3.3.5.2 Processing Token Request Messages

If the parameters relayed from the partner server are valid, according to the predetermined criteria (as specified in section 1.5), and the Token Request message is accompanied by an HTTP cookie or cookies that together contain a valid authentication token, then the authentication server MUST respond with a Token Response message as follows:

  • The value of from-PP MUST be set to a valid partner token for the user, according to the criteria previously agreed to between the authentication server and partner server (as specified in section 1.5). Likewise, the value of ru MUST be the URL to which the client MUST send its HTTP request to access the partner server on successful authentication, as previously agreed to between the authentication server and partner server (as specified in section 1.5).

  • As part of the HTTP response that contains the Token Response message, the authentication server MAY set the values of one or more HTTP cookies on the client (as specified in [RFC2109]), which, taken together, form a valid authentication token for the client. One or more corresponding tname parameter values MAY be included in the Token Response message. If included, they MUST contain the names of the HTTP cookies set on the client.<13>

  • An Authentication Server-Instructed Update message containing the current configuration version, as configured on the authentication server (as specified in section 1.5), MAY be sent to the client along with the Token Response message.<14>

If the parameters relayed from the partner server are valid, according to the predetermined criteria (as specified in section 1.5), but this message is not accompanied by an HTTP cookie or cookies containing an authentication token, or the authentication token contained in the cookie is not valid, the authentication server MUST respond with an Authentication Server Challenge message with da-status="failed".

If this message is not accompanied by an HTTP cookie or cookies that together contain a valid authentication token, and the parameters relayed from the partner server are invalid, according to the predetermined criteria (as specified in section 1.5), the authentication server MUST respond with an Authentication Server Challenge message with da-status="failed-noretry".

In the two preceding cases, the values of srealm, cburl, and cbtxt MUST be set to the preconfigured values for the authentication server's realm name, co-branding URL, and co-branding text, respectively (as specified in section 1.5). The value of ts is for the private use of the authentication server and can be any value.

If the Token Request message is accompanied by an HTTP cookie or cookies that together contain a valid authentication token, but the parameters relayed from the partner server are invalid, according to the predetermined criteria (as specified in section 1.5), the authentication server MUST respond with an Authentication Server Challenge message containing the da-status="failed-noretry" parameter.

If the value of either the OrgVerb parameter or the OrgUrl parameter is invalid, the processing of the Token Request message is implementation-specific.
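The decision rules above (valid parameters and valid token give a Token Response; valid parameters without a valid token give da-status="failed"; invalid parameters give da-status="failed-noretry" whether or not a valid token is present), as an added Python example that is not part of the specification. It assumes a constructed cookie name (auth-token), a constructed HMAC-based token format, and a static partner table, all standing in for the section 1.5 agreements; OrgVerb/OrgUrl handling is left implementation-specific and not modelled.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed configuration standing in for the section 1.5 agreements.
TOKEN_KEY = b"hypothetical-auth-server-key"          # assumption: shared secret
REALM, CBURL, CBTXT = "example.realm", "https://example.invalid/cb", "Example"
PARTNERS = {"partner.example": "https://partner.example/return"}  # partner -> ru

def issue_token(user: str) -> str:
    """Constructed token format 'user:hmac'; the real format is per section 1.5."""
    mac = hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def token_user(cookies: dict) -> Optional[str]:
    """Return the user named by a valid authentication-token cookie, else None."""
    tok = cookies.get("auth-token")
    if not tok or ":" not in tok:
        return None
    user, mac = tok.rsplit(":", 1)
    expected = hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so an invalid token cannot be refined by timing.
    return user if hmac.compare_digest(mac, expected) else None

def challenge(status: str) -> dict:
    """Authentication Server Challenge with the preconfigured realm/co-branding."""
    return {"message": "Authentication Server Challenge", "da-status": status,
            "srealm": REALM, "cburl": CBURL, "cbtxt": CBTXT,
            "ts": str(int(time.time()))}   # ts is private to the server

def process_token_request(params: dict, cookies: dict) -> dict:
    """Apply the Token Request decision rules to relayed params and cookies."""
    partner = params.get("partner")
    if partner not in PARTNERS:
        # Invalid partner parameters: no retry, regardless of the cookie state.
        return challenge("failed-noretry")
    user = token_user(cookies)
    if user is None:
        # Valid parameters but no cookie, or a cookie that fails validation.
        return challenge("failed")
    return {"message": "Token Response",
            "from-PP": f"partner-token-for-{user}",   # placeholder partner token
            "ru": PARTNERS[partner],
            "tname": ["auth-token"]}                   # cookie names set on client
```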