If the user doesn't approve the authentication request, the PKSA will send a refusal message to the HAS. The HAS will then forward the following message to the APP:
auth_nack
{
cmd: "auth_nack",
uuid: string,
data: string
}
uuid: the request identifier
data: the uuid encrypted with auth_key and converted to Base64
The APP can decrypt data with the auth_key and check that the result matches the uuid. This confirms that the auth_nack message comes from a PKSA it has previously shared the auth_key with, and prevents a malicious actor operating a HAS server from forging the refusal of a request.
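One way the APP could perform this check, shown as an added example that is not code from the protocol documentation or the project. The page does not name the cipher, so the example assumes passphrase-based AES-256-CBC in the OpenSSL "Salted__" envelope; the function names, the `pending` map and the sample values are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// OpenSSL EVP_BytesToKey (MD5, one round): 32-byte key + 16-byte IV from passphrase and salt.
function deriveKeyIv(passphrase, salt) {
  let block = Buffer.alloc(0), out = Buffer.alloc(0);
  while (out.length < 48) {
    block = nodeCrypto.createHash("md5").update(Buffer.concat([block, Buffer.from(passphrase, "utf8"), salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// Stand-in for the PKSA side, used here only to build constructed messages.
function encryptWithAuthKey(plaintext, authKey) {
  const salt = nodeCrypto.randomBytes(8);
  const { key, iv } = deriveKeyIv(authKey, salt);
  const c = nodeCrypto.createCipheriv("aes-256-cbc", key, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([Buffer.from("Salted__"), salt, body]).toString("base64");
}

function decryptWithAuthKey(b64, authKey) {
  const raw = Buffer.from(b64, "base64");
  if (raw.length < 32 || raw.subarray(0, 8).toString("latin1") !== "Salted__") throw new Error("bad envelope");
  const { key, iv } = deriveKeyIv(authKey, raw.subarray(8, 16));
  const d = nodeCrypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]);
}

// APP side: accept a refusal only if data decrypts, under the auth_key stored for
// that request, to exactly the uuid. `pending` maps request uuid -> auth_key.
function verifyAuthNack(msg, pending) {
  if (!msg || msg.cmd !== "auth_nack" || typeof msg.uuid !== "string" || typeof msg.data !== "string") return false;
  const authKey = pending.get(msg.uuid);
  if (authKey === undefined) return false; // no such pending request
  let plain;
  try { plain = decryptWithAuthKey(msg.data, authKey); } catch (e) { return false; }
  // CBC carries no integrity tag, so a clean decrypt proves nothing: compare with the uuid.
  const expected = Buffer.from(msg.uuid, "utf8");
  return plain.length === expected.length && nodeCrypto.timingSafeEqual(plain, expected);
}

// Constructed sample values, not taken from any real session.
const SAMPLE_UUID = "11111111-2222-4333-8444-555555555555";
const SAMPLE_KEY = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee";
const pendingRequests = new Map([[SAMPLE_UUID, SAMPLE_KEY]]);
const genuine = { cmd: "auth_nack", uuid: SAMPLE_UUID, data: encryptWithAuthKey(SAMPLE_UUID, SAMPLE_KEY) };
const forged = { cmd: "auth_nack", uuid: SAMPLE_UUID, data: encryptWithAuthKey(SAMPLE_UUID, "key-the-has-made-up") };
console.log(verifyAuthNack(genuine, pendingRequests), verifyAuthNack(forged, pendingRequests)); // true false
```

A rejected auth_nack leaves the request pending until it is answered validly or times out, so a forged refusal cannot cancel it.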