Client-Initiated Backchannel Authentication (CIBA)

Learn more about Client-Initiated Backchannel Authentication.

Prerequisites

  • Set up IBM Security Verify Access OIDC Provider (ISVAOP).
  • Set up an application or relying party that supports client-initiated backchannel authentication flow.

Configuring ISVAOP

  • Ensure the urn:openid:params:grant-type:ciba grant type is enabled in provider.yml.

    # Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
    definition:
      grant_types:
        - "urn:openid:params:grant-type:ciba"
    
  • Create a new static client configuration file, client_ciba.yml, with the following content:

    # Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
    client_id: client_ciba
    client_secret: "OBF:U2FsdGVkX1989Y/UBwz1BNPbIkv0hgBTcoynJtlRt56hu3TGX+5Kdi4TJ6MLMYtO" # ahwoaor82noawasg
    client_name: CIBA Client
    enabled: true
    grant_types:
      - urn:openid:params:grant-type:ciba
    token_endpoint_auth_method: default
    backchannel_token_delivery_mode: poll
    backchannel_user_code_parameter: false
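
What a relying party does against a client configured with backchannel_token_delivery_mode: poll, as an added example that is not part of the ISVAOP project's resources: it sends the backchannel authentication request, then polls the token endpoint with the CIBA grant type until the user responds. The post transport and the "backchannel" / "token" endpoint labels are hypothetical and supplied by the caller; the parameter names and error codes follow the OpenID Connect CIBA Core specification.

```python
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type enabled in provider.yml


def ciba_poll(post, login_hint, scope="openid", binding_message=None,
              sleep=time.sleep, clock=time.monotonic):
    """Run the CIBA poll flow and return the token response.

    post(endpoint, form) -> (http_status, json_dict) is a caller-supplied
    (hypothetical) transport that adds client authentication for client_ciba
    and maps "backchannel" / "token" to the provider's real endpoint URLs.
    """
    form = {"scope": scope, "login_hint": login_hint}
    if binding_message:
        form["binding_message"] = binding_message
    # No user_code is sent: the client has backchannel_user_code_parameter: false.
    status, body = post("backchannel", form)
    if status != 200 or "auth_req_id" not in body:
        raise RuntimeError(f"backchannel request rejected: {body.get('error')}")

    auth_req_id = body["auth_req_id"]
    interval = body.get("interval", 5)        # CIBA default when omitted
    deadline = clock() + body["expires_in"]   # lifetime of the auth_req_id

    while clock() < deadline:
        sleep(interval)
        status, body = post("token", {"grant_type": CIBA_GRANT,
                                      "auth_req_id": auth_req_id})
        if status == 200:
            return body                       # access_token, id_token, ...
        error = body.get("error")
        if error == "authorization_pending":
            continue                          # user has not answered yet
        if error == "slow_down":
            interval += 5                     # back off by at least 5 seconds
            continue
        # access_denied, expired_token, invalid_grant, ...: stop polling
        raise RuntimeError(f"CIBA flow failed: {error}")
    raise TimeoutError("auth_req_id expired before the user responded")
```

Treating every error other than authorization_pending and slow_down as terminal keeps a denied or expired request from being retried indefinitely.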