Skip to main content
POST
/
api
/
{serviceId}
/
backchannel
/
authentication
Typescript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.ciba.processAuthentication({
    serviceId: "<id>",
    backchannelAuthenticationRequest: {
      parameters: "login_hint=john&scope=openid&client_notification_token=my-client-notification-token&user_code=my-user-code",
      clientId: "26862190133482",
      clientSecret: "8J9pAEX6IQw7lYtYGsc_s9N4jlEz_DfkoCHIswJjFjfgKZX-nC4EvKtaHXcP9mHBfS7IU4jytjSZZpaK9UJ77A",
    },
  });

  console.log(result);
}

run();
{
  "resultCode": "A179001",
  "resultMessage": "[A179001] The backchannel authentication request was processed successfully.",
  "action": "USER_IDENTIFICATION",
  "clientId": 26862190133482,
  "clientIdAliasUsed": false,
  "clientName": "My CIBA Client",
  "clientNotificationToken": "my-client-notification-token",
  "deliveryMode": "POLL",
  "hint": "john",
  "hintType": "LOGIN_HINT",
  "requestedExpiry": 0,
  "scopes": [
    {
      "defaultEntry": false,
      "name": "openid"
    }
  ],
  "serviceAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "ticket": "Y1qeCf0A-JUz6caceaBfd2AaBYNZ-X-WGTP5Qv47cQI",
  "userCode": "my-user-code",
  "userCodeRequired": false
}
This API is supposed to be called from within the implementation of the backchannel authentication endpoint of the service. The endpoint implementation must extract the request parameters from the backchannel authentication request from the client application and pass them as the value of parameters request parameter for Authlete’s /backchannel/authentication API. The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application. The following code snippet is an example in JAX-RS showing how to extract request parameters from the backchannel authentication request.
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response post(String parameters)
&#123;
// 'parameters' is the entity body of the backchannel authentication request.
......
&#125;
The endpoint implementation does not have to parse the request parameters from the client application because Authlete’s /backchannel/authentication API does it. The response from /backchannel/authentication API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of “500 Internal Server Error” and application/json. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the service implementation should generate and return to the client application.
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application is invalid. The authorization server implementation should generate a response to the client application with “400 Bad Request” and application/json. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the service implementation should generate and return to the client application.
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that client authentication of the backchannel authentication request failed. Note that client authentication is always required at the backchannel authentication endpoint. This implies that public clients are not allowed to use the backchannel authentication endpoint. The authorization server implementation should generate a response to the client application with “401 Unauthorized” and application/json. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the service implementation must generate and return to the client application.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: (challenge)
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

