Client Initiated Backchannel Authentication (CIBA) is one of the newer standards from the OpenID Foundation. It defines authentication and authorization flows categorized as a "decoupled flow", in contrast to the traditional OAuth / OpenID Connect "redirect flow" in which the user's browser is redirected between the client and the authorization server. CIBA enables new ways of obtaining an end user's consent that can significantly improve the customer experience.
CIBA defines two types of devices: the Consumption Device and the Authentication Device. The Consumption Device initiates the CIBA flow: its OpenID Connect (OIDC) Relying Party (RP, the client) determines which OpenID Provider (OP) to use and how to identify the target user (a login_hint, login_hint_token or id_token_hint), then sends a backchannel authentication request to the OP's backchannel authentication endpoint. The OP sends a notification to the target user's Authentication Device. Once the user authenticates to the OP with the Authentication Device and, optionally, authorizes the request, the OP returns tokens to the client, such as an OAuth access token and refresh token and an OIDC ID token, via the token delivery mode the client registered (poll, ping or push).
Note that the two devices are decoupled from each other: they do not have to be in the same place, and they communicate only through the OP, never directly. In addition, the person who kicks off the flow on the Consumption Device is not necessarily the target user holding the Authentication Device. This architecture brings more flexibility to user authentication and consent, which is also why a binding message shown on both devices matters: it lets the user confirm that the request they are approving is the one they expect.
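To make the exchange above concrete, here is an added example (not Authlete's code or part of the original page) that simulates a CIBA poll-mode flow in memory: the Consumption Device's client calls the backchannel authentication endpoint, the OP notifies the Authentication Device, the user approves there, and the client polls the token endpoint with the `urn:openid:params:grant-type:ciba` grant until tokens are issued. The message names and error codes (`auth_req_id`, `authorization_pending`, `slow_down`, `expired_token`, `access_denied`, `unknown_user_id`) follow CIBA Core 1.0; the client IDs, secrets, the user `alice@example.com`, the issuer URL and the injected integer clock are constructed assumptions for the demo. Client authentication is modelled as a shared client secret and the ID token is signed with HS256 under that secret, which is one of the options OIDC Core allows.

```python
"""Simulated CIBA poll-mode exchange: Consumption Device (client), OP, Authentication Device."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
ISSUER = "https://op.example"          # assumed issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def hs256_jwt(claims: dict, key: str) -> str:
    """Compact JWS signed with HS256 under the client secret (permitted by OIDC Core)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_hs256_jwt(token: str, key: str) -> dict:
    """Verifies the HS256 signature and returns the claims; raises on a bad signature."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


@dataclass
class AuthRequest:
    client_id: str
    login_hint: str
    scope: str
    created: int
    expires_in: int = 120
    interval: int = 5
    status: str = "pending"      # pending -> approved | denied
    last_poll: int = -10**9      # sentinel: no poll yet


class OpenIDProvider:
    """OP side: backchannel authentication endpoint + token endpoint. `clock` returns int seconds."""

    def __init__(self, clients: dict, users: dict, clock):
        self.clients = clients           # client_id -> client_secret (constructed)
        self.users = users               # login_hint -> subject identifier (constructed)
        self.clock = clock
        self.requests: dict[str, AuthRequest] = {}
        self.device_inbox: list[dict] = []   # notifications delivered to Authentication Devices

    def _client_ok(self, client_id, client_secret):
        return hmac.compare_digest(self.clients.get(client_id, ""), client_secret)

    def backchannel_authentication(self, client_id, client_secret, scope, login_hint, binding_message=None):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        if login_hint not in self.users:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(32)
        req = AuthRequest(client_id, login_hint, scope, self.clock())
        self.requests[auth_req_id] = req
        # Decoupled step: the OP, not the Consumption Device, reaches the user's Authentication Device
        self.device_inbox.append({"auth_req_id": auth_req_id, "user": login_hint, "client_id": client_id,
                                  "scope": scope, "binding_message": binding_message})
        return {"auth_req_id": auth_req_id, "expires_in": req.expires_in, "interval": req.interval}

    def authentication_device_result(self, auth_req_id, user, approve: bool):
        """Recorded after the user has authenticated to the OP on their own device."""
        req = self.requests[auth_req_id]
        if req.login_hint != user or req.status != "pending":
            raise ValueError("no pending request for this user")
        req.status = "approved" if approve else "denied"

    def token(self, client_id, client_secret, grant_type, auth_req_id):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}        # auth_req_id is bound to the client that requested it
        now = self.clock()
        if now - req.created > req.expires_in:
            return {"error": "expired_token"}
        if now - req.last_poll < req.interval:
            return {"error": "slow_down"}            # polled faster than `interval`; back off by 5 s
        req.last_poll = now
        if req.status == "pending":
            return {"error": "authorization_pending"}
        if req.status == "denied":
            return {"error": "access_denied"}
        del self.requests[auth_req_id]               # auth_req_id is single use
        id_token = hs256_jwt({"iss": ISSUER, "sub": self.users[req.login_hint], "aud": client_id,
                              "iat": now, "exp": now + 600}, client_secret)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "id_token": id_token}


def run_poll_mode_demo():
    """Plays the whole flow; returns the backchannel response and the token-endpoint responses in order."""
    clock = [1000]
    op = OpenIDProvider({"cd-client": "cd-secret"}, {"alice@example.com": "user-1234"}, lambda: clock[0])
    # 1. Consumption Device (e.g. a point-of-sale terminal) starts the flow for alice
    ba = op.backchannel_authentication("cd-client", "cd-secret", "openid payment",
                                       "alice@example.com", binding_message="W4SCT")
    poll = lambda: op.token("cd-client", "cd-secret", CIBA_GRANT, ba["auth_req_id"])
    responses = [poll()]                 # authorization_pending
    clock[0] += 1
    responses.append(poll())             # slow_down: polled again before `interval` elapsed
    # 2. Authentication Device: alice checks the binding message W4SCT and approves
    note = op.device_inbox[-1]
    op.authentication_device_result(note["auth_req_id"], note["user"], approve=True)
    clock[0] += ba["interval"]
    responses.append(poll())             # tokens issued
    responses.append(poll())             # invalid_grant: auth_req_id already consumed
    return ba, responses


if __name__ == "__main__":
    _, out = run_poll_mode_demo()
    for r in out:
        print(r)
```

The checks a practitioner should note are the ones the spec relies on: the `auth_req_id` is only redeemable by the client that created it, it is single use, it expires, and a client polling faster than `interval` is told to slow down. The binding message reaching the Authentication Device is what lets the user tell this request apart from one a stranger started on another Consumption Device.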
Authlete is a pioneer in supporting CIBA. We have implemented CIBA Core 1.0 since February 2019 and have been granted certifications for the Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA) conformance profiles.
We also actively participate in developing CIBA Core and related specifications (e.g. Financial-grade API: Client Initiated Backchannel Authentication Profile) in the OpenID Foundation's Financial-grade API (FAPI) Working Group.
Please check this document.