The spec mentions that implementers should define their own error codes for specific challenges, and Appendix B.2 gives an example of using the `otp_required` error code.
However, the spec also defines insufficient_authorization as:
The presented authorization is insufficient, and the authorization server is requesting the client take additional steps to complete the authorization.
Asking the client to supply an OTP code feels like an 'additional step'. Am I misunderstanding insufficient_authorization?
I'm also curious about the scenario where a user might take one of several possible steps to fulfill a challenge. For example, after providing a username and password a dialog may be presented where the user can choose either 'sending a code via email', 'sending a code via sms' or providing a TOTP code.