Redirect Error Codes to your Application
IDW Gateway Error handling
When performing a user verification transaction via Gateway, Iddataweb's
AXN application handles the browser interaction steps via the
/authorize, /token and /userinfo endpoints. In the event that the AXN
encounters an error, it will do one of the following:
- By default, the AXN displays an error description with information
about what went wrong within its own UI.
- If the service is configured to redirect on error, the frontend
redirects to the preconfigured callback URL with an error code
(`error`) and an error description (`error_description`) matching the
OIDC spec, as shown below. To enable this feature, speak to your
solution architect.
Gateway redirect Error Codes
In the Gateway use case, IDW uses either the SAML or the OIDC protocol to
authenticate with the configured IDP and then returns the results. For
SP-initiated OIDC, IDW adheres to both the OpenID Connect (OIDC) error
handling specification and the OAuth 2.0 error response requirements.
Example redirect (line breaks in the Location header added for readability):

```http
HTTP/1.1 302 Found
Location: https://client.example.org/?
  error=invalid_request
  &error_description=missing%20parameter%20in%20request%20asi%208df82ee6-2cf1-4559-a0e7-82d7736dbbe3
```
- `error` is the standardized error code, as listed in the table
below.
- `error_description` provides detailed information about what went
wrong and potential remedies. The asi (also called reference_id) is
appended at the end of the description as a reference for further
troubleshooting. (Note: the error descriptions listed below are common
examples only, not a complete list.)
Spec | Endpoint | Error Code | Meaning | Error Causes and Descriptions |
---|---|---|---|---|
OIDC | /authorize | invalid_request_uri | The request_uri in the Authorization Request returns an error or contains invalid data. | • Invalid redirect URI (no redirect; the AXN displays its own error page) |
OIDC | /authorize | invalid_request_object | The request parameter contains an invalid Request Object. | • Invalid token in request (no redirect; token endpoint only) |
OIDC | /userinfo | invalid_token | The request used an invalid OIDC token. | • The access token is not valid (no redirect; userinfo endpoint only) |
OAuth 2.0 | /authorize | invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. | • Missing parameter in request |
OAuth 2.0 | /authorize | unauthorized_client | The client is not authorized to request an authorization code using this method. | • Client ID is invalid, so no redirect is possible; the user sees the AXN error page |
OAuth 2.0 | /authorize | invalid_scope | The requested scope is invalid, unknown, or malformed. | • IDP not configured, or the wrong IDP used in the URL: error_description=Missing scope - missing idp configuration |
OAuth 2.0 | /authorize | server_error | The authorization server encountered an unexpected condition that prevented it from fulfilling the request. | • JWT not valid or incomplete; returns the description "JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted" |
IDW | /authorize | invalid_login_hint | The login hint value was not valid. | • login_hint supports three methods (unencrypted, signed or secured); using them incorrectly causes this error |
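How a relying party might consume such a redirect, as an added example (not ID DataWeb's or the Gateway's own code): it parses the callback query, separates the trailing asi/reference_id from the human-readable text, classifies the code against the table above, and escapes the description before it is displayed. The optional `state` check (the page's own example carries no `state`), the exact separator between the `asi` label and the UUID, the `KNOWN_ERRORS` mapping, and the constructed `SCOPE_REDIRECT` and `HOSTILE_REDIRECT` sample URLs are assumptions of this example, not documented Gateway behaviour.

```python
"""Parse an IDW Gateway error redirect at the relying party.

Added example, not ID DataWeb's code. It assumes the callback shape shown
on the page: `error` and `error_description` query parameters, with the
asi / reference_id appended to the end of the description as a UUID. The
optional `state` check follows OIDC Core 3.1.2.6; the page's example has
no `state`, so it is an assumption here.
"""
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Codes from the page's table, keyed to the spec and endpoint that emit them.
KNOWN_ERRORS = {
    "invalid_request_uri": "OIDC /authorize",
    "invalid_request_object": "OIDC /authorize",
    "invalid_token": "OIDC /userinfo",
    "invalid_request": "OAuth 2.0 /authorize",
    "unauthorized_client": "OAuth 2.0 /authorize",
    "invalid_scope": "OAuth 2.0 /authorize",
    "server_error": "OAuth 2.0 /authorize",
    "invalid_login_hint": "IDW /authorize",
}

# The page's example redirect, joined onto one line.
EXAMPLE_REDIRECT = (
    "https://client.example.org/?error=invalid_request"
    "&error_description=missing%20parameter%20in%20request"
    "%20asi%208df82ee6-2cf1-4559-a0e7-82d7736dbbe3"
)
# Constructed from the invalid_scope row of the table (no reference id).
SCOPE_REDIRECT = (
    "https://client.example.org/?error=invalid_scope"
    "&error_description=Missing%20scope%20-%20missing%20idp%20configuration"
)
# Constructed: a hostile description, to show why the text must be escaped.
HOSTILE_REDIRECT = (
    "https://client.example.org/?error=invalid_request"
    "&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

# Trailing "asi <uuid>" or "reference_id <uuid>". The separator between the
# label and the UUID is an assumption based on the page's example.
_REF_RE = re.compile(
    r"\b(?:asi|reference_id)\b[\s:=]*"
    r"([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\s*$"
)


def parse_error_redirect(location: str,
                         expected_state: Optional[str] = None) -> Optional[dict]:
    """Return a structured record for an error redirect, or None when the
    redirect is not an error response (e.g. it carries `code` instead)."""
    query = parse_qs(urlsplit(location).query, keep_blank_values=True)
    if "error" not in query:
        return None
    if len(query["error"]) != 1:
        # RFC 6749 forbids repeating a parameter; treat it as malformed.
        raise ValueError("error parameter repeated")
    state = query.get("state", [None])[0]
    if expected_state is not None and state != expected_state:
        # A forged or replayed redirect must not be trusted, even as an error.
        raise ValueError("state mismatch on error redirect")
    error = query["error"][0]
    description = query.get("error_description", [""])[0]
    match = _REF_RE.search(description)
    reference_id = match.group(1).lower() if match else None
    message = description[: match.start()].rstrip() if match else description
    return {
        "error": error,
        "known": error in KNOWN_ERRORS,
        "source": KNOWN_ERRORS.get(error),
        "message": message,
        "reference_id": reference_id,
        # error_description arrived via the user's browser: escape it before
        # it is rendered in your UI, and quote reference_id in support tickets.
        "display": html.escape(message),
    }


if __name__ == "__main__":
    for url in (EXAMPLE_REDIRECT, SCOPE_REDIRECT, HOSTILE_REDIRECT):
        print(parse_error_redirect(url))
```

Treat `error_description` as untrusted input: the callback URL is reachable by anyone who can put a link in front of the user, so whatever text lands in that parameter will be rendered wherever your application shows it. Render only the escaped `display` value, keep the `reference_id` for troubleshooting with IDW, and do not let an error redirect with the wrong `state` (or none, when one was sent) affect the session.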
Consult Section 3.1.2.6 of the OpenID Connect Core 1.0 specification and
Section 4.1.2.1 of The OAuth 2.0 Authorization Framework (RFC 6749).