
CIBA implementation #1066

Merged
merged 2 commits into from
Jan 8, 2025

Conversation

tusharpandey13
Contributor

@tusharpandey13 tusharpandey13 commented Jan 7, 2025

Add support for Client Initiated Backchannel Login
Docs

The backchannel login endpoint enables applications to send an authentication request to a user’s phone (provided they have an app installed and have enrolled for Push Notification authentication using the Guardian SDK). It can be useful to authenticate users who are not physically present, such as users phoning a call center, or where the device being used does not have a screen, such as a shared bicycle or scooter.

Changes:

  • Added backchannel property in authenticationClient, source located at src/auth/backchannel.ts
  • Added unit tests for CIBA

Test results:

PASSING

Test Suites: 44 passed, 44 total
Tests:       1435 passed, 1435 total
Snapshots:   0 total
Time:        6.663 s, estimated 7 s
Ran all test suites.

Steps for manual testing:

  • Enable CIBA feature flag on your tenant (currently in EA)

  • Once CIBA is enabled, navigate to Applications>Applications in the Auth0 Dashboard. Create
    an application and then enable the Client Initiated Backchannel Authentication (CIBA) option
    in the Grant Types tab

  • Enable Push Notifications using Auth0 Guardian in Multi-factor Auth in Security.

  • Enrol a user for MFA

  • Send a CIBA request as below and poll for the backchannel grant in regular intervals

import { setTimeout } from 'node:timers/promises';

// Start the CIBA request; Auth0 sends a Guardian push notification to the user
const authorizationResponse = await authenticationClient.backchannel.authorize({
  userId: 'auth0|677d2de6e2095a483f033b14',
  binding_message: 'some message here',
  scope: 'openid'
});

console.log(JSON.stringify(authorizationResponse));

// Promise-based timer from node:timers/promises, so this await really pauses for 5 s
await setTimeout(5000);

// Poll the backchannel grant using the auth_req_id returned by authorize()
const grantResponse = await authenticationClient.backchannel.backchannelGrant({
  auth_req_id: authorizationResponse.auth_req_id
});
console.log(JSON.stringify(grantResponse));

Notes:

There are some restrictions on the types of clients that can use the CIBA grant type. You can
only use the CIBA grant type if:

  • The client is a first-party client i.e. the is_first_party property is true.
  • The client is confidential with an authentication mechanism, i.e. the
    token_endpoint_auth_method property must not be set to none.
  • The client is OIDC conformant i.e. the oidc_conformant must be true. This is the
    default for all new clients.

Alternatively, you can use the Management API to add the
urn:openid:params:grant-type:ciba grant type to the list of grant types on the client
object:

curl --location --request PATCH 'https://[YOURTENANT].auth0.com/api/v2/clients/[CLIENT ID]' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer [MANAGEMENT ACCESS TOKEN]' \
  --data '{
    "grant_types": [
      "authorization_code",
      "refresh_token",
      "urn:openid:params:grant-type:ciba"
    ]
  }'
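The "poll for the backchannel grant in regular intervals" step of the manual-testing instructions, written out as an added example that is not part of this PR or of node-auth0: a poll-mode loop following OpenID CIBA Core, honouring the `interval` and `expires_in` values from the authorize response and the `authorization_pending`, `slow_down`, `access_denied` and `expired_token` token-endpoint error codes. The `grant` argument is assumed to wrap `authenticationClient.backchannel.backchannelGrant` and resolve to `{ tokens }` or `{ error }`; the stub, the scripted responses and the `auth_req_id` value are constructed.

```javascript
const CIBA_SLOW_DOWN_BACKOFF_SECONDS = 5;

// Pure decision step: given one grant result and the current wait, decide what
// to do next. Separated from the timers so the policy can be tested directly.
function nextPollStep(result, waitSeconds) {
  if (result.tokens) return { action: 'done', status: 'granted', tokens: result.tokens };
  switch (result.error) {
    case 'authorization_pending': // user has not answered the push yet
      return { action: 'wait', waitSeconds };
    case 'slow_down':             // server asks for a longer polling interval
      return { action: 'wait', waitSeconds: waitSeconds + CIBA_SLOW_DOWN_BACKOFF_SECONDS };
    case 'access_denied':         // user declined in Guardian
    case 'expired_token':         // auth_req_id expired on the server
      return { action: 'done', status: result.error };
    default:
      throw new Error(`unexpected backchannel grant error: ${result.error}`);
  }
}

// Async driver around the decision step. `grant` wraps
// authenticationClient.backchannel.backchannelGrant and is assumed to resolve to
// `{ tokens }` or `{ error }` (how the SDK surfaces the error code is not shown
// in the PR). `sleep` and `now` are injectable so tests need no real timers.
async function pollBackchannelGrant(grant, authorizationResponse, opts = {}) {
  const sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
  const now = opts.now ?? Date.now;
  const { auth_req_id, expires_in, interval = 5 } = authorizationResponse;
  const deadline = now() + expires_in * 1000; // stop polling once the request expires
  let waitSeconds = interval;
  let attempts = 0;
  while (now() < deadline) {
    await sleep(waitSeconds * 1000);          // never poll faster than `interval`
    attempts += 1;
    const step = nextPollStep(await grant({ auth_req_id }), waitSeconds);
    if (step.action === 'done') return { status: step.status, tokens: step.tokens, attempts };
    waitSeconds = step.waitSeconds;
  }
  return { status: 'timed_out', attempts };
}

// Constructed stub standing in for backchannelGrant: replays a scripted list of
// responses, repeating the last one.
function makeStubGrant(responses) {
  let i = 0;
  return async () => responses[Math.min(i++, responses.length - 1)];
}
```

In production, pass the real grant call as `grant` and omit `sleep`/`now`; the defaults use real timers.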

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner January 7, 2025 20:46
@tusharpandey13 tusharpandey13 merged commit 0f2f042 into master Jan 8, 2025
4 checks passed
@tusharpandey13 tusharpandey13 deleted the feature/ciba branch January 8, 2025 07:48
@tusharpandey13 tusharpandey13 mentioned this pull request Jan 8, 2025