USER_IDENTIFICATION

When the value of action is USER_IDENTIFICATION, it means that the backchannel authentication request from the client application is valid. The authorization server implementation has to follow the steps below.[1] END-USER IDENTIFICATIONThe first step is to determine the subject (= unique identifier) of the end-user from whom the client application wants to get authorization. According to the CIBA specification, a backchannel authentication request contains one (and only one) of the login_hint_token, id_token_hint and login_hint request parameters as a hint by which the authorization server identifies the subject of an end-user. The authorization server implementation can know which hint is included in the backchannel authentication request by the hintType parameter. For example, when the value of the parameter LOGIN_HINT, it means that the backchannel authentication request contains the login_hint request parameter as a hint. The value of the hint parameter is the value of the hint. For example, when the value of the hintType parameter is LOGIN_HINT, The value of the hint parameter is the value of the login_hint request parameter. It is up to the authorization server implementation how to determine the subject of the end-user from the hint. Only when the id_token_hint request parameter is used, authorization server implementation can use the sub response parameter, which holds the value of the sub claim in the id_token_hint request parameter.[2] END-USER IDENTIFICATION ERRORThere are some cases where the authorization server implementation encounters an error during the user identification process. In any error case, the service implementation has to return an HTTP response with the error response parameter to the client application. The following is an example of such error responses.
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123; "error":"unknown_user_id" &#125;
Authlete provides /backchannel/authentication/fail API that builds the response body (JSON) of an error response. However, because it is easy to build an error response manually, you may choose not to call the API. One good thing in using the API is that the API call can trigger deletion of the ticket which has been issued from Authlete’s /backchannel/authentication API. If you don’t call /backchannel/authentication/fail API, the ticket will continue to exist in the database until it is cleaned up by the batch program after the ticket expires. Possible error cases that the authorization server implementation itself has to handle are as follows. Other error cases have already been covered by /backchannel/authentication API.
  • expired_login_hint_token The authorization server implementation detected that the hint presented by the login_hint_token request parameter has expired. Note that the format of login_hint_token is not described in the CIBA Core spec at all and so there is no consensus on how to detect expiration of login_hint_token. Interpretation of login_hint_token is left to each authorization server implementation.
  • unknown_user_id The authorization server implementation could not determine the subject of the end-user by the presented hint.
  • unauthorized_client The authorization server implementation has custom rules to reject backchannel authentication requests from some particular clients and found that the client which has made the backchannel authentication request is one of the particular clients. Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION in cases where the client does not exist or client authentication has failed. Therefore, the authorization server implementation will never have to use the error code unauthorized_client unless the server has intentionally implemented custom rules to reject backchannel authentication requests based on clients.
  • missing_user_code The authorization server implementation has custom rules to require that a backchannel authentication request include a user code for some particular users and found that the user identified by the hint is one of the particular users. Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION when both the backchannel_user_code_parameter_supported metadata of the server and the backchannel_user_code_parameter metadata of the client are true and the backchannel authentication request does not include the user_code request parameter. In this case, /backchannel/authentication API returns action=BAD_REQUEST with JSON containing "error":"missing_user_code". Therefore, the authorization server implementation will never have to use the error code missing_user_code unless the server has intentionally implemented custom rules to require a user code based on users even in the case where the backchannel_user_code_parameter metadata of the client which has made the backchannel authentication request is false.
  • invalid_user_code The authorization server implementation detected that the presented user code is invalid. Note that the format of user_code is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a user code is valid or not. It is up to each authorization server implementation how to handle user codes.
  • invalid_binding_message The authorization server implementation detected that the presented binding message is invalid. Note that the format of binding_message is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a binding message is valid or not. It is up to each authorization server implementation how to handle binding messages.
  • invalid_target The authorization server implementation rejects the requested target resources. The error code invalid_target is from “Resource Indicators for OAuth 2.0”. The specification defines the resource request parameter. By using the parameter, client applications can request target resources that should be bound to the access token being issued. If the authorization server wants to reject the request, call /backchannel/authentication/fail API with INVALID_TARGET.
  • access_denined The authorization server implementation has custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request in some particular cases and found that the backchannel authentication request is one of the particular cases. The authorization server implementation will never have to use the error code access_denied at this timing unless the server has intentionally implemented custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request.
[3] AUTH_REQ_ID ISSUEIf the authorization server implementation has successfully determined the subject of the end-user, the next action is to return an HTTP response to the client application which contains auth_req_id. Authlete provides /backchannel/authentication/issue API which generates a JSON containing auth_req_id, so, your next action is (1) call the API, (2) receive the response from the API, (3) build a response to the client application using the content of the API response, and (4) return the response to the client application. See the description of /backchannel/authentication/issue API for details.[4] END-USER AUTHENTICATION AND AUTHORIZATIONAfter sending a JSON containing auth_req_id back to the client application, the service implementation starts to communicate with an authentication device of the end-user. It is assumed that end-user authentication is performed on the authentication device and the end-user confirms the content of the backchannel authentication request and grants authorization to the client application if everything is okay. The authorization server implementation must be able to receive the result of the end-user authentication and authorization from the authentication device. How to communicate with an authentication device and achieve end-user authentication and authorization is up to each authorization server implementation, but the following request parameters of the backchannel authentication request should be taken into consideration in any implementation.
  • acr_values A backchannel authentication request may contain an array of ACRs (Authentication Context Class References) in preference order. If multiple authentication devices are registered for the end-user, the authorization server implementation should take the ACRs into consideration when selecting the best authentication device.
  • scope A backchannel authentication request always contains a list of scopes. At least, openid is included in the list (otherwise /backchannel/authentication API returns action=BAD_REQUEST). It would be better to show the requested scopes to the end-user on the authentication device or somewhere appropriate. If the scope request parameter contains address, email, phone and/or profile, they are interpreted as defined in “5.4. Requesting Claims using Scope Values of OpenID Connect Core 1.0”. That is, they are expanded into a list of claim names. The claimNames parameter returns the expanded result.
  • binding_message A backchannel authentication request may contain a binding message. It is a human readable identifier or message intended to be displayed on both the consumption device (client application) and the authentication device.
  • user_code A backchannel authentication request may contain a user code. It is a secret code, such as password or pin, known only to the end-user but verifiable by the authorization server. The user code should be used to authorize sending a request to the authentication device.
[5] END-USER AUTHENTICATION AND AUTHORIZATION COMPLETIONAfter receiving the result of end-user authentication and authorization, the authorization server implementation must call Authlete’s /backchannel/authentication/complete API to tell Authlete the result and pass necessary data so that Authlete can generate an ID token, an access token and optionally a refresh token. See the description of the API for details.[6] CLIENT NOTIFICATIONWhen the backchannel token delivery mode is either ping or push, the authorization server implementation must send a notification to the pre-registered notification endpoint of the client after the end-user authentication and authorization. In this case, the action parameter in a response from /backchannel/authentication/complete API is NOTIFICATION. See the description of /backchannel/authentication/complete API for details.[7] TOKEN REQUESTWhen the backchannel token delivery mode is either ping or poll, the client application will make a token request to the token endpoint to get an ID token, an access token and optionally a refresh token. A token request that corresponds to a backchannel authentication request uses urn:openid:params:grant-type:ciba as the value of the grant_type request parameter. Authlete’s /auth/token API recognizes the grant type automatically and behaves properly, so the existing token endpoint implementation does not have to be changed to support CIBA.

