
Implement CIBA Grant #2

Open
jokk-itu opened this issue Nov 30, 2024 · 0 comments
Labels: epic, large, enhancement

@jokk-itu (Owner):
Problem

The CIBA specification has not been implemented.

Solution

Introduce a new grant_type of value "urn:openid:params:grant-type:ciba".

Discovery
Extend "grant_types_supported" with the new grant_type.
Add "backchannel_token_delivery_modes_supported" with the values "poll, ping, push".
Add "backchannel_authentication_endpoint" with the value ISSUER/connect/ciba.
Add "backchannel_authentication_request_signing_alg_values_supported" as an array of JWS values.
Add "backchannel_user_code_parameter_supported" as a boolean with value "true".

Client metadata
Add "backchannel_token_delivery_mode" with one of the following values "poll", "ping" or "push".
Add "backchannel_client_notification_endpoint" as a URI that must be HTTPS.
Add "backchannel_authentication_request_signing_alg" as a JWS value.
Add "backchannel_user_code_parameter" as a boolean.

Backchannel Authentication Endpoint
Implement the endpoint as HTTP POST.
The request content type is "application/x-www-form-urlencoded".

The following parameters can be expected:
scope, client_notification_token, acr_values, login_hint_token, id_token_hint, login_hint, binding_message, user_code and requested_expiry.

Client authentication is also expected.
The request can also be signed using the JAR specification.

The content type of the response is "application/json".
The successful status code is 200.
Successful response has the following parameters in the body: auth_req_id, expires_in and interval.

The error status code is 400 for invalid parameters.
The error status code is 401 for invalid client authentication.

Token Endpoint
Extend the endpoint with the ciba grant_type.
The request parameters are "grant_type" and "auth_req_id".
The successful response returns access_token, id_token, token_type, scope and optionally a refresh_token if the client is authorized for that grant_type.

The error response can include the following error codes: "authorization_pending", "slow_down", "expired_token", "access_denied", "invalid_grant" and "unauthorized_client".
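As an added example (not AuthServer's own code), the following Python checks the client metadata fields from the "Client metadata" section against what the discovery document advertises. The discovery values are constructed for the example; the rules that "ping" and "push" require a client notification endpoint, that the endpoint must be HTTPS, and that the signing alg must not be "none" come from the CIBA Core specification. The function name `validate_backchannel_metadata` is an assumption of this example.

```python
# Added example (not AuthServer code): validates the backchannel_* client
# metadata fields against a constructed discovery document excerpt.
from urllib.parse import urlparse

# Constructed discovery document excerpt with the fields listed in the issue.
DISCOVERY = {
    "backchannel_token_delivery_modes_supported": ["poll", "ping", "push"],
    "backchannel_authentication_request_signing_alg_values_supported": ["RS256", "ES256"],
    "backchannel_user_code_parameter_supported": True,
}


def validate_backchannel_metadata(metadata: dict, discovery: dict = DISCOVERY) -> list:
    """Return registration errors for the backchannel_* fields; [] means accepted."""
    errors = []
    mode = metadata.get("backchannel_token_delivery_mode")
    endpoint = metadata.get("backchannel_client_notification_endpoint")
    alg = metadata.get("backchannel_authentication_request_signing_alg")

    # Delivery mode: required for a CIBA client, and must be one the server advertises.
    if mode is None:
        errors.append("backchannel_token_delivery_mode is required")
    elif mode not in discovery["backchannel_token_delivery_modes_supported"]:
        errors.append("backchannel_token_delivery_mode %r is not supported" % mode)

    # Notification endpoint: ping and push call back into the client, so the
    # endpoint is required for them and must be an absolute https URI.
    if mode in ("ping", "push"):
        if not endpoint:
            errors.append("backchannel_client_notification_endpoint is required for %s" % mode)
        else:
            parsed = urlparse(endpoint)
            if parsed.scheme != "https" or not parsed.netloc:
                errors.append("backchannel_client_notification_endpoint must be an https URI")

    # Request signing alg: optional, but "none" is forbidden and the value must be
    # one the server supports, or signed (JAR) requests could never be verified.
    if alg is not None:
        supported = discovery["backchannel_authentication_request_signing_alg_values_supported"]
        if alg == "none":
            errors.append('backchannel_authentication_request_signing_alg must not be "none"')
        elif alg not in supported:
            errors.append("backchannel_authentication_request_signing_alg %r is not supported" % alg)

    # User code parameter: a real boolean, and only true if the server supports it.
    user_code = metadata.get("backchannel_user_code_parameter", False)
    if not isinstance(user_code, bool):
        errors.append("backchannel_user_code_parameter must be a boolean")
    elif user_code and not discovery["backchannel_user_code_parameter_supported"]:
        errors.append("backchannel_user_code_parameter is not supported by this server")

    return errors
```

Rejecting the registration (rather than silently defaulting) matters for ping and push: a client registered without a valid HTTPS notification endpoint would otherwise end up with callbacks that can never be delivered, or delivered over plaintext.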

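The two endpoints described in the "Backchannel Authentication Endpoint" and "Token Endpoint" sections, modelled in Python as an added example (not AuthServer's code) for the poll delivery mode. The parameter names, status codes and error codes are those listed in the issue; "invalid_request", "invalid_scope" and "unsupported_grant_type" are standard OAuth 2.0 error codes. The client registry, the lifetimes, the "pending/approved/denied" states and the function names (`backchannel_authenticate`, `user_decides`, `token`) are constructed; client authentication, JAR and the actual end-user authentication are assumed to happen elsewhere, so the caller passes an already authenticated `client_id` and `user_decides()` stands in for the authentication device.

```python
# Added example (not AuthServer code): in-memory model of the CIBA backchannel
# authentication endpoint and of the ciba grant at the token endpoint (poll mode).
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
MAX_EXPIRY = 120   # constructed: longest lifetime of an auth request, in seconds
POLL_INTERVAL = 5  # constructed: minimum seconds between token endpoint polls

# Constructed client registry: allowed grant types and refresh token entitlement.
CLIENTS = {
    "poll-app": {"grant_types": [CIBA_GRANT], "refresh_token": True},
    "code-app": {"grant_types": ["authorization_code"], "refresh_token": False},
}

AUTH_REQUESTS = {}  # auth_req_id -> state of an outstanding authentication request


def backchannel_authenticate(client_id, form, now=None):
    """POST ISSUER/connect/ciba with form parameters. Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        return 401, {"error": "invalid_client"}
    if CIBA_GRANT not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}

    scope = form.get("scope", "").split()
    if "openid" not in scope:
        return 400, {"error": "invalid_scope", "error_description": "openid scope is required"}

    # Exactly one of the three hints identifies the user who must authenticate.
    hints = [h for h in ("login_hint_token", "id_token_hint", "login_hint") if form.get(h)]
    if len(hints) != 1:
        return 400, {"error": "invalid_request", "error_description": "exactly one hint is required"}

    # requested_expiry is a positive integer; the server caps it at its own maximum.
    expires_in = MAX_EXPIRY
    if "requested_expiry" in form:
        if not form["requested_expiry"].isdigit() or int(form["requested_expiry"]) == 0:
            return 400, {"error": "invalid_request", "error_description": "bad requested_expiry"}
        expires_in = min(int(form["requested_expiry"]), MAX_EXPIRY)

    auth_req_id = secrets.token_urlsafe(32)  # unguessable, single-use handle
    AUTH_REQUESTS[auth_req_id] = {
        "client_id": client_id, "scope": " ".join(scope), "expires_at": now + expires_in,
        "status": "pending", "last_poll": None, "interval": POLL_INTERVAL,
    }
    return 200, {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": POLL_INTERVAL}


def user_decides(auth_req_id, approved):
    """Stand-in for the authentication device reporting the end-user's decision."""
    AUTH_REQUESTS[auth_req_id]["status"] = "approved" if approved else "denied"


def token(client_id, form, now=None):
    """POST to the token endpoint with grant_type=ciba. Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != CIBA_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    if CIBA_GRANT not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}

    auth_req_id = form.get("auth_req_id")
    req = AUTH_REQUESTS.get(auth_req_id)
    # The handle must exist and belong to the polling client (no cross-client redemption).
    if req is None or req["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    if now > req["expires_at"]:
        del AUTH_REQUESTS[auth_req_id]
        return 400, {"error": "expired_token"}

    # Polling faster than the interval is answered with slow_down; this model also
    # widens the interval by 5 s, the step the client is required to apply.
    if req["last_poll"] is not None and now - req["last_poll"] < req["interval"]:
        req["last_poll"] = now
        req["interval"] += 5
        return 400, {"error": "slow_down"}
    req["last_poll"] = now

    if req["status"] == "pending":
        return 400, {"error": "authorization_pending"}
    del AUTH_REQUESTS[auth_req_id]  # approved or denied: the handle is consumed either way
    if req["status"] == "denied":
        return 400, {"error": "access_denied"}

    body = {
        "access_token": secrets.token_urlsafe(32),
        "id_token": "<signed ID token for the authenticated user>",  # placeholder
        "token_type": "Bearer",
        "scope": req["scope"],
    }
    if client["refresh_token"]:
        body["refresh_token"] = secrets.token_urlsafe(32)
    return 200, body
```

The two checks worth keeping in any real implementation are the ownership test before anything else is revealed about an auth_req_id (a foreign or unknown handle yields only "invalid_grant") and the deletion of the request on the first terminal answer, so a successful auth_req_id cannot be redeemed twice.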
@jokk-itu jokk-itu self-assigned this Nov 30, 2024
@jokk-itu jokk-itu added the epic large enhancement label Dec 2, 2024
@jokk-itu jokk-itu moved this to Analysis in AuthServer Backlog Feb 9, 2025
@jokk-itu jokk-itu moved this from Analysis to Building in AuthServer Backlog Feb 9, 2025
@jokk-itu jokk-itu moved this from Building to Analysis in AuthServer Backlog Feb 9, 2025
Development: No branches or pull requests

1 participant