OpenID API Error Handling
HTTP Status Codes
The following are the generic HTTP statuses for the HID Authentication Service OpenID API when an error is returned.
Code | Label | Applicability | Description |
---|---|---|---|
400 | BAD REQUEST | GET, POST, PUT, DELETE | Request cannot be parsed, is syntactically incorrect, or violates schema |
401 | UNAUTHORIZED | GET, POST, PUT, DELETE | Authorization failure. The authorization header is invalid or missing |
403 | FORBIDDEN | GET, POST, PUT, DELETE | Operation is not allowed based on the supplied authorization |
404 | NOT FOUND | GET, POST, PUT, DELETE | Specified resource (such as user) or endpoint does not exist |
409 | CONFLICT | POST, PUT, DELETE | The specified version number does not match the resource's latest version number or HID Authentication Service refused to create a new, duplicate resource |
500 | INTERNAL SERVER ERROR | GET, POST, PUT, DELETE | An internal server error has occurred |
HID Error Reason Codes
These reason codes for hid_error correspond to the error codes of the API's ErrorConstants object.
Code | Description |
---|---|
0 | A technical error has occurred |
100 | A technical error has occurred in an authentication or authentication manager adapter |
1000 | A parameter was null |
1001 | An authenticator status parameter is not one of the allowed values |
1002 | A parameter value greater than zero was not provided |
1003 | A parameter value greater than or equal to zero was not provided |
1005 | During UP Authentication, either the username or usercode should be specified, but not both |
1006 | A parameter was of an invalid format |
1007 | Date parameters are in an invalid order (for example, start date after end date) |
1008 | A parameter is too long |
1009 | A value has been specified for a parameter that is not supported |
1010 | A parameter representing a numeric value is too large (positive or negative) to be converted into a number |
1011 | Either a specific channel, or all channels should be specified, but not both |
1012 | A parameter cannot be both audited and not-audited |
1013 | When adding a device, either the expiry date or never expires should be specified, but not both |
1014 | When requesting manual synchronization of a device, either the clock or the counter must be specified |
1015 | A device issuance request status parameter is not one of the allowed values |
1016 | The device authentication request should have a usercode or device search criteria |
1017 | Illegal authentication mode |
1018 | The security domain is invalid |
1019 | The adapter type is invalid |
1020 | The adapter type is invalid |
1021 | The adapter type is invalid |
1022 | Either a specific Asset set, or all Asset sets should be specified, but not both |
1023 | Either a specific AuthenticationTypeCode, or all AuthenticationTypes should be specified, but not both |
1024 | Invalid LDAP mapping |
1025 | Either a specific AssetGroupCode, or allAssetGroupCode should be specified, but not both |
1026 | User status is invalid |
1027 | Transaction Type is invalid |
1028 | Resource Type is invalid |
1029 | Device import failed due to invalid parameter |
1030 | STM device activation failed due to invalid parameter |
1031 | Manual Synchronization failed because the device counter was set to a value lower than the current one |
1032 | Manual Synchronization failed because the device counter delta is greater than the max delta |
1033 | Adapter creation failed because an adapter already exists with this name and code for the specified type |
1034 | An invalid algorithm was found |
1036 | Error while reading the import device file due to a wrong parameter: |
1100 | An authentication type with this code already exists |
1101 | A channel with this code already exists |
1102 | A UP authenticator of this authentication type, with this usercode (external reference), already exists |
1103 | A UP authenticator of this authentication type, with this username (login), already exists |
1104 | An MD prompt with this code already exists |
1105 | An MD authenticator of this authentication type, with this usercode (external reference), already exists |
1106 | An asset with this code already exists |
1107 | An asset group with this code already exists |
1108 | An asset set with this code already exists |
1109 | A function set with this code already exists |
1110 | A transaction with this code already exists |
1111 | A transaction set with this code already exists |
1112 | An attribute type with this code already exists |
1113 | A user (sub)group with this code already exists |
1114 | A user with this code already exists |
1115 | A user group transaction set privilege with this user subgroup and transaction set already exists |
1116 | A transaction set item with this transaction already exists in the transaction set |
1117 | A function set item with this function already exists in the function set |
1118 | A user group function set privilege with this user subgroup and function set already exists |
