 2.0 Step Up Authentication Challenge Protocol- Change Controller
IETF- Reference
RFC9470 - Section 3