Adding one-time authorization rules
Add a one-time authorization rule to let a user authorize access from a mobile app or single-page application using Client-Initiated Backchannel Authentication (CIBA). With CIBA the token provider prompts the user out of band, on a device it already trusts, instead of through a browser redirect, and the rule waits for the token provider to report whether the user approved, denied, or let the request expire.
Before you begin
You must have a configured token provider and an OAuth client with the CIBA grant type enabled.
Steps
- Click Access and then go to Rules → Rules.
- Click Add Rule.
- In the Name field, enter a unique name, up to 64 characters long. Special characters and spaces are allowed.
- From the Type list, select One-Time Authorization.
- In the Client ID field, enter the Client ID of the OAuth client.
- Select a Client Credentials Type, then provide the information required for the selected credential type. Choose from:
  - Secret – In the Client Secret field, enter the secret the OAuth client uses to authenticate to the authorization server.
  - Mutual TLS – From the Mutual TLS list, select a configured Key Pair to use for Mutual TLS client authentication.
  - Private Key JWT – Select this option to authenticate with a Private Key JSON Web Token (JWT). No additional information is required here, but the token provider must be configured to verify the client's signed assertion.
- From the Login Hint Request Attribute list, select an attribute. When a user requests access, the value of this attribute is sent to the token provider as the login hint, which identifies the user who must approve the request.
- Optional: In the Scopes field, enter or select a scope to request from the token provider. The openid scope is automatically requested.
- Optional: Click New Value to add additional fields.
- Optional: Click Show Advanced to configure advanced options:
  - Optional: In the Requested Expiry (S) field, enter the transaction lifetime in seconds. If not specified, the value defined in the CIBA request policy is used.
  - Optional: From the Timeout Rejection Handler list, select the handler to use for an expired request.
  - Optional: From the Deny Rejection Handler list, select the handler to use for a denied request.
- Click Save.
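The following is an added example, not code from the original page or from the product, showing the CIBA messages that the fields above map onto as defined in OpenID Connect Client-Initiated Backchannel Authentication Core 1.0 (poll mode): the backchannel authentication request carrying the login hint, scopes (always including openid) and requested_expiry; the three client credential types; and the token endpoint replies that end up at the Timeout and Deny rejection handlers. The endpoint URLs, client ID, secret, and token-provider responses are constructed for illustration.

```python
"""Added example, not from the original page or the product: the CIBA
messages that a one-time authorization rule's settings map onto, following
OpenID Connect Client-Initiated Backchannel Authentication Core 1.0 (poll mode).
Endpoint URLs, client identifiers, secrets and token-provider responses below
are constructed for illustration only."""
import base64
from urllib.parse import urlencode

# Constructed endpoints (assumed, not a real token provider).
BC_AUTHORIZE_URL = "https://idp.example.com/as/bc-auth.oauth2"
TOKEN_URL = "https://idp.example.com/as/token.oauth2"
CIBA_GRANT = "urn:openid:params:grant-type:ciba"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def client_auth(cred_type, client_id, client_secret=None, client_assertion=None):
    """Return (headers, form_params) for the three Client Credentials Types.
    secret -> HTTP Basic (client_secret_basic, RFC 6749 section 2.3.1)
    mtls   -> client_id in the form; the certificate is presented by the HTTPS
              client at the TLS layer (RFC 8705), not in the message body
    pkjwt  -> client_assertion_type plus a JWT signed with the client's private
              key (RFC 7523); the signed JWT is passed in, signing is out of scope"""
    if cred_type == "secret":
        raw = f"{client_id}:{client_secret}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}, {}
    if cred_type == "mtls":
        return {}, {"client_id": client_id}
    if cred_type == "pkjwt":
        return {}, {"client_id": client_id, "client_assertion_type": JWT_BEARER,
                    "client_assertion": client_assertion}
    raise ValueError(f"unknown credential type {cred_type!r}")


def bc_authorize_request(auth, login_hint, scopes=(), requested_expiry=None):
    """Backchannel authentication request. Like the rule, always request
    'openid'; send requested_expiry only when the field is set."""
    headers, params = auth
    scope = ["openid"] + [s for s in scopes if s != "openid"]
    params = dict(params, scope=" ".join(scope), login_hint=login_hint)
    if requested_expiry is not None:
        params["requested_expiry"] = str(int(requested_expiry))
    return {"url": BC_AUTHORIZE_URL, "headers": dict(headers, **FORM),
            "body": urlencode(params)}


def token_poll_request(auth, auth_req_id):
    """Token request that polls for the result of a backchannel authentication."""
    headers, params = auth
    params = dict(params, grant_type=CIBA_GRANT, auth_req_id=auth_req_id)
    return {"url": TOKEN_URL, "headers": dict(headers, **FORM),
            "body": urlencode(params)}


def classify_token_response(status, body):
    """Map a token endpoint reply to the outcomes the rule distinguishes:
    'granted', 'pending', 'slow_down', 'timeout' (Timeout Rejection Handler),
    'denied' (Deny Rejection Handler) or 'error'."""
    if status == 200 and "access_token" in body:
        return "granted"
    return {"authorization_pending": "pending", "slow_down": "slow_down",
            "expired_token": "timeout",
            "access_denied": "denied"}.get(body.get("error"), "error")


def poll_until_done(responses, interval, expires_in):
    """Walk a sequence of constructed token responses as a poll loop would.
    Honours the poll interval, backs off by 5 s on slow_down, and gives up as
    a timeout once expires_in is exceeded. No real sleeping: returns
    (outcome, simulated_seconds_waited, requests_made)."""
    waited, wait = 0, interval
    for n, (status, body) in enumerate(responses, 1):
        outcome = classify_token_response(status, body)
        if outcome in ("granted", "timeout", "denied", "error"):
            return outcome, waited, n
        if outcome == "slow_down":
            wait += 5
        waited += wait
        if waited > expires_in:
            return "timeout", waited, n
    return "error", waited, len(responses)


# Constructed token-provider replies: the user approves after one slow_down.
SAMPLE_POLL = [
    (400, {"error": "authorization_pending"}),
    (400, {"error": "slow_down"}),
    (400, {"error": "authorization_pending"}),
    (200, {"access_token": "constructed", "token_type": "Bearer",
           "id_token": "constructed"}),
]

if __name__ == "__main__":
    auth = client_auth("secret", "pa-client", client_secret="s3cret")
    print(bc_authorize_request(auth, "alice@example.com", ["profile"], 120)["body"])
    print(token_poll_request(auth, "constructed-auth-req-id")["body"])
    print(poll_until_done(SAMPLE_POLL, interval=5, expires_in=120))
```

The poll loop shows why the Requested Expiry field matters: a request that is never approved or denied ends as a timeout on the client side, not as a denial, so the two rejection handlers see different cases.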