Client-Initiated Backchannel Authentication (CIBA)
Client-Initiated Backchannel Authentication (CIBA) is an authentication flow where the client application initiates the authentication process on behalf of the end-user. It is designed for scenarios where the end-user may not have a browser or cannot actively participate in the authentication process.
According to the specification found at https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html, Client-Initiated Backchannel Authentication (CIBA) is not applicable to Public Clients. Only Confidential Clients, such as Console Applications, Websites, or REST APIs, are eligible to use CIBA.
The CIBA specification defines two types of devices:
Consumption Device: This device initiates the CIBA flow by interacting with the OPENID Server.Authentication Device: This device receives notifications coming from the OPENID Server.
A classical use case is an E-Commerce REST API requesting an access token from the OPENID Server of the Bank. In this scenario, the Consumption Device is represented by the REST API, and the Authentication Device is the Bank Mobile Application. The Bank Mobile Application receives notifications from the OPENID Server. When the end-user accepts the consent, the Consumption Device can obtain an access token and interact with the Bank API to initiate the money transfer.
In this tutorial, we will explain how to create a Console Application (Consumption Device) that initiates a CIBA Authentication Request and obtains an Access Token by polling the Token endpoint.
The client will have the following configuration:
| Configuration | Value |
|---|---|
| Client Authentication Method | tls_client_auth |
The source code of this project can be found here.
To implement the CIBA in a console application, you'll need to follow the following steps.
1. Configure a client certificate
Utilize the administration UI to create a client certificate.
- Open the IdentityServer website at https://localhost:5002.
- In the Certificate Authorities screen, choose a Certificate Authority from the available options. Remember that the selected Certificate Authority should be trusted by your machine. You can download the certificate and import it into the appropriate Certificate Store.
- Click on the
Client Certificatestab and then proceed to click on theAdd Client Certificatebutton. - Set the value of the Subject Name to
CN=clientand click on theAddbutton. - Click on the
Downloadbutton located next to the certificate.
2. Configure an application
Utilize the administration UI to configure a new OpenID client :
- Open the IdentityServer website at https://localhost:5002.
- In the Clients screen, click on
Add clientbutton. - Choose
FAPI2.0. - Select
Deviceand click on next. - Fill-in the form like this and click on the
Savebutton to confirm the creation.
| Parameter | Value |
|---|---|
| Identifier | cibaConformance |
| Name | cibaConformance |
| Subject Name | CN=client |
3. Create a consumption device
Finally, create and configure a consumption device.
- Open a command prompt and execute the following commands to create the directory structure for the solution.
mkdir DeviceUseCIBA
cd DeviceUseCIBA
mkdir src
dotnet new sln -n DeviceUseCIBA
- Create a web project named
ConsoleAppand install theIdentityModelNuGet package.
cd src
dotnet new console -n ConsoleApp
cd ConsoleApp
dotnet add package IdentityModel
- Add the
ConsoleAppproject into your Visual Studio solution.
cd ..
dotnet sln add ./src/ConsoleApp/ConsoleApp.csproj
- Edit the
Program.csfile and copy the following code.
using IdentityModel.Client;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
var certificate = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "CN=client.pfx"));
var req = new BackchannelAuthenticationRequest()
{
Address = "https://localhost:5001/master/mtls/bc-authorize",
ClientId = "cibaConformance",
Scope = "openid profile",
LoginHint = "user",
BindingMessage = "Message",
RequestedExpiry = 200
};
var handler = new HttpClientHandler();
handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
handler.CheckCertificateRevocationList = false;
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates.Add(certificate);
var client = new HttpClient(handler);
var response = await client.RequestBackchannelAuthenticationAsync(req);
bool cont = true;
while(cont)
{
var tokenResponse = await client.RequestBackchannelAuthenticationTokenAsync(new BackchannelAuthenticationTokenRequest
{
Address = "https://localhost:5001/master/mtls/token",
ClientId = "cibaConformance",
AuthenticationRequestId = response.AuthenticationRequestId
});
if(tokenResponse.IsError)
Console.WriteLine(tokenResponse.Error);
else
{
Console.WriteLine(tokenResponse.AccessToken);
cont = false;
}
}
- Replace the
CN=client.pfxcertificate with the one you have previously downloaded.
When you run the application, a green message will be displayed in the Identity Server instance.
Copy the URL from the browser and authenticate using the following credentials:
| Credential | Value |
|---|---|
| Login | user |
| Password | password |
Once the consent is granted, the access token will be displayed by the console application.