If the redirect URI parameter is missing, or the redirect URI does not match one of the registered redirect URLs for the application, Akoya will not redirect the user back to your application (as this would leave your application vulnerable to an open redirector attack). Instead, Akoya will display an error to the user, similar to the image below.
Errors returned in browser
Example
Example of browser displaying "Bad Request"
| HTTP Code/Error | Error Description | Possible issue |
|---|---|---|
| 200 | No "connector" Will return an incorrect login screen | |
| 400 Bad Request | Unregistered redirect_uri (e.g. "https://wrong/v1/callback")) | The redirect_uri is incorrect or not registered |
| 400 Bad Request | Invalid ConnectorID | The providerId is incorrect |
| 400 Bad Request | Invalid client_id ("client_id"). | The clientId is incorrect |
| 400 Bad Request | Requested resource does not exist | Verify your clientId. If it is correct, please contact Akoya. |
| 404/500 | 404 and 500 server errors do not return custom messaging to the browser. | |
| 501 | 501 errors, subsystem is unavailable or temporarily unavailable |
Error codes returned in URL (invalid parameters)
For other errors, the server will redirect the application to the redirect URI, but will include an error in the query string matching the types below:
Example
Example parameters in URL: error=invalid_scope&error_description=Missing+required+scope(s)+["openid"].&state=
| "error" | "error_description" | Possible issue |
|---|---|---|
| invalid_request | Invalid+response+type | The request is missing a parameter, contains an invalid parameter, includes a parameter more than once, or is otherwise invalid. |
| invalid_scope | Missing+required+scope | The requested scope is invalid or unknown. |
| access_denied | The user or authorization server denied the request. | |
| unauthorized_client | The client is not allowed to request an authorization code using this method, for example, if a confidential client attempts to use the implicit grant type. | |
| unsupported_response_type | The server does not support obtaining an authorization code using this method, for example, if the authorization server never implemented the implicit grant type. | |
| server_error | Instead of displaying a 500 Internal Server error page to the user, the server can redirect with this error code. | |
| temporarily_unavailable | If the server is undergoing maintenance, or is otherwise unavailable, this error code can be returned instead of responding with a 503 Service Unavailable status code. |
Server errors
A server_error response could be due to any of the following:
- Internal error creating new access token
- failed to create ID token
- failed to delete auth code
- connector with ID [abc] not found
- failed to marshal refresh token
- failed to create refresh token
- failed to delete refresh token
- failed to get offline session
- failed to create offline session
- failed to delete refresh token
- failed to update offline session
- failed to get auth code from database
- any internal error caused by creating a token
- failed to marshal refresh token
- failed to create refresh token
- failed to delete refresh token
- failed to create offline session
- failed to update offline session
- failed to marshal refresh token
- failed to get refresh token
- provider token not found with
userIDandconnectorID - failed to refresh identity
- failed to create new access token
- failed to update refresh token
- failed to update provider session
- failed to get client
- failed to update offline session object
- unable to unmarshal claim from id token
- failed to create new access token
- failed to marshal access token response
- failed to get client
- failed to get connectors from storage
- unable to validate cross client trust