I sent this comment to MODERNA:

2. In section 6.4, "Token Error Response", there is no way for the user to fix the error if the back channel communication fails. Although you are kicking off the authentication via backchannel, if the user can switch to front channel, she may be able to resolve a problem. For this reason, I would suggest you define a "claims_gathering_endpoint" which can be returned to the client, and in which the user could then interact with the AS.

Your claims gathering endpoint could be like an airline quickcode. For example, if I'm working with airline ABC, then the agent could tell me to direct my browser to https://abc.com/ciba/G5JQ2. Then you have a lot more options to fix the problem (especially if this claims gathering endpoint is on the OP, and you could put the subject through a multi-step authentication workflow).
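To make the proposal concrete, here is an added sketch (not code from the comment's author or from the CIBA specification) of how an AS could mint a short, single-use, expiring code, return it in the token error response, and redeem it when the user's browser arrives; the member name claims_gathering_endpoint, the base URL, the function names and the 8-character code format are all assumptions.

```python
# Added illustration of the proposed "claims_gathering_endpoint" member in a CIBA
# token error response. All names below are assumptions, not part of any spec.
import json
import secrets
import time

CLAIMS_GATHERING_BASE = "https://abc.com/ciba/"   # assumed AS-hosted endpoint
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I to avoid misreads
CODE_TTL_SECONDS = 300                              # short lifetime limits guessing

_pending = {}   # code -> (auth_req_id, expires_at); in-memory for the sketch


def issue_recovery_code(auth_req_id: str, now: float = None) -> str:
    """Mint an unguessable, time-limited code bound to one CIBA auth_req_id."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))  # ~40 bits
    _pending[code] = (auth_req_id, now + CODE_TTL_SECONDS)
    return code


def token_error_response(auth_req_id: str, error: str, now: float = None) -> dict:
    """Token endpoint error body plus the proposed member; the user is told
    out of band (e.g. by an agent) to open the URL in a browser."""
    code = issue_recovery_code(auth_req_id, now)
    return {
        "error": error,
        "error_description": "Backchannel authentication failed; "
                             "complete it in a browser at the URL below.",
        "claims_gathering_endpoint": CLAIMS_GATHERING_BASE + code,
    }


def redeem_recovery_code(code: str, now: float = None):
    """Called when the browser hits the endpoint. Returns the bound
    auth_req_id, or None if the code is unknown, expired or already used."""
    now = time.time() if now is None else now
    entry = _pending.pop(code, None)      # pop => strictly one-time use
    if entry is None:
        return None
    auth_req_id, expires_at = entry
    if now > expires_at:
        return None
    return auth_req_id


def client_recovery_url(error_body: str):
    """Client side: extract the recovery URL from a token error response."""
    body = json.loads(error_body)
    if "error" not in body:
        return None
    return body.get("claims_gathering_endpoint")
```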