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

Body

parameters
string
required

Parameters of a backchannel authentication request which are the request parameters that the backchannel authentication endpoint of the OpenID provider implementation received from the client application.

The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

clientId
string

The client ID extracted from Authorization header of the backchannel authentication request from the client application.

If the backchannel authentication endpoint of the OpenID provider implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client ID in Authorization header, the value should be extracted and set to this parameter.

clientSecret
string

The client secret extracted from Authorization header of the backchannel authentication request from the client application.

If the backchannel authentication endpoint of the OpenID provider implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client secret in Authorization header, the value should be extracted and set to this parameter.

clientCertificate
string

The client certification used in the TLS connection between the client application and the backchannel authentication endpoint of the OpenID provider.

clientCertificatePath
string[]

The client certificate path presented by the client during client authentication. Each element is a string in PEM format.

oauthClientAttestation
string

The value of the OAuth-Client-Attestation HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

oauthClientAttestationPop
string

The value of the OAuth-Client-Attestation-PoP HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

cimdOptions
object

Options for OAuth Client ID Metadata Document (CIMD).

These options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.

Response

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take.

Available options:
INTERNAL_SERVER_ERROR,
BAD_REQUEST,
UNAUTHORIZED,
USER_IDENTIFICATION
responseContent
string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter.

clientId
integer<int64>

The client ID of the client application that has made the backchannel authentication request.

clientIdAlias
string

The client ID alias of the client application that has made the backchannel authentication request.

clientIdAliasUsed
boolean

true if the value of the client_id request parameter included in the backchannel authentication request is the client ID alias. false if the value is the original numeric client ID.

clientName
string

The name of the client application which has made the backchannel authentication request.

scopes
object[]

The scopes requested by the backchannel authentication request.

claimNames
string[]

The names of the claims which were requested indirectly via some special scopes. See 5.4. Requesting Claims using Scope Values in OpenID Connect Core 1.0 for details.

clientNotificationToken
string

The client notification token included in the backchannel authentication request.

acrs
string[]

The list of ACR values requested by the backchannel authentication request.

