Error information and error description - tid-aex
TrivoreID can provide authentication error information to external services when, for example, someone is executing a strong identification. This information is delivered in the URL query parameters error and error_description to the service making the request. These parameters are added to the failureRedirectUri received from the request, or to the redirect_uri in the case of OpenID Connect based login.
The relevant endpoints that use these parameters are listed in the table below.
URL | Description |
---|---|
https://<hostname>/openid/auth | OpenID Connect based authentication URL. Parameters are added to the redirect_uri. |
https://<hostname>/openid/link-account | Link account service which allows users to link their accounts with another account from available user directories. Parameters are added to the failureRedirectUri. |
https://<hostname>/openid/strongidentification | (Obsolete) strong identification service which allows a user to perform strong identification. Parameters are added to the failureRedirectUri. |
Strong identification URL | Temporary strong identification URL received from Initiating interactive strong identification (suomi.fi tunnistus) |
Please note that the list of error codes documented here is not exhaustive. For example, when linking an account with an OpenID based user directory, any possible error and error_description values received from this external service are relayed as-is. If you need an exhaustive listing of error codes, you also need to consult the documentation of any possible user directories your users will be using.

For configuring user directories, see User directories (external sign-in).
The error_description parameter may, in some cases, also contain a detailed authentication error code (in addition to the humanized error message), such as TID-AEX-XXXX. For an exhaustive list of these authentication error codes, see Authentication Error Codes. If you want to remove this authentication error code from the error_description parameter, you can use this regular expression to do that:

\s*\(TID-AEX-[0-9]{4}\)

Example Java code is below.
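```java
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    String errorDescription = request.getParameter("error_description");
    if (errorDescription != null) { // the parameter is absent when no error occurred
        // Strip the " (TID-AEX-NNNN)" code and keep only the humanized message.
        errorDescription = errorDescription.replaceAll("\\s*\\(TID-AEX-[0-9]{4}\\)", "");
    }
}
```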
An example error_description value is:

You are unable to sign-in! (TID-AEX-1030)

Any error code values documented below may appear as the value of the error parameter.
General error codes
General error codes are common for all services.
Error | Description |
---|---|
invalid_token | Provided access_token or id_token is invalid or other internal token handling failure. |
invalid_config | Invalid configuration prevents authentication. |
no_such_directory | Requested user directory is not available or other internal directory handling failure. |
internal_error | Internal server error |
auth_fail | Authentication failed. |
user_conflict | Conflicting user information which prevents saving user to database. Usually caused by some unique requirements. |
invalid_request | Invalid request, check your parameters. |
user_cancel | User cancelled authentication. Note that access_denied also usually indicates user cancelling the authentication. The choice between these two parameters depends on the service you are using. |
user_disabled | User has been disabled. |
user_expired | User validity time has been exceeded. |
user_locked | User has been locked. |
Strong identification error codes
These error codes only appear when using the strong identification service.
Error | Description |
---|---|
strongid_not_available | No strong identification capable user directory configured in user’s namespace. |
personal_id_conflict | Personal identity code conflict. The user already has a personal identity code but tries to strongly identify with a different personal identity code, and namespace settings do not allow this. |
OpenID Connect error codes
These error codes only appear when performing OpenID Connect authentication (whether using the service's own provider or an external OpenID Connect based user directory). Please note that error codes from external user directories are relayed as-is and therefore this listing is not exhaustive.
Error | Description |
---|---|
missing_code | No authorization code received |
metadata_fail | Failed to fetch metadata |
access_denied | Access denied, usually indicates that user cancelled authentication. |
In addition to these error codes, any standardized error codes may be used. For a list of those, see the following links.
- The Authorization Response (OAuth 2)
- Authentication Error Response (OpenID Connect)
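
The following Java class is an added example, not TrivoreID's own code. It handles the error and error_description parameters on the receiving service: it flags whether the error value is one documented in the tables above or was relayed from a user directory, separates the optional TID-AEX code from the humanized message, and HTML-escapes the message, since both parameters arrive in the query string and relayed values come as-is from external services. The class, record and method names are hypothetical, and the sample inputs in main are constructed (only the first description string is the page's own example).

```java
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthErrorExample {
    // Error codes documented on this page; any other value was relayed from a user directory.
    static final Set<String> DOCUMENTED = Set.of(
        "invalid_token", "invalid_config", "no_such_directory", "internal_error", "auth_fail",
        "user_conflict", "invalid_request", "user_cancel", "user_disabled", "user_expired",
        "user_locked", "strongid_not_available", "personal_id_conflict",
        "missing_code", "metadata_fail", "access_denied");
    // Same pattern as the page's regular expression, with a capture group around the code.
    static final Pattern AEX = Pattern.compile("\\s*\\((TID-AEX-[0-9]{4})\\)");

    // error is the raw query value: do not echo it to users when documented is false.
    record AuthError(String error, boolean documented, boolean userCancelled,
                     String safeMessage, Optional<String> aexCode) {}

    static AuthError parse(String error, String errorDescription) {
        String err = error == null ? "" : error;
        String desc = errorDescription == null ? "" : errorDescription;
        Matcher m = AEX.matcher(desc);
        // Keep the code for logs and support tickets, drop it from the user-facing text.
        Optional<String> code = m.find() ? Optional.of(m.group(1)) : Optional.empty();
        String message = escapeHtml(m.replaceAll("").trim());
        // The page notes that access_denied also usually means the user cancelled.
        boolean cancelled = err.equals("user_cancel") || err.equals("access_denied");
        return new AuthError(err, DOCUMENTED.contains(err), cancelled, message, code);
    }

    // Minimal HTML escaping so the message can be rendered on an error page.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed inputs: a documented code, a relayed code with markup, a cancel with no text.
        System.out.println(parse("auth_fail", "You are unable to sign-in! (TID-AEX-1030)"));
        System.out.println(parse("upstream_custom_error", "<b>relayed</b> text"));
        System.out.println(parse("user_cancel", null));
    }
}
```

Logging aexCode together with the raw error value, while showing users only safeMessage, keeps the detailed code available for support without reflecting unvalidated query input into the page.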