CIBA - Client Initiated Backchannel Authentication

Client Initiated Backchannel Authentication (CIBA) enables decoupled authentication where the client initiates an authentication request and the user confirms on a separate device (e.g., mobile phone push notification).

Admin CIBA Endpoints

Initiate CIBA Authentication

Start a CIBA authentication request for a user.

Endpoint: POST /uflow/admin/ciba/auth

Headers

Header         Type    Required  Description
Authorization  string  Yes       Admin Bearer JWT token

Request Body

{
"client_id": "string",
"login_hint": "string",
"scope": "string",
"binding_message": "string"
}

Parameters

Parameter        Type    Required  Description
client_id        string  Yes       Client application ID
login_hint       string  Yes       User identifier (email or user ID)
scope            string  No        Requested scopes
binding_message  string  No        Message displayed to the user on their device

Response

Success (200):

{
"auth_req_id": "string",
"expires_in": 300,
"interval": 5
}

Poll CIBA Token

Poll for the authentication result after a CIBA request has been initiated.

Endpoint: POST /uflow/admin/ciba/token

Request Body

{
"auth_req_id": "string",
"client_id": "string"
}

Response

Success (200):

{
"access_token": "string",
"refresh_token": "string",
"token_type": "bearer",
"expires_in": 3600
}

Pending (428):

{
"error": "authorization_pending"
}

Complete CIBA Authentication

User confirms or denies the CIBA authentication request.

Endpoint: POST /uflow/admin/ciba/complete

Headers

Header         Type    Required  Description
Authorization  string  Yes       Bearer JWT token (of the user)

Request Body

{
"auth_req_id": "string",
"approved": true
}

Response

Success (200):

{
"message": "Authentication request completed"
}

Get CIBA Request Status

Check status of a CIBA authentication request.

Endpoint: GET /uflow/admin/ciba/status/{auth_req_id}

Path Parameters

Parameter    Type    Required  Description
auth_req_id  string  Yes       CIBA request ID

Response

Success (200):

{
"auth_req_id": "string",
"status": "pending | approved | denied | expired",
"expires_in": 300
}

List CIBA Requests

Get all pending CIBA requests for the tenant.

Endpoint: GET /uflow/admin/ciba/requests

Response

Success (200):

[
{
"auth_req_id": "string",
"client_id": "string",
"login_hint": "string",
"status": "pending",
"created_at": "string",
"expires_in": 300
}
]

Cancel CIBA Request

Cancel a pending CIBA authentication request.

Endpoint: DELETE /uflow/admin/ciba/requests/{auth_req_id}

Response

Success (200):

{
"message": "CIBA request cancelled"
}

Tenant (End-User) CIBA Endpoints

Initiate CIBA (End-User)

Start a CIBA authentication request from the user context.

Endpoint: POST /uflow/user/ciba/auth

Headers

Header         Type    Required  Description
Authorization  string  Yes       End-user Bearer JWT token

Request Body

{
"client_id": "string",
"login_hint": "string",
"scope": "string",
"binding_message": "string"
}

Response

Success (200):

{
"auth_req_id": "string",
"expires_in": 300,
"interval": 5
}

Poll CIBA Token (End-User)

Endpoint: POST /uflow/user/ciba/token

Request Body

{
"auth_req_id": "string",
"client_id": "string"
}

Response

Success (200):

{
"access_token": "string",
"refresh_token": "string",
"token_type": "bearer",
"expires_in": 3600
}

Complete CIBA (End-User)

Endpoint: POST /uflow/user/ciba/complete

Request Body

{
"auth_req_id": "string",
"approved": true
}

Response

Success (200):

{
"message": "Authentication request completed"
}

Get CIBA Status (End-User)

Endpoint: GET /uflow/user/ciba/status/{auth_req_id}

Response

Success (200):

{
"auth_req_id": "string",
"status": "pending | approved | denied | expired"
}

List CIBA Requests (End-User)

Endpoint: GET /uflow/user/ciba/requests

Response

Success (200):

[
{
"auth_req_id": "string",
"client_id": "string",
"status": "pending",
"created_at": "string"
}
]

Cancel CIBA Request (End-User)

Endpoint: DELETE /uflow/user/ciba/requests/{auth_req_id}

Response

Success (200):

{
"message": "CIBA request cancelled"
}

CIBA Flow

Client App                AuthSec                 User Device
    |                         |                         |
    |-- POST /ciba/auth ----->|                         |
    |<-- auth_req_id ---------|                         |
    |                         |-- Push notification --->|
    |                         |                         |
    |                         |<-- POST /ciba/complete -|
    |                         |    (approved: true)     |
    |                         |                         |
    |-- POST /ciba/token ---->|                         |
    |<-- access_token --------|                         |
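The client-app side of the flow above, as an added example that is not the product's own code: it calls the admin initiate and token endpoints documented on this page, sends binding_message so the user can match the prompt on their device to this request, sleeps for the returned interval between polls, treats a 428 authorization_pending as "keep waiting", and gives up at expires_in rather than polling forever. The send callable (wrap requests or httpx in real use), the FakeAuthSec stand-in, and every token and ID value are constructed for offline use.

```python
import time
BASE = "/uflow/admin/ciba"  # admin paths documented above

class CibaClient:
    def __init__(self, send, admin_token, sleep=time.sleep, clock=time.monotonic):
        self.send, self.sleep, self.clock = send, sleep, clock  # send(method, path, body, headers) -> (status, json)
        self.headers = {"Authorization": f"Bearer {admin_token}"}

    def initiate(self, client_id, login_hint, scope=None, binding_message=None):
        body = {"client_id": client_id, "login_hint": login_hint}
        body.update({k: v for k, v in (("scope", scope), ("binding_message", binding_message)) if v})
        status, data = self.send("POST", f"{BASE}/auth", body, self.headers)
        if status != 200:
            raise RuntimeError(f"initiate failed: {status} {data}")
        return data  # auth_req_id, expires_in, interval

    def wait_for_token(self, auth_req_id, client_id, interval, expires_in):
        # Poll no faster than `interval` and stop at `expires_in` instead of polling forever.
        deadline = self.clock() + expires_in
        body = {"auth_req_id": auth_req_id, "client_id": client_id}
        while self.clock() < deadline:
            status, data = self.send("POST", f"{BASE}/token", body, self.headers)
            if status == 200:
                return data
            if status == 428 and data.get("error") == "authorization_pending":
                self.sleep(interval)
                continue
            raise RuntimeError(f"token request rejected: {status} {data}")  # e.g. user denied
        raise TimeoutError("CIBA request expired before the user responded")

class FakeAuthSec:
    # Constructed offline stand-in for the server: pending until the user "approves" on poll N.
    def __init__(self, approve_on_poll):
        self.approve_on_poll, self.polls = approve_on_poll, 0

    def __call__(self, method, path, body, headers):
        if path.endswith("/auth"):
            return 200, {"auth_req_id": "req-constructed", "expires_in": 300, "interval": 5}
        self.polls += 1
        if self.polls < self.approve_on_poll:
            return 428, {"error": "authorization_pending"}
        return 200, {"access_token": "at-constructed", "token_type": "bearer", "expires_in": 3600}

def run_flow(approve_on_poll=3):
    server, now = FakeAuthSec(approve_on_poll), [0.0]  # fake clock: the demo runs instantly
    client = CibaClient(server, "admin-token-constructed",
                        sleep=lambda s: now.__setitem__(0, now[0] + s), clock=lambda: now[0])
    req = client.initiate("app-constructed", "alice@example.test", binding_message="Approve sign-in")
    tokens = client.wait_for_token(req["auth_req_id"], "app-constructed", req["interval"], req["expires_in"])
    return tokens, server.polls, now[0]  # (tokens, number of polls, seconds waited)
```

With the server approving on the third poll, run_flow() returns the token after 3 polls and 10 simulated seconds; a server that never approves raises TimeoutError after 60 polls (300 s / 5 s).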