1119 | A user group asset set transaction set privilege with this user subgroup, asset set and transaction set, already exists |
1120 | A user group asset group function set privilege with this user subgroup, asset group and function set, already exists |
1160 | A device with this device type and serial number already exists |
1161 | A credential with this credential code already exists |
1166 | Defines the error code for a duplicate datasource entity |
1167 | Defines the error code for a duplicate radiusServer entity |
1168 | Defines the error code for a duplicate RealmProxy Policy entity |
1169 | Defines the error code for a duplicate RequestFailurePolicy entity |
1170 | A device type with this code already exists |
1171 | Defines the error code for a duplicate AuthProfile entity |
1172 | AssetGroup already assigned to the Transaction set. Defines the error code for a duplicate assignment of AssetGroup to transactionSet |
1173 | Defines the error code for a duplicate ChannelAuthProfile entity |
1174 | Defines the error code for an overlapping datasource |
1175 | Defines the error code for overlapping client addresses of the gate policy |
1180 | A role with this code already exists |
1190 | DEPRECATED. Defined the error code for a duplicate user role |
1191 | A role function set privilege with this role and function set already exists |
1192 | A role transaction set privilege with this role and transaction set already exists |
1193 | An authenticator with this usercode and authentication type already exists |
1200 | A user with the specified code (external reference) could not be found |
1201 | A user (sub)group with the specified code could not be found |
1202 | An asset with the specified code could not be found |
1203 | An asset group with the specified code could not be found |
1204 | An authentication type with the specified code could not be found |
1205 | A UP authenticator with the specified code could not be found |
1206 | An MD authenticator with the specified code could not be found |
1207 | An MD Group with the specified code could not be found |
1208 | An MD answer with the specified code could not be found |
1209 | A channel with the specified code could not be found |
1210 | An MD prompt with the specified code could not be found |
1211 | An asset set with the specified code could not be found |
1212 | An authenticator manager adapter with the specified code could not be found |
1213 | An audit record with the specified ID could not be found |
1260 | A device type with the specified code could not be found |
1261 | A device with the specified ID could not be found |
1263 | A session transfer type with the specified code could not be found |
1270 | An authenticator could not be found |
1280 | A reset password batch with the specified ID could not be found |
1281 | A transaction set with the specified code could not be found |
1282 | A transaction (item) with the specified code could not be found |
1283 | A function set with the specified code could not be found |
1284 | A function with the specified code could not be found |
1285 | A function set item with the specified code could not be found |
1286 | A transaction set item with the specified code could not be found |
1287 | A user group transaction set privilege with the specified ID could not be found |
1288 | A user group asset set transaction set privilege with the specified ID could not be found |
1289 | A user group asset group function set privilege with the specified ID could not be found |
1290 | A role function set privilege with the specified ID could not be found |
1291 | A role transaction set privilege with the specified ID could not be found |
1292 | A role with the specified code could not be found |
1293 | A user role assignment could not be found |
1294 | A user transaction privilege with the specified ID could not be found |
1295 | A credential with the specified ID could not be found |
1296 | A credential type with the specified ID could not be found |
1297 | A status category with specified search criteria could not be found |
1298 | A status with specified search criteria could not be found |
1299 | A status transition with specified search criteria could not be found |
1300 | An asset cannot be added to an asset set because they have different asset groups |
1301 | RADIUS Server could not be found |
1302 | RealmProxy Policy could not be found |
1303 | RequestFailurePolicy could not be found |
1304 | ChannelAuthorizationPolicy could not be found |
1305 | ChannelAuthorizationPolicy could not be found |
1306 | Dictionary Code could not be found |
1307 | AssetGroup to Transaction set mapping could not be found |
1308 | Datasource could not be found |
1309 | An Asset set item could not be found |
1310 | Email Address or template could not be found |
1311 | Device issuance request could not be found |
1312 | Organization could not be found |
1313 | No Organization adapter could be found |
1314 | Pseudonymization Token could not be found |
1400 | No function privilege to call this method |