Basically, this property holds the value of the acr_values request parameter in the backchannel authentication request. However, because unsupported ACR values are dropped on Authlete side, if the acr_values request parameter contains unrecognized ACR values, the list returned by this property becomes different from the value of the acr_values request parameter.

hintType
string

The type of the hint for end-user identification which was included in the backchannel authentication request.

hint
string

The value of the hint for end-user identification.

sub
string

The value of the sub claim contained in the ID token hint included in the backchannel authentication request.

bindingMessage
string

The binding message included in the backchannel authentication request.

userCode
string

The binding message included in the backchannel authentication request.

userCodeRequired
boolean

The flag which indicates whether a user code is required.

true when both the backchannel_user_code_parameter metadata of the client (= Client's bcUserCodeRequired property) and the backchannel_user_code_parameter_supported metadata of the service (= Service's backchannelUserCodeParameterSupported property) are true.

requestedExpiry
integer<int32>

The requested expiry for the authentication request ID (auth_req_id).

requestContext
string

The request context of the backchannel authentication request.

It is the value of the request_context claim in the signed authentication request and its format is JSON. request_context is a new claim added by the FAPI-CIBA profile.

warnings
string[]

The warnings raised during processing the backchannel authentication request.

ticket
string

The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

resources
string[]

The resources specified by the resource request parameters or by the resource property in the request object. If both are given, the values in the request object should be set. See "Resource Indicators for OAuth 2.0" for details.

authorizationDetails
object

The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request which is defined in "OAuth 2.0 Rich Authorization Requests".

serviceAttributes
object[]

The attributes of this service that the client application belongs to.

clientAttributes
object[]

The attributes of the client.

dynamicScopes
object[]

The dynamic scopes which the client application requested by the scope request parameter.

deliveryMode
enum<string>
Available options:
PING,
POLL,
PUSH
clientAuthMethod
string

The client authentication method that was performed.

gmAction
enum<string>

The grant management action of the device authorization request.

The grant_management_action request parameter is defined in Grant Management for OAuth 2.0.

Available options:
CREATE,
QUERY,
REPLACE,
REVOKE,
MERGE
grantId
string

the value of the grant_id request parameter of the device authorization request.

The grant_id request parameter is defined in Grant Management for OAuth 2.0 , which is supported by Authlete 2.3 and newer versions.

grant
object
grantSubject
string

The subject identifying the user who has given the grant identified by the grant_id request parameter of the device authorization request. Authlete 2.3 and newer versions support Grant Management for OAuth 2.0. An authorization request may contain a grant_id request parameter which is defined in the specification. If the value of the request parameter is valid, {@link #getGrantSubject()} will return the subject of the user who has given the grant to the client application. Authorization server implementations may use the value returned from {@link #getGrantSubject()} in order to determine the user to authenticate. The user your system will authenticate during the authorization process (or has already authenticated) may be different from the user of the grant. The first implementer's draft of "Grant Management for OAuth 2.0" does not mention anything about the case, so the behavior in the case is left to implementations. Authlete will not perform the grant management action when the subject passed to Authlete does not match the user of the grant.

clientEntityId
string

The entity ID of the client.

clientEntityIdUsed
boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

metadataDocumentLocation
string<uri>

The location of the client's metadata document that was used to resolve client metadata.

This property is set when client metadata was retrieved via the OAuth Client ID Metadata Document (CIMD) mechanism.

metadataDocumentUsed
boolean

Flag indicating whether a metadata document was used to resolve client metadata for this request.

When true, the client metadata was retrieved via the CIMD mechanism rather than from the Authlete database.