1. What is CIBA
CIBA is an acronym for Client Initiated Backchannel Authentication and its based on OpenID Connect. CIBA allows a client application, known as a consumption device, to obtain authentication and consent from a user without requiring the user to interact with the client directly. Instead, the client application can initiate a backchannel request to the user's authentication device, such as a smartphone with an authenticator app installed, to authenticate the user and consent to the operation.
...
More information can be found in the following blog post
2. Integration
For CIBA integration the OpenID Provider (Audkenni) and the Client (Relying Party in OpenID connect flow) first need to exchange their endpoints, signing data and credentials which each other.
2.1. Information provided by the OpenID provider:
The endpoints of the OpenID Provider are static and can be found here (together with other information about the Audkenni provider). The most important endpoints are:
...
Next to that, the OpenID Provider will provide a client_id and a client_secret to the Client (Relying Party)
2.2. Information provided by the Client:
The Relying Party only needs to provide the information how he is going to sign the request JWT in order for to validate it. e.g. In case the clients signs the JWT with a private key the OpenID provider will need the public key. If the client uses a JSON web key then the OpenID provider would need the Public key of that web key
...
| Code Block |
|---|
{
"claims":
{
"login_hint": "8422263",
"scope": "openid profile signature RELATEDPARTY:clientname",
"acr_values": "sim-sign",
"iss": "clientid",
"aud": "https://idp.audkenni.is/oauth2/realms/root/realms/audkenni",
"exp": 238932499002,
"binding_message": "binding display message",
"binding_content": "binding content"
"nexus_url": "https://ms.audkenni.is/plugout-server-4.25.4/api/v1/1d29c733-cb05-4b82-a4f1-40acccf72284"
},
"key":"{{private_key}}",
"alg":"RS256"
}
|
Next to the scope the following parameters can be modified:
Parameter | Description | ||||
|---|---|---|---|---|---|
login_hint | In case the sim solution is used to sign the message this MUST contain the mobile number of the user | ||||
scope | In case of a proxy scenario this should contain the name of the initial requesting party | ||||
acr_values | This determines the method that is going to be used to sign the message. Valid values are sim_sign and nexus_sign | ||||
binding_message | This is the message that the user will see when receiving the sign request | ||||
binding_content | This is the actual content that will be signed | ||||
nexus_url | This parameter is required for the when nexus_sign is used as acr_values nexus_sign. It contains the url of the nexus personal connection that is setup with the enduser. A example html page that will generate that script can be downloaded
|
...
A postman collection that replicated the CIBA flow can be found here.