We came across a use case where, if a policy requires a specific factor (i.e. biometrics), the user does not have that type of credential registered, AND inline enrollment is disabled, the auth manager replies with AUTH_DENIED and no other message. We would like a more specific API response so that we can direct the user to register a credential from our self-service application.
Example response when calling /authenticate:
{
"flowState": "R3FGdTlyMGoxWGhoemhQVWdZTk91UGYrYTU4MEQ1V1c0MVBQcUlJZDNKc2Nqc2VPUjR1Sm5tbkg1cjI4TUo4UkRTMmw4SDYySDg2TE91dEkzaEIrUmxtTSttcjdqQVVqM21RVlRYQVR2ZjRnNllvSXJIL2w5cWVUaWl6T0N2MGNCQys0cERqZVl1SGlsUk0xMFplaUNwVmYyRzFncjZBazV4RUFTYlhpOXRxZm4za3Rlajd2N09oYUVaa",
"userName": "XBBLK41",
"nextaction": "AUTH_DENIED",
"authCompleteUrl": "https://authhub.dev.net/default/oauth2/v1/authcomplete?x-flow-state=R3FGdTlyMGoxWGhoemhQVWdZTk91UGYrYTU4MEQ1V1c0MVBQcUlJZDNKc2Nqc2VPUjR1Sm5tbkg1cjI4TUo4UkRTMmw4SDYySDg2TE91dEkzaEIrUmxtTSttcjdqQVVqM21RVlRYQVR2ZjRnNllvSXJIL2w5cWVUaWl6T0N2MGNCQys0cERqZVl1SGlsUk0xMFplaUNwVmYyRzFncjZBazV4RUFTYlhpOXRxZm4za3Rlajd2N09oYUVaa",
"additional": {
"userName": "123456",
"idpName": "LDAP Dev",
"idpGuid": "2db2dc95-5a2d-4ee1-a005-27b5b12a5d30",
"idpType": "ldap",
"currentFactorLevel": 1
}
}
Release : Oct.05
Currently, the AuthHub product returns a generic error message. The product team has acknowledged this issue, and in a future release these error messages will be more meaningful. There is no date tied to that release yet, but the KB will be updated once we have details.