CIBA is an acronym for Client Initiated Backchannel Authentication and its based on OpenID Connect. CIBA allows a client application, known as a consumption device, to obtain authentication and consent from a user without requiring the user to interact with the client directly. Instead, the client application can initiate a backchannel request to the user's authentication device, such as a smartphone with an authenticator app installed, to authenticate the user and consent to the operation.
The Backchannel Request grant is used when performing CIBA. The following diagram demonstrates the Backchannel Request grant flow:
More information can be found in the following blog post
For CIBA integration the OpenID Provider (Audkenni) and the Client (Relying Party in OpenID connect flow) first need to exchange their endpoints, signing data and credentials which each other.
2.1. Information provided by the OpenID provider:
The endpoints of the OpenID Provider are static and can be found here (together with other information about the Audkenni provider). The most important endpoints are:
Next to that, the OpenID Provider will provide a client_id and a client_secret to the Client (Relying Party)
2.2. Information provided by the Client:
The Relying Party only needs to provide the information how he is going to sign the request JWT in order for to validate it. e.g. In case the clients signs the JWT with a private key the OpenID provider will need the public key. If the client uses a JSON web key then the OpenID provider would need the Public key of that web key
In some cases, the Client is also an OpenID provider that received a request from other Clients and relies on Audkenni for the actual signing. This scenario is seen in the picture below.
In this case, Audkenni mandates that the information about the original Relying Party (RelatedPartyParty) is provided in the signing request as the first attribute of the RELATEDPARTY scope url parameter, e.g.:
Next to the scope the following parameters can be modified:
In case the sim solution is used to sign the message this MUST contain the mobile number of the user
In case of a proxy scenario this should contain the name of the initial requesting party
This determines the method that is going to be used to sign the message. Valid values are sim_sign and nexus_sign
This is the message that the user will see when receiving the sign request
This is the actual content that will be signed
This parameter is required when nexus_sign is used as acr_values. It contains the url of the nexus personal connection that is setup with the enduser. A example html page that will generate that script can be downloaded
The end result of the CIBA flow are two JWT tokens: the access_token and the id_token. The signing information can be found in the following attributes of the id_token:
The social security number
The certificate generated by the authenticator as a result of the sign request
The display name of the user
As a reference, a complete payload of a (decoded) id_token looks as follows: