AST Trusted Message Sign Error Codes (SubSystem 516)
TMS / DM Interaction (Error Codes 10-19)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 10 | 409 | Locked | The TMS is locked by a different client |
| 516 | 11 | 410 | AlreadyComplete | The TMS was already in a completed state when trying to complete it |
| 516 | 12 | 410 | Timeout | The TMS or Display Message timed out |
| 516 | 13 | 412 | WrongState | The TMS is in a wrong state for the requested operation |
Signed Data Checks (Error Codes 20-39)
The following error codes are only returned on `respondToTms` when sending a `signedData`, i.e. when the response is `ACCEPTED`.
Structural Errors (Error Codes 20-29)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 20 | 400 | InvalidCms | The data is not a valid PKCS#7 CMS SignedData structure |
| 516 | 21 | 400 | MissingSignerInfo | The CMS structure did not contain a signer info |
| 516 | 22 | 400 | AmbiguousSignerInfo | The CMS structure contained more than one signer info |
| 516 | 23 | 400 | MissingCert | The CMS structure did not contain a client certificate |
| 516 | 24 | 400 | AmbiguousCert | The CMS structure contained more than one client certificate |
| 516 | 25 | 400 | BadKey | The public key of the client certificate is unsupported |
| 516 | 26 | 400 | UnsupportedAlgorithm | One of the algorithms used in the signature is unsupported |
Validity Errors (Error Codes 30-39)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 30 | 403 | BadCertSignature | The client certificate's signature is invalid |
| 516 | 31 | 403 | BadCertProfile | The client certificate is not an AST_DEVICE certificate |
| 516 | 32 | 403 | BadCertificationPath | The certification path of the client certificate is invalid |
| 516 | 33 | 403 | SignedDataMismatch | The signed data does not match the fully expanded TMS message |
| 516 | 34 | 403 | BadCmsSignature | The signature of the CMS is invalid |
| 516 | 35 | 403 | CertOwnerMismatch | The certificate has the SAN extension and the owner there does not match the caller |
| 516 | 36 | 403 | Replay | The signed attributes did not match the TMS or caller (`signingTime`, `userId`, `tmsId`, `clientId`) |
| 516 | 37 | 403 | CertificateRevoked | The Signer CA that issued the client certificate, or the client certificate itself, has been revoked. Obtain a new certificate before completing the TMS. |
| 516 | 38 | 403 | ClientCertificateExpired | The client certificate used to sign the CMS has expired. The client should renew its certificate before retrying to complete the TMS. |
When responding to the TMS, some fields must be contained in the CMS SignedData. They are used to bind the response to the correct TMS and to prevent replay of TMS responses. If any of these checks fails, the error 516-36 Replay is returned.

The attributes checked are:

- The standard CMS `signingTime` attribute (OID 1.2.840.113549.1.9.5)
  - It must be between the `retrievedAt` field of the TMS (the time the client downloaded the TMS, equal to `serverTime` in the downloaded TMS) and the current time
- The TMS ID attribute (OID 1.3.6.1.4.1.14481.109.3.1)
  - It must be equal to the TMS ID the response is sent for
- The User ID attribute (OID 1.3.6.1.4.1.14481.109.3.2)
  - It must be equal to the User ID (`sub` claim) in the access token used to send the response
- The AST Client ID attribute (OID 1.3.6.1.4.1.14481.109.3.3)
  - It must be equal to the AST Client ID (`astClientId` claim) in the access token used to send the response

The detailed cause of the error is logged by AST TMS at WARN level, so check the logs for details when receiving this error code.
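The four binding checks above, written out as an added example (this is not the AST TMS code). It assumes the signed attributes have already been decoded out of the SignerInfo into a dict keyed by OID; the TMS, token and attribute values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# OIDs of the signed attributes covered by the 516-36 Replay check (from the page).
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"
OID_TMS_ID = "1.3.6.1.4.1.14481.109.3.1"
OID_USER_ID = "1.3.6.1.4.1.14481.109.3.2"
OID_AST_CLIENT_ID = "1.3.6.1.4.1.14481.109.3.3"

REPLAY = "516-36 Replay"

def check_signed_attributes(attrs, tms, token_claims, now):
    """Return None when the signed attributes bind the response to this TMS and
    caller, otherwise (error, reason). `attrs` maps OID -> decoded value; decoding
    the DER signedAttrs is assumed to happen elsewhere (hypothetical input shape)."""
    signing_time = attrs.get(OID_SIGNING_TIME)
    if signing_time is None:
        return REPLAY, "signingTime attribute missing"
    # signingTime must lie between retrievedAt (the serverTime of the download) and now.
    if not (tms["retrievedAt"] <= signing_time <= now):
        return REPLAY, "signingTime outside [retrievedAt, now]"
    if attrs.get(OID_TMS_ID) != tms["id"]:
        return REPLAY, "tmsId does not match the TMS being responded to"
    if attrs.get(OID_USER_ID) != token_claims.get("sub"):
        return REPLAY, "userId does not match the sub claim"
    if attrs.get(OID_AST_CLIENT_ID) != token_claims.get("astClientId"):
        return REPLAY, "clientId does not match the astClientId claim"
    return None

# Constructed sample data: a TMS downloaded five minutes ago and the caller's token claims.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
TMS = {"id": "tms-0001", "retrievedAt": NOW - timedelta(minutes=5)}
TOKEN = {"sub": "user-42", "astClientId": "client-7"}

GOOD_ATTRS = {
    OID_SIGNING_TIME: NOW - timedelta(minutes=1),
    OID_TMS_ID: "tms-0001",
    OID_USER_ID: "user-42",
    OID_AST_CLIENT_ID: "client-7",
}
# A replayed SignedData carries a signingTime from before this TMS was retrieved.
REPLAYED_ATTRS = dict(GOOD_ATTRS, **{OID_SIGNING_TIME: NOW - timedelta(hours=2)})
# A SignedData produced under another client's token.
WRONG_CLIENT_ATTRS = dict(GOOD_ATTRS, **{OID_AST_CLIENT_ID: "client-9"})

def failure_reason(attrs):
    """Convenience wrapper: the reason string, or None when the response is accepted."""
    result = check_signed_attributes(attrs, TMS, TOKEN, NOW)
    return None if result is None else result[1]
```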
Templating Errors (Error Codes 40-49)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 40 | 500 | TemplateExpansionFailed | The expansion of a message template failed |
Cryptography Errors (Error Codes 50-59)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 50 | 500 | EncryptionError | Encrypting a response body failed. Details can be found in the message |
| 516 | 51 | 400 | DecryptionError | Decrypting a request body failed. Details can be found in the message |
| 516 | 52 | 500 | DbEncryptionError | Encrypting a field for the database failed. Details can be found in the message |
| 516 | 53 | 500 | DbDecryptionError | Decrypting a field from the database failed. Details can be found in the message |
Bad Request Codes (Error Codes 400 and 400x)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 400 | 400 | BadRequest | An unspecified Bad Request error. Look for details in the message. |
| 516 | 4001 | 400 | MissingField | A required field was missing in the request |
| 516 | 4002 | 400 | MalformedField | A field in the request had a wrong format |
| 516 | 4003 | 400 | MalformedBody | The request body was malformed and couldn't be parsed |
Unauthorized Codes (Error Codes 401 and 401x)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 401 | 401 | Unauthorized | There was a problem authorizing the request, see below for details |
| 516 | 4011 | 401 | TlsClientAuthMissing | mTLS enforcement is enabled and the request did not contain TLS client authentication information. That is, the request did not contain any of the `api.security.mTLS.certRequestHeaders`, or the header did not contain a certificate |
Details about 516-401 Unauthorized
This error code includes cases like:

- The header was missing
- The token could not be decoded
- The token is from a different realm than the tenant in the request path
- The token was expired (`exp`), not yet valid (`nbf`) or issued in the future (`iat`)
- The token's issuer (`iss`) did not match the expected value discovered from the IdP
  - This is most likely a realm configuration problem in Keycloak, such as not configuring the "Frontend URL" setting in the realm, which is required in a typical setup
  - Failing to configure the Frontend URL will result in a mismatch between the issuer URL that was discovered by the service inside the cluster and the issuer in the JWT issued for a client outside the cluster
  - After changing the realm configuration, the service must be restarted so that it rediscovers the realm configuration
- The token's audience (`aud`) didn't include all required values specified in the service config (default: none)
- The token's signature did not match the public key discovered from the IdP
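The claim checks from this list as an added example (not the service's own code); signature verification and JWT decoding are assumed to happen before these checks. It assumes Keycloak-style issuer URLs of the form `<base>/realms/<realm>` for the realm-vs-tenant comparison; the issuer, tenant, audience and claim values are constructed sample data.

```python
def check_token_claims(claims, tenant, expected_issuer, required_aud, now):
    """Return None when the decoded claims pass the 516-401 checks, else the reason.
    `expected_issuer` is the issuer the service discovered from the IdP for this tenant."""
    iss = claims.get("iss")
    # Assumption: Keycloak issuer layout <base>/realms/<realm>; the realm must equal the tenant.
    if iss is None or iss.rstrip("/").rsplit("/realms/", 1)[-1] != tenant:
        return "token is from a different realm than the tenant in the request path"
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is not None and exp <= now:
        return "token expired (exp)"
    if nbf is not None and nbf > now:
        return "token not yet valid (nbf)"
    if iat is not None and iat > now:
        return "token issued in the future (iat)"
    if iss != expected_issuer:
        return "issuer (iss) does not match the value discovered from the IdP"
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # the aud claim may be a single string or a list
        aud = [aud]
    missing = sorted(set(required_aud) - set(aud))
    if missing:  # every configured audience value must be present
        return "audience (aud) is missing required values: " + ", ".join(missing)
    return None

# Constructed sample data: epoch seconds, the issuer discovered in-cluster for tenant-a,
# and a token that satisfies every check.
NOW = 1714564800
EXPECTED_ISSUER = "https://idp.example.test/realms/tenant-a"
REQUIRED_AUD = ["ast-tms"]
GOOD = {"iss": EXPECTED_ISSUER, "sub": "user-42", "exp": NOW + 300,
        "nbf": NOW - 10, "iat": NOW - 10, "aud": ["ast-tms", "account"]}
# Token minted for a client outside the cluster while the realm's Frontend URL was not
# set: same realm, but the issuer hostname differs from the one discovered in-cluster.
FRONTEND_URL_MISMATCH = dict(GOOD, iss="https://idp.external.example.test/realms/tenant-a")
OTHER_REALM = dict(GOOD, iss="https://idp.example.test/realms/tenant-b")
EXPIRED = dict(GOOD, exp=NOW - 1)

def reason(claims):
    """Convenience wrapper using the constructed tenant, issuer and audience."""
    return check_token_claims(claims, "tenant-a", EXPECTED_ISSUER, REQUIRED_AUD, NOW)
```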
Forbidden / Bad Token Codes (Error Codes 403 and 403x)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 403 | 403 | Forbidden | The user has no permission to access the resource. The details of the failed authorization are printed in the logs |
| 516 | 4031 | 403 | MissingUserId | The user ID (`sub` claim) is missing in the access token |
| 516 | 4032 | 403 | MissingClientId | The AST client ID (`astClientId` claim) is missing in the access token |
| 516 | 4033 | 403 | MissingAuthTime | The authentication time (`auth_time` claim, fallback `iat` claim) is missing in the access token |
| 516 | 4034 | 403 | ExplicitAuthMissing | The required explicit auth scope is missing (only on `respondToTms`) |
| 516 | 4035 | 403 | AuthTooOld | The authentication was too long ago (the required freshness was not met, only on `respondToTms`) |
| 516 | 4036 | 403 | SessionKeyNotFound | The session key with the specified ID wasn't found |
| 516 | 4037 | 403 | SessionKeyDecryptionFailed | The session key could not be decrypted |
| 516 | 4038 | 403 | MKexRequired | The client was required to do mKEX, but no authenticated session key was found |
Not Found Codes (Error Codes 404x)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 4041 | 404 | TmsNotFound | A TMS with the given ID does not exist |
| 516 | 4042 | 404 | DisplayMessageNotFound | A display message with the given ID does not exist |
| 516 | 4043 | 404 | NoMatchingClients | The filters specified on the TMS or Display Message request didn't match any of the user's clients |
OIDC Errors (Error Codes 100x)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 1000 | 500 | GeneralError | An unexpected error occurred while authenticating the request. See the log for details. |
| 516 | 1001 | 500 | IssuerNotConfigured | The OIDC issuer is not configured. This is probably due to misconfiguration of `api.security.openidConnect.baseUrl`. See the log for details. |
| 516 | 1002 | 404 | RealmDoesNotExist | The realm corresponding to the tenant ID in the request does not exist in the IDP. See the log for details. |
| 516 | 1003 | 503 | IdpUnavailable | The IDP could not be reached for OIDC discovery. This may be a temporary error or due to misconfiguration. See the log for details. |
| 516 | 1004 | 502 | BadResponse | The IDP response could not be parsed. See the log for details. |
| 516 | 1005 | 502 | UnexpectedError | The IDP returned an unexpected error response during OIDC Discovery. See the log for details. |
| 516 | 1006 | 500 | IssuerMismatch | The issuer URL returned from OIDC Discovery doesn't match the expected one generated from the configuration. This is probably due to realm misconfiguration in the IDP. See the log for details. |
| 516 | 1007 | 500 | UnsupportedFlow | The OIDC configuration returned from the IDP specified an unsupported flow. This is probably due to realm misconfiguration in the IDP. See the log for details. |
General Error Codes (Internal Errors)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 500 | 500 | InternalError | An unexpected error occurred, check for details in the logs |
| 516 | 5001 | 500 | DbError | An unexpected error occurred during a database operation |
| 516 | 5002 | 500 | KafkaError | An unexpected error occurred during a Kafka operation |
| 516 | 503 | 503 | ServiceUnavailable | The service's availability was disrupted, look for details in the message. |
Configuration Errors (Error Codes 500xx)
| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 50010 | 500 | UnknownTopicRoutingKey | An outbox item with an unknown topic routing key was encountered |
| 516 | 50020 | 500 | TrustStoreDoesNotExist | The trust store file does not exist |
| 516 | 50021 | 500 | TrustStoreRequired | A trust store was required for the configured SSL mode, but none was given |
Upstream Service Errors (Error Codes 502x)
The following error codes are for failures during requests to upstream services. If the upstream service returns a parseable error response, the parsed error will be returned with a 502 response code. Otherwise, an appropriate `516-502x` code is returned.

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 5021 | 502 | UpstreamRequestError | The request to an upstream service failed due to a networking error |
| 516 | 5022 | 502 | UpstreamInvalidResponse | The upstream service returned a successful response that could not be parsed |
| 516 | 5023 | 502 | UpstreamInvalidErrorResponse | The upstream service returned an error response that could not be parsed |
| Upstream Subsystem | Upstream Error | 502 | determined by upstream | The upstream service returned an error response that could be parsed to a ServiceError |