jspωiki
OpenID Connect Client Initiated Backchannel Authentication Flow

Overview#

OpenID Connect Client Initiated Backchannel Authentication Flow (CIBA) is a specification written by MODRNA Working Group of OpenID Foundation defines a new OAuth 2.0 Grant Type where user consent can be requested through an Out of Band Request flow..

OpenID Connect Client Initiated Backchannel Authentication Flow public review period for the specification started on Dec. 14, 2018 and it was approved on Feb. 4, 2019.

CIBA flows, the Authorization Server delegates the tasks of End-User authentication and consent confirmation to an authentication device of the end-user. A smartphone is a typical example of authentication devices. This process is performed on the background after a response is returned from the backchannel authentication endpoint to the OAuth Client application.

OpenID Connect Client Initiated Backchannel Authentication Flow flows allows the OAuth Client application is not under the control of the End-User and it can be physically separated from the authentication device. For example, CIBA can support a use case where a OAuth Client application is running on a computer in front of an operator working in a call center in Okinawa, while end-user authentication and consent confirmation are performed on a smartphone at the hand of the end-user who has made the call to the call center from Tokyo.

OpenID Connect Client Initiated Backchannel Authentication Flow allows the ability to complete the authorization, the user can receive a push Notification sent to the financial institution’s native mobile app running on the user’s phone, allowing the customer to avoid confusing Redirection via web browsers.

Financial API (FAPI) OpenID Connect Client Initiated Backchannel Authentication Flow#

There is also a FAPI version of OpenID Connect Client Initiated Backchannel Authentication Flow that supports this decoupled interaction method. The CIBA spec allows a client that gains knowledge of an identifier for the user to obtain tokens from the Authorization Server. The user consent is given at the user's Authentication Device mediated by the Authorization Server. This document profiles the CIBA specification to bring it in line with the other FAPI parts and provides security recommendations for its use with APIs that require financial-grade security.

Although it is possible to code an OpenID Connect Provider and Relying Party from first principles using this specification, the main audience for this specification is parties who already have a certified implementation of OpenID Connect and want to achieve a higher level of security. Implementors are encouraged to understand the security considerations contained in section 7.5 before embarking on a 'from scratch' implementation.

More Information#

There might be more information for this subject on one of the following: