CIBA
An overview of OpenID Connect Client Initiated Backchannel Authentication
September 10, 2019
Anoop Saxena
OpenID Foundation, Co-Chair FAPI Working Group
Bjorn Hjelm
OpenID Foundation, Co-Chair MODRNA Working Group
What is CIBA?
The OpenID Connect Client Initiated Backchannel Authentication (CIBA) flow is an
authentication flow initiated via server-to-server communication between a Relying
Party (RP) and an OpenID Provider (OP), without redirects through the user’s browser,
that allows an RP that has an identifier for a user to obtain tokens from the OP.
The specification uses the concepts of a Consumption Device (on which the user
interacts with the RP) and an Authentication Device (on which the user authenticates
with the OP and grants consent). The user starts the flow with the RP on the
Consumption Device, and authenticates and grants consent on the Authentication
Device.
[Diagram: Client Application sends a backchannel authentication request to the
Backchannel Authentication Endpoint of the Authorization Server; this endpoint is
new, defined by CIBA.]
Every CIBA flow starts from a backchannel authentication request: the client sends a
backchannel authentication request to the backchannel authentication endpoint of the
authorization server.
Source: Authlete
[Diagram: Client Application, Backchannel Authentication Endpoint, Authorization
Server and Authentication Device, steps 1 to 3.]
1. The Backchannel Authentication Endpoint returns a response immediately.
2. The Authorization Server delegates the tasks of end-user authentication and
consent confirmation to the Authentication Device.
3. The Authentication Device passes the result to the Authorization Server.
Source: Authlete
Poll, Ping and Push
• Poll
– The RP polls the token endpoint with the auth_req_id until the OP returns the
tokens (or an error such as authorization_pending or slow_down).
• Ping
– The OP sends a notification carrying the auth_req_id to the RP’s client
notification endpoint; the RP then gets the tokens from the token endpoint.
• Push
– The OP pushes the tokens themselves to the RP’s client notification endpoint.
Three token delivery modes. The client receives an ID Token, an Access Token and
optionally a Refresh Token through either the Poll, Ping or Push mode (the mode is
established by the client at registration time).
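The exchange described on the preceding three slides (backchannel authentication request, immediate response, Authentication Device result, then token delivery by poll, ping or push), as an added example that is not part of the original presentation and not Authlete's code. It simulates both sides in memory: an OpenID Provider with the backchannel authentication endpoint and the token endpoint, and a Relying Party that runs each delivery mode. Parameter, grant-type and error names follow CIBA Core; the tokens are placeholder strings, the ID token is a plain claims dict rather than a signed JWT, and the class and method names, the 120-second expiry and the 5-second interval are assumptions made for the example.

```python
"""Constructed, offline simulation of the CIBA exchange on the slides (an added example, not
code from the presentation or from Authlete). An in-memory OpenID Provider serves the
backchannel authentication and token endpoints and receives the Authentication Device's
result; an in-memory Relying Party exercises the poll, ping and push delivery modes. Field and
error names follow CIBA Core; tokens and the unsigned ID-token dict are simplifying assumptions."""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
AUTH_REQ_ID_CLAIM = "urn:openid:params:jwt:claim:auth_req_id"  # push-mode ID tokens carry this


class OpenIDProvider:
    def __init__(self, clock):
        self.clock = clock    # returns seconds; injected so a test can advance time deterministically
        self.clients = {}     # client_id -> {"mode": "poll"|"ping"|"push", "notify": callable}
        self.requests = {}    # auth_req_id -> request state

    def backchannel_authentication(self, client_id, params):
        """Backchannel authentication endpoint: validate, store state, answer immediately."""
        hints = [h for h in ("login_hint", "login_hint_token", "id_token_hint") if h in params]
        if ("openid" not in params.get("scope", "").split() or len(hints) != 1
                or (self.clients[client_id]["mode"] != "poll" and not params.get("client_notification_token"))):
            return 400, {"error": "invalid_request"}  # ping and push also need the callback bearer token
        auth_req_id = secrets.token_urlsafe(24)
        self.requests[auth_req_id] = {
            "client_id": client_id, "user": params[hints[0]], "status": "pending", "tokens": None,
            "notification_token": params.get("client_notification_token"),
            "expires_at": self.clock() + 120, "interval": 5, "last_poll": None,
        }
        return 200, {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def authentication_device_result(self, auth_req_id, approved):
        """Step 3 on the slide: the Authentication Device reports the user's decision."""
        req = self.requests[auth_req_id]
        req["status"] = "approved" if approved else "denied"
        if approved:
            req["tokens"] = {
                "access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 300,
                "id_token": {"sub": req["user"], "aud": req["client_id"], AUTH_REQ_ID_CLAIM: auth_req_id},
            }
        client = self.clients[req["client_id"]]
        header = "Bearer " + (req["notification_token"] or "")
        if client["mode"] == "ping":    # ping: notify only; the RP then calls the token endpoint
            client["notify"](header, {"auth_req_id": auth_req_id})
        elif client["mode"] == "push":  # push: the callback itself carries the tokens or the error
            req["status"] = "consumed"
            client["notify"](header, {"auth_req_id": auth_req_id, **(req["tokens"] or {"error": "access_denied"})})

    def token(self, client_id, params):
        """Token endpoint handling the CIBA grant type (poll and ping modes)."""
        req = self.requests.get(params.get("auth_req_id"))
        if params.get("grant_type") != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return 400, {"error": "invalid_grant"}
        now = self.clock()
        if now > req["expires_at"]:
            return 400, {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < req["interval"]:
            req["interval"] += 5        # polled faster than the advertised interval: back off
            return 400, {"error": "slow_down"}
        req["last_poll"] = now
        errors = {"pending": "authorization_pending", "denied": "access_denied", "consumed": "invalid_grant"}
        if req["status"] in errors:
            return 400, {"error": errors[req["status"]]}  # consumed: an auth_req_id yields tokens once
        req["status"] = "consumed"
        return 200, req["tokens"]


class RelyingParty:
    def __init__(self, client_id, mode, op):
        self.client_id, self.mode, self.op = client_id, mode, op
        self.pending = {}     # client_notification_token -> auth_req_id awaiting a callback
        self.results = {}     # auth_req_id -> token response (or error body) received
        op.clients[client_id] = {"mode": mode, "notify": self.client_notification_endpoint}

    def start(self, login_hint, binding_message=None):
        """Consumption Device side: send the backchannel authentication request."""
        params = {"scope": "openid", "login_hint": login_hint}
        if binding_message:
            params["binding_message"] = binding_message  # shown on both devices to bind them
        if self.mode != "poll":
            params["client_notification_token"] = secrets.token_urlsafe(16)
        status, body = self.op.backchannel_authentication(self.client_id, params)
        if status != 200:
            raise RuntimeError(body["error"])
        if self.mode != "poll":
            self.pending[params["client_notification_token"]] = body["auth_req_id"]
        return body["auth_req_id"]

    def poll(self, auth_req_id):
        """Token request with the CIBA grant; returns the OP's (status, body)."""
        return self.op.token(self.client_id, {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})

    def client_notification_endpoint(self, authorization, body):
        """Ping/push callback: accept only a bearer token this RP minted for that auth_req_id."""
        token = authorization[7:] if authorization.startswith("Bearer ") else ""
        if not token or self.pending.get(token) != body.get("auth_req_id"):
            return 401
        auth_req_id = self.pending.pop(token)
        self.results[auth_req_id] = self.poll(auth_req_id)[1] if self.mode == "ping" else body
        return 204
```

Two details worth noticing when running it: the client_notification_token is minted by the RP per request and is the only thing that authenticates the OP's ping or push callback, so the RP must reject a callback whose bearer token it does not recognise or whose auth_req_id does not match; and the OP answers a poll that arrives before the advertised interval with slow_down and widens the interval, while a consumed auth_req_id can never be redeemed a second time.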
FAPI Profile of CIBA
• The Financial-grade API: Client Initiated Backchannel Authentication Profile
specification profiles the CIBA Core specification and provides security
recommendations for its use with APIs that require financial-grade security.
– Recommendations for CIBA implementation with Financial-grade
API Part 1: Read-Only API Security Profile and Part 2: Read and Write
API Security Profile.
– Accessing protected resources (when the client does not control the
consumption device).
– Security considerations (such as binding between Authentication and
Consumption Devices, JWS/JWE algorithm considerations and CIBA
token delivery modes).
Specification Status
Specification: OpenID Connect Client Initiated Backchannel Authentication Flow – Core
Status: Implementer’s Draft
Reference: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
Specification: Financial-grade API: Client Initiated Backchannel Authentication Profile
Status: Implementer’s Draft
Reference: https://openid.net/specs/openid-financial-api-ciba.html
More information available at https://openid.net/developers/specs/
Thank you
http://openid.net/
