Implement CIBA Grant #2

@jokk-itu

Description

Problem

The CIBA specification has not been implemented.

Solution

Introduce a new grant_type of value "urn:openid:params:grant-type:ciba".

Discovery

Extend "grant_types_supported" with the new grant_type.
Add "backchannel_token_delivery_modes_supported" with the values "poll", "ping" and "push".
Add "backchannel_authentication_endpoint" with the value ISSUER/connect/ciba.
Add "backchannel_authentication_request_signing_alg_values_supported" as an array of JWS values.
Add "backchannel_user_code_parameter_supported" as a boolean with value "true".

Client metadata

Add "backchannel_token_delivery_mode" with one of the following values: "poll", "ping" or "push".
Add "backchannel_client_notification_endpoint" as a URI that must be HTTPS.
Add "backchannel_authentication_request_signing_alg" as a JWS value.
Add "backchannel_user_code_parameter" as a boolean.

Backchannel Authentication Endpoint

Implement the endpoint as HTTP POST.
The request content type is "application/x-www-form-urlencoded".

The following parameters can be expected:
scope, client_notification_token, acr_values, login_hint_token, id_token_hint, login_hint, binding_message, user_code and requested_expiry.

Client authentication is also expected.
The request can also be signed using the JAR specification.

The content type of the response is "application/json".
The successful status code is 200.
A successful response has the following parameters in the body: auth_req_id, expires_in and interval.

The error status code is 400 for invalid parameters.
The error status code is 401 for invalid client authentication.

Token Endpoint

Extend the endpoint with the CIBA grant_type.
The request parameters are "grant_type" and "auth_req_id".
The successful response returns access_token, id_token, token_type, scope and optionally a refresh_token if the client is authorized for that grant_type.

The error response can include the following error codes: "authorization_pending", "slow_down", "expired_token", "access_denied", "invalid_grant" and "unauthorized_client".
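The following is an added example (not code from the issue or the project) of the poll-mode state machine behind the two endpoints above: the backchannel authentication endpoint mints an auth_req_id with expires_in and interval, and the token endpoint maps the pending request's state to the error codes listed. The class and method names, the in-memory store and the placeholder token values are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
CIBA_GRANT = "urn:openid:params:grant-type:ciba"

@dataclass
class PendingAuth:
    client_id: str
    scope: str
    expires_at: float
    interval: int
    last_poll: float = 0.0
    decision: str = ""  # "" while pending, then "approved" or "denied"

class CibaServer:
    def __init__(self, client_grants: dict, now):
        self.client_grants = client_grants  # client_id -> set of grant_types the client may use
        self.now = now                      # clock callable, injected so expiry is testable
        self.pending = {}                   # auth_req_id -> PendingAuth (hypothetical in-memory store)

    def backchannel_authenticate(self, client_id: str, scope: str, requested_expiry: int = 120, interval: int = 5):
        # Successful backchannel authentication response body: auth_req_id, expires_in, interval.
        auth_req_id = secrets.token_urlsafe(32)
        self.pending[auth_req_id] = PendingAuth(client_id, scope, self.now() + requested_expiry, interval)
        return {"auth_req_id": auth_req_id, "expires_in": requested_expiry, "interval": interval}

    def complete(self, auth_req_id: str, approved: bool):
        # Outcome of the end-user's interaction on the authentication device, delivered out of band.
        self.pending[auth_req_id].decision = "approved" if approved else "denied"

    def token(self, client_id: str, auth_req_id: str):
        # Token endpoint handling for grant_type=CIBA_GRANT, after the client has authenticated.
        if CIBA_GRANT not in self.client_grants.get(client_id, set()):
            return {"error": "unauthorized_client"}
        req = self.pending.get(auth_req_id)
        if req is None or req.client_id != client_id:  # unknown, already consumed, or another client's id
            return {"error": "invalid_grant"}
        now = self.now()
        if now >= req.expires_at:
            del self.pending[auth_req_id]
            return {"error": "expired_token"}
        if now - req.last_poll < req.interval:  # polled faster than the advertised interval
            return {"error": "slow_down"}
        req.last_poll = now
        if not req.decision:
            return {"error": "authorization_pending"}
        del self.pending[auth_req_id]  # auth_req_id is single use whatever the decision
        if req.decision == "denied":
            return {"error": "access_denied"}
        # Placeholder token values; a real server issues signed JWTs and optionally a refresh_token.
        return {"access_token": secrets.token_urlsafe(32), "id_token": "<id_token placeholder>", "token_type": "Bearer", "scope": req.scope}
```

Binding the auth_req_id to the authenticating client and deleting it after the first terminal response are the two checks that stop another client from redeeming a pending request or replaying a completed one.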

Labels: epiclarge enhancement