Gluu Client Initiated Backchannel Authentication

The Gluu Server now supports CIBA. Improve the end-user experience during authentication and authorization.

OpenID Connect Client Initiated Backchannel Authentication Flow is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is a direct Relying Party to OpenID Provider communication without redirects through the user’s browser. CIBA enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms.

CIBA allows a client application, known as a consumption device, to obtain authentication and consent from a user without requiring the user to interact with the client directly. Instead, the client application can initiate a backchannel request to the user’s authentication device, such as a smartphone with an authenticator app installed, to authenticate the user and consent to the operation.

This specification does not change the semantics of the OpenID Connect Authentication flow. It introduces a new endpoint to which the authentication request is posted. It introduces a new asynchronous method for authentication result notification or delivery. It does not introduce new scope values nor does it change the semantics of standard OpenID Connect parameters.