1500 | Insufficient MD answers were provided to create the MD authenticator |
1501 | The MD answer provided is not associated with the MD authenticator (MD group) |
1600 | The authentication type only allows seeded authentication |
1601 | The authentication type only allows unseeded authentication |
1602 | The number of password/answer seed characters provided does not match the number of seed positions provided |
1603 | The number of password/answer seed characters provided is insufficient for authentication |
1604 | The seed positions provided are not unique |
1605 | The number of seed positions requested is greater than the minimum length constraint |
1700 | An invalid channel was found during authentication |
1701 | An invalid channel was found for this authentication type |
1900 | The session is invalid |
1901 | The session does not exist |
1902 | The session has timed out |
1903 | The session has expired |
1904 | The session has an invalid user associated with it |
1905 | An authentication of the specified authentication type does not exist within the session |
1906 | The session contains too many authentication occurrences |
200 | A technical error has occurred in the Activ Kernel |
2000 | The number of allowed (failed) attempts to change the password has been exceeded |
2001 | An expired password change was attempted on a password that had not expired |
2100 | A constraint violation has occurred (for example, when creating an authenticator with an invalid password or MD answer) |
2200 | No longer used |
2201 | The configurer card was not present |
2202 | The configurer card is faulty |
2203 | No longer used |
2204 | The card is not a configurer card |
2205 | No longer used |
2206 | The card label is not in the form config.username |
2207 | No longer used |
2208 | The card was not recognized |
2209 | No longer used |
300 | A technical error has occurred within Core Security |
3000 | The user subgroup cannot be deleted, because it contains child user subgroup(s) |
3001 | The user subgroup cannot be deleted, because it contains users |
3002 | The user subgroup cannot be moved, because the target parent group is a child of the subgroup |
3003 | The parent of the user subgroup cannot be updated |
3004 | The user group cannot be moved because it is a root group |
3006 | The user subgroup cannot be moved because the target parent group does not belong to the subgroup's root group hierarchy |
3007 | Cannot change user attribute types for a subgroup |
3200 | An attribute type with the specified code could not be found |
3201 | A credential could not be found |
3202 | An adapter could not be found |
3203 | A delivery provider could not be found |
400 | A technical error has occurred while getting the CheckBefore Attributes for RADIUS |
4000 | The asset group or asset set contains assets |
4001 | The asset group contains an asset set |
500 | A technical error has occurred while validating the profile attribute type for RADIUS |
5000 | The form is missing one or more required MD answers |
5001 | A form with status ISSUED of this form type, already exists for this user |
5003 | There were one or more problems with a user's authenticators when submitting a form |
5100 | The user does not have any attributes |
5101 | The user does not have a mandatory attribute |
5106 | The user for a password reset request could not be found |
5107 | A password cannot be generated because a minimum or maximum length constraint of an authentication type has not been set |
5108 | Unable to reset password, the specified authentication type is not username password |
5109 | Unable to reset password, the specified authentication type does not specify a valid two-way key |
5150 | Mandatory encryption parameters for the specified authentication type are missing |
5151 | The specified authentication type is not of class UP |
5200 | A base authentication type cannot be dependent on itself |
5201 | The session does not contain an authentication for the required base authentication type |
5202 | Authentication type code is used by system, user cannot create an authentication type with same code |
5203 | Direct User does not have valid authentication type to perform this indirect authentication |
5204 | Trying to do direct authentication with authentication type that supports only indirect authentication |
5300 | A cloned authenticator cannot be of the same authentication type |
5301 | A cloned authenticator cannot be of an authentication type with a different adapter code |
5400 | The specified session transfer code length is outside the minimum and maximum limits for the specified session transfer type code |
5401 | The specified session transfer 'from' datetime is in the past |
5402 | The specified session transfer code is not yet valid |
5403 | The specified session transfer code has expired |
5404 | The specified session transfer code has already been received |
5405 | No unique session transfer code could be generated |
