Error information and error_description - tid-aex

TrivoreID can provide authentication error information to external services, for example when a user is performing strong identification. This information is delivered to the requesting service in the URL query parameters error and error_description. These parameters are added to the failureRedirectUri received in the request, or to the redirect_uri in the case of OpenID Connect based login.

The relevant endpoints that use these parameters are listed in the table below.

| URL | Description |
| --- | --- |
| https://<hostname>/openid/auth | OpenID Connect based authentication URL. Parameters are added to the redirect_uri. |
| https://<hostname>/openid/link-account | Link account service which allows users to link their accounts with another account from available user directories. Parameters are added to the failureRedirectUri. |
| https://<hostname>/openid/strongidentification | (Obsolete) strong identification service which allows user to perform strong identification. Parameters are added to the failureRedirectUri. |
| Strong identification URL | Temporary strong identification URL received from https://trivore.atlassian.net/wiki/spaces/TISpubdoc/pages/20515376 |

Please note that the list of error codes documented here is not exhaustive. For example, when linking an account with an OpenID based user directory, any error and error_description values received from this external service are relayed as-is. If you need an exhaustive listing of error codes, you also need to consult the documentation of any user directories your users will be using.

For configuring user directories, see https://trivore.atlassian.net/wiki/spaces/TISpubdoc/pages/881459205

The error_description parameter may, in some cases, also contain a detailed authentication error code (in addition to the humanized error message), such as TID-AEX-XXXX. For an exhaustive list of these authentication error codes, see https://trivore.atlassian.net/wiki/spaces/TISpubdoc/pages/883687434 . If you want to remove this authentication error code from the error_description parameter, you can use this regular expression: \s*\(TID-AEX-[0-9]{4}\). Example Java code is below.

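```java
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    String errorDescription = request.getParameter("error_description");
    // getParameter returns null when the parameter is absent
    if (errorDescription != null) {
        // Remove the trailing authentication error code, e.g. " (TID-AEX-1030)"
        errorDescription = errorDescription.replaceAll("\\s*\\(TID-AEX-[0-9]{4}\\)", "");
    }
}
```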

Example error_description value: You are unable to sign-in! (TID-AEX-1030)

Any of the error code values documented below may appear as the value of the error parameter.
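The handling described above, extended into a stand-alone parser, as an added example that is not TrivoreID's own code: it treats error and error_description as untrusted input (values relayed from external directories included), keeps the TID-AEX code for logging, and HTML-escapes the message before display. The class name, the client.example URL and the token pattern for error are assumptions.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthErrorCallback {
    // Same pattern as the page's regular expression, with a capture group around the code.
    private static final Pattern AEX = Pattern.compile("\\s*\\((TID-AEX-[0-9]{4})\\)");
    // Assumption: error values are short tokens like the ones listed on this page.
    private static final Pattern ERROR_TOKEN = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /** Returns {error, aexCode, displayMessage}; throws IllegalArgumentException on a malformed URL. */
    static String[] parse(String callbackUrl) {
        Map<String, String> q = new HashMap<>();
        String raw = URI.create(callbackUrl).getRawQuery();
        for (String pair : (raw == null ? "" : raw).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) q.putIfAbsent(URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8),
                                      URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
        }
        String error = q.getOrDefault("error", "");
        // Relayed directory errors are untrusted input: reject anything that is not a plain token.
        if (!ERROR_TOKEN.matcher(error).matches()) error = "unknown_error";
        // access_denied usually also means the user cancelled; treating both alike is this example's choice.
        if (error.equals("access_denied")) error = "user_cancel";

        String desc = q.getOrDefault("error_description", "");
        Matcher m = AEX.matcher(desc);
        String aexCode = m.find() ? m.group(1) : "";   // keep for logs and support tickets
        String display = escapeHtml(m.replaceAll("").trim());
        return new String[] { error, aexCode, display };
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample callback; client.example is a placeholder host.
        String url = "https://client.example/login/failed?error=auth_fail"
                   + "&error_description=You+are+unable+to+sign-in%21+%28TID-AEX-1030%29";
        String[] r = parse(url);
        System.out.println(r[0] + " | " + r[1] + " | " + r[2]);
    }
}
```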

Where does the abbreviation TID-AEX come from?

It is simply TrivoreID Authentication EXception. The number after it gives a clue about the exception that occurred, or the error code. This error code is an OpenID Connect required parameter. Our prefix for it is “TID-AEX”.

General error codes

General error codes are common to all services.

| Error | Description |
| --- | --- |
| invalid_token | Provided access_token or id_token is invalid or other internal token handling failure. |
| invalid_config | Invalid configuration prevents authentication. |
| no_such_directory | Requested user directory is not available or other internal directory handling failure. |
| internal_error | Internal server error. |
| auth_fail | Authentication failed. |
| user_conflict | Conflicting user information which prevents saving user to database. Usually caused by some unique requirements. |
| invalid_request | Invalid request, check your parameters. |
| user_cancel | User cancelled authentication. Note that access_denied also usually indicates user cancelling the authentication. The choice between these two parameters depends on the service you are using. |
| user_disabled | User has been disabled. |
| user_expired | User validity time has been exceeded. |
| user_locked | User has been locked. |

Strong identification error codes

These error codes only appear when using the strong identification service.

| Error | Description |
| --- | --- |
| strongid_not_available | No strong identification capable user directory configured in user’s namespace. |
| personal_id_conflict | Personal identity code conflict. User already has personal identity code but tries to strong identify with different personal identity code and namespace settings do not allow this. |

OpenID Connect error codes

These error codes only appear when performing OpenID Connect authentication (whether using the service's own provider or an external OpenID Connect based user directory). Please note that error codes from external user directories are relayed as-is and therefore this listing is not exhaustive.

| Error | Description |
| --- | --- |
| missing_code | No authorization code received. |
| metadata_fail | Failed to fetch metadata. |
| access_denied | Access denied, usually indicates that user cancelled authentication. |

In addition to these error codes, any standardized error codes may be used. For a list of those, see the following links.