Client Initiated Backchannel Authentication

The Gluu Server now supports CIBA. Improve the end-user experience during authentication and authorization.

OpenID Connect Client Initiated Backchannel Authentication Flow is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is a direct Relying Party to OpenID Provider communication without redirects through the user’s browser. CIBA enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms.

CIBA allows a client application, known as a consumption device, to obtain authentication and consent from a user without requiring the user to interact with the client directly. Instead, the client application can initiate a backchannel request to the user’s authentication device, such as a smartphone with an authenticator app installed, to authenticate the user and consent to the operation.

This specification does not change the semantics of the OpenID Connect Authentication flow. It introduces a new endpoint to which the authentication request is posted. It introduces a new asynchronous method for authentication result notification or delivery. It does not introduce new scope values nor does it change the semantics of standard OpenID Connect parameters.

Have an IAM project you would like to discuss?