5406 | The specified session transfer code does not exist |
5407 | The specified session transfer code is linked to a session with too high a risk score |
600 | A technical error has occurred in the LDAP |
6001 | When creating an authentication type, the number of prompts required for creation, was greater than the actual number of prompts in the MD group |
6002 | The number of prompts required for display does not match with supplied prompts or prompts required for creation/authentication |
6003 | When creating an authentication type, the number of prompts required for authentication, was greater than the actual number of prompts in the MD group |
6004 | The password has expired but can be reset |
6005 | The authenticator status is invalid |
6006 | The AuthenticationType class type is incompatible |
6007 | The old password is invalid |
6008 | User group not authorized |
601 | LDAP return size limit exception occurred |
602 | LDAP lookthrough size limit exception occurred |
6050 | The device search criteria do not uniquely identify a device |
6051 | The device is bound to a different user than the one specified |
6052 | The automatic synchronization method is not supported |
6054 | The start date is not before the expiry date |
6055 | The manual synchronization method is not supported |
6056 | The create unlock code method is not supported |
6057 | The synchronization request contains incompatible information |
6058 | There was no active device on the authenticator |
6059 | Device does not support soft PIN |
6060 | Soft PIN is too short |
6061 | Soft PIN is too long |
6062 | Soft PIN position is invalid |
6063 | Status value is invalid |
6064 | Status value is not a valid initial status |
6065 | Device assignment failed |
6066 | Request Device failed |
6067 | Device Activation failed |
6068 | Reached maximum number of SoftTokens for this device type |
6069 | Reached maximum number of SoftTokens for this device type |
6070 | Certificate has expired |
6071 | Certificate is not yet valid |
6072 | Unsupported certificate |
6073 | Unable to verify certificate |
6074 | Unable to download CRL |
6075 | Unsupported CRL |
6076 | Unable to verify CRL |
6077 | Invalid certificate path |
6078 | Certificate is revoked |
6100 | The device does not support asynchronous authentication |
6101 | The device does not support synchronous authentication |
6102 | A challenge has not previously been issued for this device |
6104 | The counter (ATC) on the device has reached its max value |
6105 | A user defined challenge is expected, but has not been provided |
6200 | No active Authenticator was found for dynamic Authenticator Selection get Challenge Request |
6201 | No active Authenticator was found for dynamic Authenticator Selection Device Authentication Request |
6202 | No active Authenticator was found for dynamic Authenticator Selection UP Authentication Request |
6203 | For dynamic Authenticator Selection, the usercode should be specified; it cannot be NULL |
7000 | A circular transaction dependency cannot be configured |
7001 | A self dependent transaction cannot be configured |
7002 | The transaction is a dependent transaction for another transaction(s) |
7003 | The number of authorizations required must be zero or greater |
7004 | The secondary transaction code must be specified |
7400 | The specified user already has the specified role |
7500 | Unable to delete the transaction set as a role transaction set privilege refers to it |
7501 | Unable to delete the function set as a role function set privilege refers to it |
7502 | Unable to delete the asset set as a role transaction set privilege refers to it |
7503 | Unable to delete the asset group as a role function set privilege refers to it |
7504 | Unable to delete the function set as a function set privilege refers to it |
7505 | Unable to delete the function set as an asset group function set privilege refers to it |
7506 | Unable to delete the transaction set as a user subgroup transaction set privilege refers to it |
7507 | Unable to delete the transaction set as a user subgroup asset set transaction set privilege refers to it |
7508 | Unable to delete the transaction set as a user transaction set privilege refers to it |
7509 | Unable to delete the role as a user refers to it |
7510 | Unable to delete the channel as an authentication type refers to it |
7511 | Unable to delete channel as there is an unspecified constraint violation because a privilege may refer to it |
7512 | Unable to delete the attribute type as a user attribute refers to it |
7513 | Unable to delete the device type as a device refers to it |
7514 | Unable to delete the device as it is assigned to a user |
7516 | Unable to delete RequestFailurePolicy as it is used by one or more channels |
7517 | Unable to delete the datasource as a user refers to it |
7518 | Unable to delete Authorization Profile due to an existing ChannelAuthorizationProfile reference to it |
7519 | Unable to delete a user attribute due to an existing LDAP attribute reference to it |
