Deny Action

The Deny authentication action terminates the ongoing authentication with an access denied error. It supports two different operation modes:

Mode                 Description
-------------------  -----------
Always               Always deny authentication.
Attribute Condition  Check for a boolean attribute and deny authentication if that attribute value matches the expected one.


The Curity Identity Server includes other actions that allow denying authentication using criteria such as date/time (e.g. Date/Time Deny Action) and geolocation (e.g. Geolocation Allow or Deny Country Action and Geolocation Impossible Journey Action).


The following configuration options are available:

Configuration                       Mandatory  Description
----------------------------------  ---------  -----------
always                              no         Always deny authentication.
attribute-condition                 no         Deny authentication depending on the presence of an attribute.
attribute-condition/name            yes        The name of the attribute.
attribute-condition/source          yes        The source of the attribute (subject-attributes, context-attributes, action-attributes).
attribute-condition/expected-value  no         The expected value of the attribute to deny authentication. Defaults to: true
error                               no         The error string used when the action denies the authentication.

Note that either always or attribute-condition must be specified.