CIBA
An overview of OpenID Connect Client Initiated Backchannel Authentication
September 10, 2019
Anoop Saxena
OpenID Foundation, Co-Chair FAPI Working Group
Bjorn Hjelm
OpenID Foundation, Co-Chair MODRNA Working Group
What is CIBA?
The OpenID Connect Client Initiated Backchannel Authentication (CIBA) flow is an
authentication flow initiated via server-to-server communication between a Relying
Party (RP) and an OpenID Provider (OP), without redirects through the user’s browser,
that allows an RP that has an identifier for a user to obtain tokens from the OP.
The specification uses the concept of a Consumption Device (on which the user
interacts with the RP) and an Authentication Device (on which the user authenticates
with the OP and grants consent). The user starts the flow with the RP on the
Consumption Device while authenticating and granting consent on the Authentication
Device.
[Diagram: Client Application sends a backchannel authentication request to the
Backchannel Authentication Endpoint of the Authorization Server; the Backchannel
Authentication Endpoint is a new endpoint defined by CIBA]
Every CIBA flow starts from a backchannel authentication request: the client sends
a backchannel authentication request to the backchannel authentication endpoint of
the authorization server.
Source: Authlete
[Diagram: Client Application, Backchannel Authentication Endpoint, Authorization
Server and Authentication Device, with the three numbered steps below]
1. The Backchannel Authentication Endpoint returns a response immediately.
2. The Authorization Server delegates the tasks of end-user authentication and
consent confirmation to the Authentication Device.
3. The Authentication Device passes the result to the Authorization Server.
Source: Authlete
Poll, Ping and Push
Three token delivery modes. The Client receives an ID Token, an Access Token and
optionally a Refresh Token through either the Poll, Ping or Push mode (established
by the Client at registration time).
• Poll
– RP polls the token endpoint.
• Ping
– OP sends a notification to the RP. RP gets the tokens from the token endpoint.
• Push
– OP pushes the tokens to the RP.
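The flow on the preceding slides, simulated end to end as an added example (this is illustration code written for this page, not code from the slides, from Authlete or from any OpenID Foundation project). Parameter and error names (auth_req_id, expires_in, interval, login_hint, client_notification_token, authorization_pending, slow_down, expired_token, access_denied and the CIBA grant_type URN) follow the CIBA Core draft; the OP and RP are in-memory objects, and the client id, the phone-number login hint, the token values and the 120-second expiry and 5-second polling interval are constructed sample data. The clock is injected so the expiry and polling-interval checks can be exercised without waiting.

```python
"""Toy simulation of the CIBA flow with the Poll, Ping and Push delivery modes.

Added illustration, not code from the slides, Authlete or the OpenID Foundation.
Parameter and error names follow the CIBA Core draft; everything else
(client id, login hint, token values, 120 s expiry, 5 s interval) is constructed.
"""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant_type used at the token endpoint


class AuthorizationServer:
    """Minimal OP: backchannel authentication endpoint, token endpoint and the
    hand-off to the Authentication Device. `now` is injected (seconds) so the
    expiry and polling-interval rules can be tested without sleeping."""

    def __init__(self, now):
        self.now = now
        self.requests = {}   # auth_req_id -> pending request state
        self.outbox = []     # simulated deliveries to the RP's notification endpoint

    def backchannel_authentication(self, client_id, mode, login_hint,
                                   client_notification_token=None):
        # Step 1: the RP identifies the user by a hint; there is no browser redirect.
        if mode in ("ping", "push") and client_notification_token is None:
            return {"error": "invalid_request"}   # OP needs a token to present on the callback
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {
            "client_id": client_id, "mode": mode, "login_hint": login_hint,
            "notify_token": client_notification_token, "status": "pending",
            "issued_at": self.now(), "last_poll": None,
        }
        # The endpoint answers immediately; authentication is still outstanding.
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def authentication_device_result(self, auth_req_id, approved):
        # Steps 2 and 3: the OP delegated authentication and consent to the
        # Authentication Device, which now reports the user's decision.
        req = self.requests[auth_req_id]
        req["status"] = "approved" if approved else "denied"
        if req["mode"] == "ping":
            # Ping: tell the RP a result is ready; tokens stay at the token endpoint.
            self.outbox.append({"mode": "ping", "bearer": req["notify_token"],
                                "auth_req_id": auth_req_id})
        elif req["mode"] == "push":
            # Push: deliver the token response (or the error) to the RP directly.
            self.outbox.append({"mode": "push", "bearer": req["notify_token"],
                                "auth_req_id": auth_req_id, "body": self._result(req)})

    def token(self, client_id, grant_type, auth_req_id):
        # Token endpoint, used in Poll and Ping modes.
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}     # unknown id, or not issued to this client
        t = self.now()
        if t - req["issued_at"] > 120:
            return {"error": "expired_token"}
        if req["status"] == "pending":
            last, req["last_poll"] = req["last_poll"], t
            if last is not None and t - last < 5:
                return {"error": "slow_down"}     # polled faster than the advertised interval
            return {"error": "authorization_pending"}
        return self._result(req)

    @staticmethod
    def _result(req):
        if req["status"] != "approved":
            return {"error": "access_denied"}
        # Constructed sample tokens; a real OP issues a signed ID Token here.
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 300, "refresh_token": secrets.token_urlsafe(24),
                "id_token": "<signed-id-token-for-" + req["login_hint"] + ">"}


def relying_party_flow(op, mode, approve):
    """Drive one CIBA flow as the RP and return the token response or error."""
    client_id, notify_token = "rp-123", secrets.token_urlsafe(16)   # constructed
    resp = op.backchannel_authentication(client_id, mode, "+1-555-0100",
                                         notify_token if mode != "poll" else None)
    if "error" in resp:
        return resp
    auth_req_id = resp["auth_req_id"]
    # Meanwhile the user authenticates and consents on the Authentication Device.
    op.authentication_device_result(auth_req_id, approve)
    if mode == "poll":
        return op.token(client_id, CIBA_GRANT, auth_req_id)
    note = op.outbox.pop()
    if note["bearer"] != notify_token:       # RP authenticates the OP's callback
        return {"error": "unauthenticated_notification"}
    if mode == "ping":
        return op.token(client_id, CIBA_GRANT, note["auth_req_id"])
    return note["body"]                      # push: tokens arrived with the notification


if __name__ == "__main__":
    import time
    op = AuthorizationServer(now=time.monotonic)
    for mode in ("poll", "ping", "push"):
        print(mode, relying_party_flow(op, mode, approve=True))
        print(mode, relying_party_flow(op, mode, approve=False))
```

The RP side checks the bearer token it registered on every Ping or Push callback before trusting it, and the OP rejects a token request that names another client's auth_req_id; both checks are the minimum a deployment needs so that a notification or a polled result cannot be attributed to the wrong party.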
FAPI Profile of CIBA
• Financial-grade API: Client Initiated Backchannel Authentication
Profile specification profiles the CIBA Core specification and
provides security recommendations for its use with APIs that
require financial-grade security.
– Recommendations for CIBA implementation with Financial-grade
API Part 1: Read-Only API Security Profile and Part 2: Read and Write
API Security Profile.
– Accessing protected resources (when the client does not control the
consumption device).
– Security considerations (such as binding between Authentication and
Consumption Devices, JWS/JWE algorithm considerations and CIBA
token delivery modes).
Specification Status
Specification: OpenID Connect Client Initiated Backchannel Authentication Flow – Core
Status: Implementer’s Draft
Reference: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
Specification: Financial-grade API: Client Initiated Backchannel Authentication Profile
Status: Implementer’s Draft
Reference: https://openid.net/specs/openid-financial-api-ciba.html
More information available at https://openid.net/developers/specs/
Thank you
http://openid.net/