7520 | Unable to delete an authentication type as something refers to it |
7521 | The specified user does not have the specified role |
7522 | Unable to delete a user attribute due to existing user type reference to it |
7523 | Unable to delete role as it is bound to one or more user repositories |
8000 | The user already has the maximum number of roles allowed |
8800 | EntityId or EntityType is null in the exterAuditRequest |
900 | A technical error has occurred in STM Integration |
9000 | No license was found for the feature |
9001 | License for feature has expired, please contact your vendor to purchase new licenses |
9002 | Invalid license |
9003 | Audit Tokenization is not enabled |
9004 | User is not deleted so it cannot be forgotten |
9005 | Adapter cannot be deleted as it is referenced by a channel |
9006 | Configured function set to update does not exist |
9007 | Configured function set to update is not set up correctly |
9008 | Maximum number of roles has been reached |
9009 | UserType is SCIM_FED but there is no datasource with matching provisioningAgent |
9010 | OCSP or CRL internal error |
9011 | User is bound to a datasource that does not match this session |
9012 | Security Group is bound to a datasource that does not match this session |
9013 | Security Group is not bound to a datasource |
9014 | Cannot add a non SCIM_FED User to a security group bound to a datasource |
9015 | Client is bound to a datasource |
910 | Invalid serial number |
920 | Soft token activation failed |
930 | The Soft token activation failed |
940 | The Soft token activation failed |
950 | The authentication failed |
951 | A technical error has occurred while activating a push-based HID Approve device |
HID Failure Reason Codes
These reason codes for hid_failure correspond to the error codes of the API's AuthenticationResponseConstants object.
Code | Description |
---|---|
31 | It is required to provide amount and currency for asynchronous EMV cap authentication of EMV cards with IAF=1 |
12 | The authentication code length does not match the requested authentication length of characters |
1 | The authenticator is disabled |
0 | The authenticator could not be found |
7 | The authenticator is not yet valid |
22 | The challenge has expired |
17 | The challenge does not match that issued for the token |
30 | It is required to provide challenge for asynchronous authentication |
4 | There is a primary block for this channel |
6 | There is a primary and secondary block for this channel |
5 | There is a secondary block for this channel |
20 | The device is not valid |
33 | The conversion of EMV SDB to EMV NVP format failed |
36 | The credential type does not support asynchronous authentication |
35 | The credential type does not support synchronous authentication |
40 | Unsupported LDAP authentication mode. LDAP authentication only supports synchronous authentication mode |
34 | Failed to provide the required PKI_CHALLENGE_SIGNATURE parameter for Asynchronous PKI Certificate authentication |
18 | An incorrect response was provided |
26 | The amount value for EMV cap verification is invalid. It must not have a decimal character and it should be a numeric value |
27 | The currency code for EMV cap verification is invalid |
32 | The Cryptogram Version Number (CVN) for EMV card is invalid. Supported CVN values are [0xC8, 0xC9, 0x0A, 0x0E] |
25 | The EMV card data is invalid |
28 | The Master Key Label for EMV card is invalid |
2 | The successive failed authentication count reached the disable threshold |
3 | The maximum number of usages has been reached |
29 | The maximum value of ATC is reached |
9 | An MD answer does not match |
14 | Insufficient MD answers were provided |
23 | No valid credentials were found |
19 | The password's maximum usage has been reached |
13 | The password does not match |
45 | The user is disabled |
15 | The user was not found |
24 | The software PIN was wrong |
-1 | The value is not defined (available) |
46 | The Activation Code has expired |
47 | The Activation Code has reached its threshold |
54 | The score has not been retrieved |
55 | The authentication code is not allowed by configuration |
49 | The challenge has not been found |
59 | The check before action failed |
48 | The user already has an open session |
50 | The OOB secret generation has failed |
58 | Specific RMS parameters are missing |
41 | The OTP matched |
42 | The OTP did not match |
43 | The PIN matched |
44 | The PIN did not match |
56 | For the second step authentication, no session transfer has been found |
57 | The second step authentication user does not match |
53 | The block threshold has been reached |
52 | The reject threshold has been reached |
51 | The step-up threshold has been reached |
39 | Hashed password authentication is unsuccessful |
HID Response Codes
These response codes correspond to the codes of the API's AuthenticationResponseConstants object.
Code | Description |
---|---|
2 | The authentication failed |
1 | The authentication succeeded |