OAuthError

Errors are either returned in a JSON response body, or as redirect parameters depending on expected response type.

JSON Response#

When an error is returned from an OAuth endpoint as a JSON body the following structure can be expected in the response. The change_password_id field will only be present on the response if a password change is required.

Example JSON Response

{
  "change_password_id": "a65f7ac3-e4ce-4bf6-bbb0-576189c4d965",
  "error": "change_password_required",
  "error_description": "The user is required to change their password.",
  "error_reason": "change_password_breached"
}

Redirect Parameters#

When an error is returned from an OAuth endpoint as a redirect, the errors are put on the redirect as query parameters.

Example HTTP Redirect

HTTP/1.1 302 Found
Location: https://piedpiper.com/callback?
           error=unsupported_response_type
           &error_reason=invalid_response_type
           &error_description=Parameter+response_type+must+be+set+to+code+or+token.
           &state=bEF7UItzlhNvE31Rf0_axShomu_vU30tMeJcqMZ9LfA0

Error Fields#

Regardless of the way the error is returned to you, the field definitions are the same. Each possible value error and error_reason is documented below.

Error Parameters#

errorString

The OAuth error response type. In most cases these values are defined or suggested by an RFC or other specification.

The possible values are:

  • access_denied
  • authorization_pending
  • change_password_required
  • consent_required
  • expired_token
  • interaction_required
  • invalid_client
  • invalid_dpop_proof
  • invalid_grant
  • invalid_request
  • invalid_scope
  • invalid_target
  • invalid_token
  • login_required
  • not_licensed
  • server_error
  • two_factor_required
  • unauthorized_client
  • unsupported_grant_type
  • unsupported_response_type
  • unsupported_token_type
error_descriptionString

The human-readable OAuth error description. This description should describe the error condition and it may contain a parameter value that caused the error.

error_reasonString

The OAuth error reason. These reason codes are defined by FusionAuth to provide you a specific reason code so that you may identify the specific reason the request failed. The defined error codes as defined by OAuth2 or OpenID Connect only provide general indications such as an invalid request that may be caused by more than one parameter. Each of the values returned in this field will represent a specific error.

The possible values are:

  • access_token_expired
  • access_token_failed_processing
  • access_token_invalid
  • access_token_malformed
  • access_token_required
  • access_token_unavailable_for_processing
  • auth_code_not_found
  • authentication_required
  • change_password_administrative
  • change_password_breached
  • change_password_expired
  • change_password_validation
  • client_authentication_missing
  • client_id_mismatch
  • consent_canceled
  • consent_required
  • email_verification_required
  • grant_type_disabled
  • invalid_additional_client_id
  • invalid_client_authentication
  • invalid_client_authentication_scheme
  • invalid_client_id
  • invalid_device_code
  • invalid_entity_permission_scope
  • invalid_expires_in
  • invalid_grant_type
  • invalid_id_token_hint
  • invalid_origin
  • invalid_origin_opaque
  • invalid_pkce_code_challenge
  • invalid_pkce_code_challenge_method
  • invalid_pkce_code_verifier
  • invalid_post_logout_redirect_uri
  • invalid_prompt
  • invalid_redirect_uri
  • invalid_response_mode
  • invalid_response_type
  • invalid_target_entity_scope
  • invalid_tenant_id
  • invalid_user_code
  • invalid_user_credentials
  • invalid_user_id
  • login_prevented
  • missing_client_id
  • missing_client_secret
  • missing_code
  • missing_code_challenge
  • missing_code_verifier
  • missing_device_code
  • missing_grant_type
  • missing_redirect_uri
  • missing_refresh_token
  • missing_required_scope
  • missing_response_type
  • missing_tenant_id
  • missing_token
  • missing_user_code
  • missing_user_id
  • missing_verification_uri
  • multi_factor_challenge_required
  • not_licensed
  • phone_verification_required
  • refresh_token_not_found
  • refresh_token_type_not_supported
  • registration_missing_requirement
  • registration_required
  • registration_verification_required
  • unknown
  • unknown_scope
  • user_code_expired
  • user_expired
  • user_locked
  • user_not_found
stateString

The state that was provided on the Authorization request. This parameter is only returned during an HTTP redirect if it was provided on the initial request.